DNS与Linux防火墙
1、简述DNS服务器原理,并搭建主-辅服务器。
DNS:domain name system,域名系统。一般指的时internet上的一项服务,即域名解析服务,具体来说就是提供网站域名与对应IP地址相互转换的一项服务。分为两种,正向解析:将给定的网站域名转化为对应IP地址;反向解析:将IP地址转换为对应的网站域名。一般只使用正向解析,另外一个IP地址可以多个网站域名,这些网站域名存在别名列表中,是主域名的别名。
1:搭建主-辅服务器准备要求:
四台主机:
DNS主服务器:10.0.0.8
DNS从服务器:10.0.0.28
web服务器:10.0.0.38
DNS客户端:10.0.0.48
2:前提准备
关闭SElinux
关闭防火墙
时间同步
3:搭建主DNS服务端
[16:21:08 root@CentOS8 ~]\ [#hostnamectl set-hostname master
[16:25:08 root@master ~]\ [#yum -y install bind
[16:28:02 root@master ~]\ [#cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
// listen-on port 53 { 127.0.0.1; }; ##注释此行
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
// allow-query { localhost; }; ##注释此行
allow-transfer { 10.0.0.28;}; ##添加运行从服务器访问
......
[16:30:50 root@master ~]\ [#cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add
// disable-empty-zone "."; into options
//
zone "magedu.org" IN { ##添加此段
type master; ##添加此段
file "magedu.org.zone"; ##添加此段
}; ##添加此段
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
......
[16:30:57 root@master ~]\ [#cp -p /var/named/named.localhost /var/named/magedu.org.zone
[16:35:33 root@master ~]\ [#cat /var/named/magedu.org.zone
$TTL 1D
@ IN SOA master admin.magedu.org. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
NS slave
master A 10.0.0.8
slave A 10.0.0.28
[16:41:56 root@master ~]\ [#named-checkconf
[16:41:58 root@master ~]\ [#systemctl start named
4:搭建DNS从服务器
[16:57:03 root@CentOS8 ~]\ [#hostnamectl set-hostname slave
[16:58:21 root@CentOS8 ~]\ [#yum install bind -y
[17:00:05 root@CentOS8 ~]\ [#cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
// listen-on port 53 { 127.0.0.1; }; ##注释此行
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
// allow-query { localhost; }; ##注释此行
allow-transfer { none; }; ##加此行,不允许其他主机传输
/*
......
[17:02:44 root@CentOS8 ~]\ [#cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add
// disable-empty-zone "."; into options
//
zone "magedu.org" { ##添加此段
type slave; ##添加此段
masters { 10.0.0.8; }; ##添加此段
file "slaves/magedu.org.slave"; ##添加此段
}; ##添加此段
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
5:web服务器设置
[root@CentOS8 ~]\ [#hostnamectl set-hostname web_service
[root@CentOS8 ~]\ [#yum install httpd
[root@CentOS8 ~]\ [#echo www.magedu.org > /var/www/html/index.html
[root@CentOS8 ~]\ [#systemctl start httpd
6:客户端测试主DNS
[18:42:11 root@CentOS8 ~]\ [#cat /etc/sysconfig/network-scripts/ifcfg-ens33
DEVICE=ens33
NAME=ens33
BOOTPROTO=static
IPADDR=10.0.0.48
PREFIX=24
GATEWAY=10.0.0.2
DNS1=10.0.0.8
DNS2=10.0.0.28
ONBOOT=yes
[18:43:52 root@CentOS8 ~]\ [#nmcli con reload
[18:44:06 root@CentOS8 ~]\ [#nmcli con up ens33
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)
[18:44:11 root@CentOS8 ~]\ [#cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain
nameserver 10.0.0.8
nameserver 10.0.0.28
[18:44:17 root@CentOS8 ~]\ [#dig www.magedu.org
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> www.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13298
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d867874fa6be0400459d70116134add567502c8d437f56d3 (good)
;; QUESTION SECTION:
;www.magedu.org. IN A
;; ANSWER SECTION:
www.magedu.org. 86400 IN A 10.0.0.38
;; AUTHORITY SECTION:
magedu.org. 86400 IN NS slave.magedu.org.
magedu.org. 86400 IN NS master.magedu.org.
;; ADDITIONAL SECTION:
master.magedu.org. 86400 IN A 10.0.0.8
slave.magedu.org. 86400 IN A 10.0.0.28
;; Query time: 1 msec
;; SERVER: 10.0.0.8#53(10.0.0.8)
;; WHEN: Sun Sep 05 18:45:25 WIB 2021
;; MSG SIZE rcvd: 160
7:主DNS停住服务,再次验证
[18:40:27 root@master ~]\ [#systemctl stop named
[18:45:25 root@CentOS8 ~]\ [#dig www.magedu.org
; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8 <<>> www.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20265
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 183e5712db8b3e8a262e5d446134ae22d8850505e77c4e05 (good)
;; QUESTION SECTION:
;www.magedu.org. IN A
;; ANSWER SECTION:
www.magedu.org. 86400 IN A 10.0.0.38
;; AUTHORITY SECTION:
magedu.org. 86400 IN NS slave.magedu.org.
magedu.org. 86400 IN NS master.magedu.org.
;; ADDITIONAL SECTION:
master.magedu.org. 86400 IN A 10.0.0.8
slave.magedu.org. 86400 IN A 10.0.0.28
;; Query time: 1 msec
;; SERVER: 10.0.0.28#53(10.0.0.28)
;; WHEN: Sun Sep 05 18:46:42 WIB 2021
;; MSG SIZE rcvd: 160
2、搭建并实现智能DNS。
1:环境准备
五台主机:
DNS主服务器和web服务器1:10.0.0.8/24,172.16.0.8/24
web服务器2:10.0.0.18/24
web服务器3:172.16.0.7/24
DNS客户端1:10.0.0.38/24
DNS客户端2:172.16.0.6/24
2:关闭SElinux,关闭防火墙,时间同步
3:DNS服务器网卡配置
21:03:45 root@DNS_master_server ~]\ [#ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:dc:b4:a9 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.8/24 brd 10.0.0.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fedc:b4a9/64 scope link
valid_lft forever preferred_lft forever
3: virbr0: mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:55:8f:b2 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global noprefixroute virbr0
valid_lft forever preferred_lft forever
4: virbr0-nic: mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:55:8f:b2 brd ff:ff:ff:ff:ff:ff
5: ens37: mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:dc:b4:b3 brd ff:ff:ff:ff:ff:ff
inet 172.16.0.8/24 brd 172.16.0.255 scope global ens37
valid_lft forever preferred_lft forever
4:主DNS服务端配置
[21:03:50 root@DNS_master_server ~]\ [#yum install bind -y
[21:18:57 root@DNS_master_server ~]\ [#cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl beijingnet {
10.0.0.0/24;
};
acl shanghainet {
172.16.0.0/24;
};
acl othernet {
any;
};
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
// allow-query { localhost; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
view beijingview {
match-clients { beijingnet;};
include "/etc/named.rfc1912.zones.bj";
};
view shanghaiview {
match-clients { shanghainet;};
include "/etc/named.rfc1912.zones.sh";
};
view otherview {
match-clients { othernet;};
include "/etc/named.rfc1912.zones.other";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
5:实现区域配置文件
[21:23:56 root@DNS_master_server ~]\ [#cat /etc/named.rfc1912.zones.bj
zone "." IN {
type hint;
file "named.ca";
};
zone "magedu.org" {
type master;
file "magedu.org.zone.bj";
};
[21:24:06 root@DNS_master_server ~]\ [#cat /etc/named.rfc1912.zones.sh
zone "." IN {
type hint;
file "named.ca";
};
zone "magedu.org" {
type master;
file "magedu.org.zone.sh";
};
[21:24:10 root@DNS_master_server ~]\ [#cat /etc/named.rfc1912.zones.other
zone "." IN {
type hint;
file "named.ca";
};
zone "magedu.org" {
type master;
file "magedu.org.zone.other";
};
[21:24:13 root@DNS_master_server ~]\ [#chgrp named /etc/named.rfc1912.zones.bj
[21:24:24 root@DNS_master_server ~]\ [#chgrp named /etc/named.rfc1912.zones.sh
[21:24:26 root@DNS_master_server ~]\ [#chgrp named /etc/named.rfc1912.zones.other
6:创建区域数据库文件
[21:39:58 root@DNS_master_server ~]\ [#cat /var/named/magedu.org.zone.bj
$TTL 3H
@ IN SOA admin.magedu.org. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.0.8
websrv A 10.0.0.18
www CNAME websrv
[21:40:06 root@DNS_master_server ~]\ [#cat /var/named/magedu.org.zone.sh
$TTL 3H
@ IN SOA master admin.magedu.org. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.0.8
websrv A 172.16.0.7
www CNAME websrv
[21:40:09 root@DNS_master_server ~]\ [#cat /var/named/magedu.org.zone.other
$TTL 3H
@ IN SOA master admin.magedu.org. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.0.8
websrv A 127.0.0.1
www CNAME websrv
[21:40:12 root@DNS_master_server ~]\ [#chgrp named /var/named/magedu.org.zone.bj
[21:41:12 root@DNS_master_server ~]\ [#chgrp named /var/named/magedu.org.zone.sh
[21:41:15 root@DNS_master_server ~]\ [#chgrp named /var/named/magedu.org.zone.other
7:实现不同区域服务器效果
三台主机服务器安装http服务
[21:41:18 root@DNS_master_server ~]\ [#yum -y install httpd
[21:41:28 root@web1 ~]\ [#yum -y install httpd
[21:41:44 root@web2 ~]\ [#yum -y install httpd
[21:42:52 root@DNS_master_server ~]\ [#echo www.magedu.org in other > /var/www/html/index.html
[21:44:37 root@web1 ~]\ [#echo www.magedu.org in other > /var/www/html/index.html
[21:45:22 root@web2 ~]\ [#echo www.magedu.org in other > /var/www/html/index.html
然后全部启动httpd服务
3、使用iptable实现: 放行ssh,telnet, ftp, web服务80端口,其他端口服务全部拒绝
[19:23:46 root@test1 ~]\ [#iptables -I INPUT -p tcp -m multiport --dports 21,22,23,80 -j ACCEPT
[19:24:42 root@test1 ~]\ [#iptables -A INPUT -j REJECT
[19:24:47 root@test1 ~]\ [#iptables -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
135 10024 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,22,23,80
2245 11M LIBVIRT_INP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
......
4、NAT原理总结
NAT就是在局域网内部网络中使用内部地址,而当内部节点要与外部网络进行通讯时,就在网关处将内部地址替换为公用地址,从而在外部公网上正常使用。
修改IP数据包中的源IP地址或目标的IP地址,主要目的是把RFC1918所提议的私有地址转变成在Internet上可路由的公有合法地址。对于某些有限的应用(如DNS、FTP等),它也可以修改IP数据包有效载荷中的地址。
5、iptables实现SNAT和DNAT,并对规则持久保存。
防火墙地址:10.0.0.8/24,192.168.100.8/24
外网地址:10.0.0.6
内网地址:192.168.100.7
实现SNAT:
[root@internet-host ~]#hostname -I
10.0.0.6
[root@internet-host ~]#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
#启用路由转发
[root@firewall ~]#vim /etc/sysctl.conf
net.ipv4.ip_forward=1
[root@firewall ~]#sysctl -p
[root@firewall-host ~]#hostname -I
10.0.0.8 192.168.100.8
[root@firewall-host ~]#sysctl -a |grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
[root@lan-host ~]#hostname -I
192.168.100.7
[root@lan-host ~]#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.100.8 0.0.0.0 UG 100 0 0 eth0
192.168.100.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@firewall-host ~]#iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT
--to-source 10.0.0.8
[root@firewall-host ~]#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 192.168.100.0/24 0.0.0.0/0
to:10.0.0.8
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@lan-host ~]#curl 10.0.0.6
internet Server
[root@internet-host ~]#curl 192.168.100.7
curl: (7) Failed to connect to 192.168.100.7: Network is unreachable
[root@internet-host ~]#tail /var/log/httpd/access_log
10.0.0.8 - - [21/Mar/2020:16:31:35 +0800] "GET / HTTP/1.1" 200 16 "-"
"curl/7.29.0"
[root@lan-host ~]#ping 10.0.0.6
PING 10.0.0.6 (10.0.0.6) 56(84) bytes of data.
64 bytes from 10.0.0.6: icmp_seq=1 ttl=63 time=0.989 ms
64 bytes from 10.0.0.6: icmp_seq=2 ttl=63 time=0.544 ms
[root@internet-host ~]#tcpdump -i eth0 -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:34:30.171222 IP 10.0.0.8 > 10.0.0.6: ICMP echo request, id 24718, seq 120,
length 64
16:34:30.171255 IP 10.0.0.6 > 10.0.0.8: ICMP echo reply, id 24718, seq 120,
length 64
[root@firewall-host ~]#iptables -t nat -R POSTROUTING 1 -s 192.168.100.0/24 -j
MASQUERADE
[root@firewall-host ~]#iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 192.168.100.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
[root@firewall-host ~]#cat /proc/net/nf_conntrack
ipv4 2 tcp 6 32 TIME_WAIT src=192.168.100.7 dst=10.0.0.6 sport=39430
dport=80 src=10.0.0.6 dst=10.0.0.8 sport=80 dport=39430 [ASSURED] mark=0 zone=0
use=2
实现DNAT:
[root@firewall-host ~]#iptables -t nat -A PREROUTING -d 10.0.0.8 -p tcp --dport
80 -j DNAT --to-destination 192.168.100.7
[root@firewall-host ~]#iptables -t nat -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 10.0.0.8
tcp dpt:80 to:192.168.100.7
[root@firewall-host ~]#ss -ntl
State Recv-Q Send-Q Local Address:Port
Peer Address:Port
LISTEN 0 128 0.0.0.0:22
0.0.0.0:*
LISTEN 0 128 [::]:22
[::]:*
[root@internet-host ~]#curl 10.0.0.8
lan server
[root@internet-host ~]#telnet 10.0.0.8
Trying 10.0.0.8...
telnet: connect to address 10.0.0.8: Connection refused
[root@lan-host ~]#tail -f /var/log/httpd/access_log
10.0.0.6 - - [21/Mar/2020:17:32:37 +0800] "GET / HTTP/1.1" 200 11 "-"
"curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3
libidn/1.18 libssh2/1.4.2"
[root@firewall-host ~]#tail -f /proc/net/nf_conntrack
ipv4 2 tcp 6 81 TIME_WAIT src=10.0.0.6 dst=10.0.0.8 sport=59426
dport=80 src=192.168.100.7 dst=10.0.0.6 sport=80 dport=59426 [ASSURED] mark=0
zone=0 use=2
[root@lan-host ~]#vim /etc/httpd/conf/httpd.conf
listen 8000
[root@lan-host ~]#systemctl restart httpd
[root@lan-host ~]#ss -ntl
State Recv-Q Send-Q Local Address:Port Peer
Address:Port
LISTEN 0 100 127.0.0.1:25
*:*
LISTEN 0 128 *:22
*:*
LISTEN 0 128 [::]:23
[::]:*
LISTEN 0 100 [::1]:25
[::]:*
LISTEN 0 128 [::]:8000
[::]:*
LISTEN 0 128 [::]:22
[::]:*
[root@firewall-host ~]#iptables -t nat -R PREROUTING 1 -d 10.0.0.8 -p tcp --dport
80 -j DNAT --to-destination 192.168.100.7:8000
[root@firewall-host ~]#iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 10.0.0.8
tcp dpt:80 to:192.168.100.7:8000
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
11 816 MASQUERADE all -- * * 192.168.100.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
原文:https://www.cnblogs.com/zhaoyaxuan/p/15232887.html