# NAT类型
1. SNAT（源地址转换）：地址伪装
2. DNAT（目标地址转换）：端口转发
3. MASQUERADE：动态地址伪装

# 应用场景
– 端口映射：外网访问内网服务
– 地址伪装：内网访问外网
– 负载均衡：流量分发

# 配置策略
1. 明确转发需求
2.更多视频教程www.fgedu.net.cn 规划端口映射关系
3. 测试验证配置
4. 监控NAT连接

# 端口转发：将外部80端口转发到内部8080端口
$ firewall-cmd –permanent –add-forward-port=port=80:proto=tcp:toport=8080
success

# 端口转发到另一台服务器
$ firewall-cmd –permanent –add-forward-port=port=80:proto=tcp:toaddr=192.168.1.100
success

# 端口转发到另一台服务器的不同端口
$ firewall-cmd –permanent –add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.1.100
success

# 重载配置
$ firewall-cmd –reload
success

# 查看端口转发规则
$ firewall-cmd –list-forward-ports
port=80:proto=tcp:toport=8080:toaddr=

# 启用地址伪装
$ firewall-cmd –permanent –add-masquerade
success

# 在指定区域启用
$ firewall-cmd –permanent –zone=external –add-masquerade
success

# 查看地址伪装状态
$ firewall-cmd –list-all | grep masquerade
masquerade: yes

# 移除地址伪装
$ firewall-cmd –permanent –remove-masquerade
success

# 重载配置
$ firewall-cmd –reload
success

# 使用富规则配置端口转发
$ firewall-cmd –permanent –add-rich-rule=’rule family=”ipv4″ forward-port port=”80″ protocol=”tcp” to-port=”8080″‘
success

# 限制源地址的端口转发
$ firewall-cmd –permanent –add-rich-rule=’rule family=”ipv4″ source address=”192.168.1.0/24″ forward-port port=”80″ protocol=”tcp” to-port=”8080″‘
success

# 查看富规则
$ firewall-cmd –list-rich-rules
rule family=”ipv4″ forward-port port=”80″ protocol=”tcp” to-port=”8080″

# 场景：将外部80端口转发到内部Tomcat的8080端口

# 1. 启用地址伪装
$ firewall-cmd –permanent –add-masquerade

# 2. 配置端口转发
$ firewall-cmd –permanent –add-forward-port=port=80:proto=tcp:toport=8080

# 3. 重载配置
$ firewall-cmd –reload

# 4. 验证配置
$ firewall-cmd –list-all
public (active)
masquerade: yes
forward-ports: port=80:proto=tcp:toport=8080:toaddr=

# 5. 测试访问
$ curl http://localhost