Use iptables in Linux to implement port forwarding

Source: Internet
Author: User
I have read a lot of articles about implementing port forwarding with iptables, but I never felt very clear about the problem. Now I will combine my own experience of setting it up and using it and walk through how it actually works.

We have a computer with two NICs. eth0 is connected to the Internet with the IP address 1.2.3.4; eth1 is connected to the intranet with the IP address 192.168.0.1. Now we need to forward IP packets sent to port 81 of 1.2.3.4 to port 8180 of 192.168.0.2. The settings are as follows:

1. iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.0.2:8180

2. iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.0.0 -d 192.168.0.2 -p tcp -m tcp --dport 8180 -j SNAT --to-source 192.168.0.1

The actual transmission process is as follows:

Assume that a client has the IP address 6.7.8.9 and uses local port 1080 to connect to port 81 of 1.2.3.4. The IP packet it sends has source address 6.7.8.9, source port 1080, destination address 1.2.3.4 and destination port 81.

After host 1.2.3.4 receives the packet, it changes the packet's destination address to 192.168.0.2 and its destination port to 8180 according to the first rule in the nat table, and at the same time creates an entry in the connection tracking table (visible in the /proc/net/ip_conntrack file). The packet is then handed to the routing module, which looks up the routing table and determines that the packet should be sent out through the eth1 interface. Before the packet is sent to eth1, the second rule in the nat table is applied: if the packet comes from the same subnet, its source address is changed to 192.168.0.1 and the corresponding entry in the connection tracking table is updated. The packet is then sent out through eth1.

In this case the connection tracking table contains an entry like the following:

Connection entry (original direction): src=6.7.8.9 dst=1.2.3.4 sport=1080 dport=81

Connection return (reply direction): src=192.168.0.2 dst=6.7.8.9 sport=8180 dport=1080

Use count: use=1

The IP packet sent back by 192.168.0.2 has source port 8180, destination address 6.7.8.9 and destination port 1080. After the TCP/IP stack of host 1.2.3.4 receives this packet, the kernel searches the reply column of the connection tracking table for an entry with the same source and destination addresses and ports. Once the matching entry is found, it changes the packet's source address from 192.168.0.2 to 1.2.3.4 and its source port from 8180 to 81 according to the record in that entry; the destination port 1080 is left unchanged. In this way the server's reply packet is correctly returned to the client that initiated the connection, and communication proceeds.
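The following is an added example, not code from the original article: a small Python model of the two nat rules and the connection tracking table, using the page's addresses. It replays the 6.7.8.9 trace above and also goes one step beyond the text, showing why the second (SNAT) rule is needed when the client itself sits on the 192.168.0.0/16 intranet (a constructed client 192.168.0.5 is assumed). Interface names, the LAN network and the Pkt structure are modelling assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed model of the page's setup: the NAT host is 1.2.3.4 on eth0 and
# 192.168.0.1 on eth1, and TCP 1.2.3.4:81 is forwarded to 192.168.0.2:8180.
PUBLIC_IP, LAN_IP = "1.2.3.4", "192.168.0.1"
SERVER = ("192.168.0.2", 8180)
LAN = ip_network("192.168.0.0/16")  # the rule's -s 192.168.0.0/255.255.0.0 match

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

conntrack = {}  # original tuple -> reply tuple, the two columns of /proc/net/ip_conntrack

def forward_path(pkt, snat=True):
    """Client->server packet: PREROUTING DNAT, routing decision, POSTROUTING SNAT."""
    original = pkt
    # rule 1: PREROUTING -d 1.2.3.4 --dport 81 -j DNAT --to-destination 192.168.0.2:8180
    if pkt.dst == PUBLIC_IP and pkt.dport == 81:
        pkt = replace(pkt, dst=SERVER[0], dport=SERVER[1])
    # routing: destinations inside the LAN leave via eth1, everything else via eth0
    out_if = "eth1" if ip_address(pkt.dst) in LAN else "eth0"
    # rule 2: POSTROUTING -s 192.168.0.0/16 -d 192.168.0.2 --dport 8180 -j SNAT --to-source 192.168.0.1
    if snat and ip_address(pkt.src) in LAN and (pkt.dst, pkt.dport) == SERVER:
        pkt = replace(pkt, src=LAN_IP)
    # the reply tuple mirrors the packet as it finally leaves the host
    conntrack[original] = Pkt(pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return pkt, out_if

def reply_path(pkt):
    """Server->client packet: match the reply tuple, then undo the SNAT and the DNAT."""
    for original, reply in conntrack.items():
        if pkt == reply:
            return Pkt(original.dst, original.dport, original.src, original.sport)
    return None  # no tracked connection: nothing is rewritten

def hairpin_reply_reaches_client(snat):
    """Why rule 2 exists: a LAN client 192.168.0.5 connecting to 1.2.3.4:81."""
    conntrack.clear()
    sent, _ = forward_path(Pkt("192.168.0.5", 2000, PUBLIC_IP, 81), snat=snat)
    server_reply = Pkt(SERVER[0], SERVER[1], sent.src, sent.sport)
    # the reply only passes back through the NAT host if it is addressed to the host
    # (or to the Internet); without SNAT it goes straight to 192.168.0.5 from
    # 192.168.0.2:8180, which does not match the connection the client opened
    via_host = server_reply.dst == LAN_IP or ip_address(server_reply.dst) not in LAN
    return via_host and reply_path(server_reply) is not None
```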

One more point: the filter table must also allow the connection coming in from eth0 to port 8180 of 192.168.0.2:

iptables -A FORWARD -d 192.168.0.2 -p tcp -m tcp --dport 8180 -i eth0 -j ACCEPT
