How to use iptables for port forwarding in Linux

Source: Internet
Author: User
We have a computer with two NICs: eth0 is connected to the Internet and has the IP address 1.2.3.4; eth1 is connected to the intranet and has the IP address 192.168.0.1. We want IP packets sent to port 81 of 1.2.3.4 to be forwarded to port 8180 of 192.168.0.2. The nat table is set up as follows:

1. iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.0.2:8180

2. iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.0.0 -d 192.168.0.2 -p tcp -m tcp --dport 8180 -j SNAT --to-source 192.168.0.1

The actual transmission process is as follows:

Assume a client with the IP address 6.7.8.9 uses its local port 1080 to connect to port 81 of 1.2.3.4. The IP packet it sends has source address 6.7.8.9, source port 1080, destination address 1.2.3.4 and destination port 81.

When host 1.2.3.4 receives the packet, the first rule in the nat table (PREROUTING) rewrites the destination address to 192.168.0.2 and the destination port to 8180, and an entry is created in the connection tracking table (visible in /proc/net/ip_conntrack on old kernels; on current kernels in /proc/net/nf_conntrack or via `conntrack -L`). The packet is then handed to the routing module, which looks up the route table and determines that it must go out through eth1. Before it is sent to eth1, the second rule in the nat table (POSTROUTING) is consulted: only if the packet came from the 192.168.0.0/16 subnet is its source address changed to 192.168.0.1, and the connection tracking entry is updated to match. A packet from the Internet client 6.7.8.9 does not match rule 2, so it leaves eth1 with its original source address. This means 192.168.0.2 must route traffic for 6.7.8.9 back through 192.168.0.1 (typically by using it as its default gateway); otherwise the replies never pass through the NAT host and cannot be translated back.

In this case the connection tracking table contains an entry like this:

Original direction: src = 6.7.8.9 dst = 1.2.3.4 sport = 1080 dport = 81

Reply direction: src = 192.168.0.2 dst = 6.7.8.9 sport = 8180 dport = 1080

Reference count: use = 1

When 192.168.0.2 sends back an IP packet with source port 8180, destination address 6.7.8.9 and destination port 1080, the TCP/IP stack of host 1.2.3.4 receives it and checks the kernel's connection tracking table for an entry whose reply tuple has the same source and destination addresses and ports. Once it finds the match, it rewrites the packet according to that entry: the source address changes from 192.168.0.2 to 1.2.3.4 and the source port from 8180 to 81, while the destination port 1080 is left unchanged. The server's reply therefore returns correctly to the client that initiated the connection, and communication proceeds from there.
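The translations described above can be checked on the gateway itself from the connection tracking table. The script below is an added example, not part of the original article: it parses conntrack entries in the key=value layout used by /proc/net/nf_conntrack and `conntrack -L` (the first src/dst/sport/dport group is the original direction, the second is the reply direction) and reports every flow whose reply tuple differs from its original tuple, i.e. flows that were DNATed or SNATed. The sample lines are constructed for this example; only the first corresponds to the entry in the article, while the hairpinned LAN client 192.168.0.50 and the SSH session are assumptions.

```shell
#!/bin/sh
# Added example: list NAT translations found in conntrack output.
# Input format (one entry per line, /proc/net/nf_conntrack or `conntrack -L`):
#   ... src=A dst=B sport=a dport=b src=C dst=D sport=c dport=d ...
# The first four pairs describe the original direction, the next four the reply.

# Constructed sample, not real kernel output:
#  1. the article's flow: Internet client, DNAT only
#  2. a LAN client reaching the public address: DNAT plus hairpin SNAT (assumed)
#  3. an untranslated SSH session to the gateway itself (assumed)
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=6.7.8.9 dst=1.2.3.4 sport=1080 dport=81 src=192.168.0.2 dst=6.7.8.9 sport=8180 dport=1080 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.0.50 dst=1.2.3.4 sport=40000 dport=81 src=192.168.0.2 dst=192.168.0.1 sport=8180 dport=40000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.7 dst=1.2.3.4 sport=50000 dport=22 src=1.2.3.4 dst=203.0.113.7 sport=22 dport=50000 [ASSURED] mark=0 zone=0 use=2'

# Read conntrack lines on stdin and print one line per translated flow:
#   <orig src:sport> -> <orig dst:dport> => <reply src:sport> DNAT|SNAT
# DNAT: the reply comes from somewhere other than the original destination.
# SNAT: the reply is addressed to something other than the original source.
nat_translations() {
    awk '
    {
        n = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src" || kv[1] == "dst" || kv[1] == "sport" || kv[1] == "dport") {
                n++; v[n] = kv[2]
            }
        }
        if (n < 8) next                      # not a complete TCP/UDP entry
        osrc = v[1]; odst = v[2]; osport = v[3]; odport = v[4]
        rsrc = v[5]; rdst = v[6]; rsport = v[7]; rdport = v[8]
        flags = ""
        if (rsrc != odst || rsport != odport) flags = flags " DNAT"
        if (rdst != osrc || rdport != osport) flags = flags " SNAT"
        if (flags != "")
            printf "%s:%s -> %s:%s => %s:%s%s\n", osrc, osport, odst, odport, rsrc, rsport, flags
    }'
}

# Count flows (from stdin) that were forwarded to a given backend ip:port.
count_forwarded_to() {
    nat_translations | grep -cF -- " => $1 "
}

# On a real gateway: `conntrack -L | nat_translations`
#              or:   `nat_translations < /proc/net/nf_conntrack`
printf '%s\n' "$SAMPLE_CONNTRACK" | nat_translations
```

For the article's own entry the output line reads `6.7.8.9:1080 -> 1.2.3.4:81 => 192.168.0.2:8180 DNAT`, with no SNAT flag, which confirms that an Internet client's source address is not rewritten by rule 2.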

In addition, forwarded packets traverse the FORWARD chain of the filter table, not INPUT (INPUT only sees packets addressed to the host itself), so connections arriving on eth0 for port 8180 of 192.168.0.2 must be accepted there, and packet forwarding must be enabled in the kernel (net.ipv4.ip_forward = 1):

iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp -m tcp --dport 8180 -j ACCEPT
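Putting the rules together with the pieces the article leaves implicit, the script below is an added example (not the article's own commands): it prints the complete rule set in the order it must be applied, namely the sysctl that enables forwarding, the DNAT rule, the hairpin SNAT rule restricted to the LAN, and the FORWARD rules for new and reply traffic. The interface names, the LAN range, the extra hairpin FORWARD rule and the use of conntrack state matching are assumptions consistent with the article's setup; they are not stated there.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the full port-forwarding rule
# set for the article's scenario, including the pieces it leaves implicit:
#   - ip_forward enabled (without it the DNATed packet is never routed out),
#   - accept rules in FORWARD, not INPUT (forwarded traffic never hits INPUT),
#   - hairpin SNAT limited to the LAN so Internet clients keep their source IP.
# Assumed parameters (match the article's diagram; adjust for a real host):
PUB_IF=eth0                        # Internet-facing interface
PUB_IP=1.2.3.4                     # address clients connect to
PUB_PORT=81
LAN_IF=eth1
LAN_NET=192.168.0.0/255.255.0.0    # mask form, as in the article's rule 2
LAN_GW=192.168.0.1                 # gateway's own LAN address (SNAT source)
DST_IP=192.168.0.2                 # internal server
DST_PORT=8180

# Print the rules in apply order. Nothing is executed here, so the output can
# be reviewed (or compared with `iptables-save`) before it touches the host.
port_forward_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d $PUB_IP -p tcp -m tcp --dport $PUB_PORT -j DNAT --to-destination $DST_IP:$DST_PORT
iptables -t nat -A POSTROUTING -s $LAN_NET -d $DST_IP -p tcp -m tcp --dport $DST_PORT -j SNAT --to-source $LAN_GW
iptables -A FORWARD -i $PUB_IF -o $LAN_IF -d $DST_IP -p tcp -m tcp --dport $DST_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $DST_IP -p tcp -m tcp --dport $DST_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}
# Rule 4 is the hairpin case (LAN client -> public IP -> back out eth1); rule 5
# lets the server's replies through. Both only matter if FORWARD's policy is DROP.

# Apply the rules when running as root with iptables available; otherwise
# just print them so the caller can see what would have been installed.
apply_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "apply_rules: needs root and iptables; printing rules instead" >&2
        port_forward_rules
        return 1
    fi
    port_forward_rules | sh -e
}

port_forward_rules   # review the output, then run apply_rules as root
```

After applying, `conntrack -L` (or /proc/net/nf_conntrack) should show an entry for each forwarded connection whose reply tuple starts with `src=192.168.0.2 ... sport=8180`, as in the trace above.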

