Linux iptables port forwarding settings
The iptables port forwarding (DNAT) settings are as follows:
We have a machine with two NICs. eth0 is connected to the Internet and has the IP address 1.2.3.4; eth1 is connected to the intranet and has the IP address 192.168.0.1. We want every IP packet sent to port 81 of 1.2.3.4 to be forwarded to port 8180 of the internal host 192.168.0.2. The settings are as follows:
1. iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.0.2:8180
2. iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.0.0 -d 192.168.0.2 -p tcp -m tcp --dport 8180 -j SNAT --to-source 192.168.0.1
The actual transmission process is as follows:
Assume that a client has the IP address 6.7.8.9 and uses its local port 1080 to connect to port 81 of 1.2.3.4. The IP packet it sends has source address 6.7.8.9, source port 1080, destination address 1.2.3.4 and destination port 81.
When host 1.2.3.4 receives the packet, the first rule in the nat table (PREROUTING) changes the destination address to 192.168.0.2 and the destination port to 8180, and at the same time an entry is created in the connection tracking table (visible in /proc/net/ip_conntrack on old kernels; on current kernels it is /proc/net/nf_conntrack or the output of `conntrack -L`). The packet is then handed to the routing module, which looks up the routing table and decides that it must go out through eth1. Just before the packet leaves eth1, the second rule in the nat table (POSTROUTING) is evaluated: it only matches when the source address is inside 192.168.0.0/255.255.0.0, that is, when an intranet client reaches the service through the public address 1.2.3.4. In that case the source address is rewritten to 192.168.0.1, so that 192.168.0.2 replies to the router rather than directly to the client (which would bypass the reverse translation), and the connection tracking entry is updated accordingly. For our external client 6.7.8.9 the rule does not match, so the source address is left alone and the packet is sent out on eth1.
In this case the connection tracking table contains an entry with an original tuple and a reply tuple:
Original direction: src = 6.7.8.9 dst = 1.2.3.4 sport = 1080 dport = 81
Reply direction: src = 192.168.0.2 dst = 6.7.8.9 sport = 8180 dport = 1080
Reference count: use = 1
The packet that 192.168.0.2 sends back has source address 192.168.0.2, source port 8180, destination address 6.7.8.9 and destination port 1080. When it arrives on host 1.2.3.4, connection tracking compares it against the reply tuples in the table, finds the matching entry and, based on that entry, rewrites the source address from 192.168.0.2 to 1.2.3.4 and the source port from 8180 to 81, leaving the destination 6.7.8.9:1080 unchanged. No separate nat rule is needed for the return traffic: the reverse translation is derived entirely from the connection tracking entry. In this way the server's reply reaches the client that initiated the connection, and communication proceeds.
Two more things are needed for the forwarded packets to get through. First, IP forwarding must be enabled in the kernel (net.ipv4.ip_forward = 1), otherwise the translated packet is discarded after routing. Second, in the filter table, connections arriving on eth0 to port 8180 of 192.168.0.2 must be allowed. Because the DNATed packet is routed to another host rather than delivered locally, it traverses the FORWARD chain, not INPUT, so the rule belongs there:
iptables -A FORWARD -i eth0 -d 192.168.0.2 -p tcp -m tcp --dport 8180 -j ACCEPT
If the FORWARD chain's default policy is DROP, the reply packets from 192.168.0.2 back towards eth0 must be accepted as well (for example with a rule matching the ESTABLISHED connection state).
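The whole procedure above (enabling forwarding, the DNAT rule, the hairpin SNAT rule and the FORWARD rules) collected into one POSIX shell script. This is an added example and not code from the original article; the variable names, the default values (taken from the article's example) and the script's --apply switch are assumptions. The script generates the rules instead of running them, so the output can be reviewed before it is executed as root.

```shell
#!/bin/sh
# Hypothetical helper: generate (and optionally apply) the iptables rule set
# that forwards WAN_IP:WAN_PORT to LAN_HOST:LAN_PORT through a two-NIC router.
# All variables are assumptions; defaults reproduce the article's example.

WAN_IF="${WAN_IF:-eth0}"          # interface towards the Internet
WAN_IP="${WAN_IP:-1.2.3.4}"       # public address clients connect to
WAN_PORT="${WAN_PORT:-81}"        # public port
LAN_IF="${LAN_IF:-eth1}"          # interface towards the intranet
LAN_IP="${LAN_IP:-192.168.0.1}"   # router's intranet address (SNAT source)
LAN_NET="${LAN_NET:-192.168.0.0/16}"  # same as 192.168.0.0/255.255.0.0 in the article
LAN_HOST="${LAN_HOST:-192.168.0.2}"   # internal server
LAN_PORT="${LAN_PORT:-8180}"          # internal service port

# Emit the rules one per line; nothing is executed here.
gen_rules() {
    # 1. Routing between eth0 and eth1 must be on, or the DNATed packet is
    #    dropped after the routing decision.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # 2. Rewrite the destination of packets for WAN_IP:WAN_PORT. No -i on
    #    purpose: intranet clients using the public address must match too.
    echo "iptables -t nat -A PREROUTING -d $WAN_IP -p tcp -m tcp --dport $WAN_PORT -j DNAT --to-destination $LAN_HOST:$LAN_PORT"

    # 3. Hairpin case: a client inside LAN_NET would otherwise get a reply
    #    straight from LAN_HOST (bypassing the router and the reverse DNAT),
    #    so its source is rewritten to the router's own intranet address.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $LAN_HOST -p tcp -m tcp --dport $LAN_PORT -j SNAT --to-source $LAN_IP"

    # 4. The translated packet is routed, not delivered locally, so the
    #    filter decision happens in FORWARD rather than INPUT.
    echo "iptables -A FORWARD -i $WAN_IF -d $LAN_HOST -p tcp -m tcp --dport $LAN_PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"

    # 5. Let the server's replies back out towards the Internet; conntrack
    #    undoes the DNAT on them, no extra nat rule is needed.
    echo "iptables -A FORWARD -o $WAN_IF -s $LAN_HOST -p tcp -m tcp --sport $LAN_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# Apply the generated rules; refuses to run without root instead of
# producing a half-applied rule set.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be run as root" >&2
        return 1
    fi
    gen_rules | sh -e
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       gen_rules ;;
esac
```

Run the script without arguments to print the rule set for review (for example `WAN_PORT=443 LAN_PORT=8443 sh forward.sh`), and with `--apply` as root to execute it. The hairpin SNAT rule in step 3 only matters when intranet clients connect to the public address; if the FORWARD policy is DROP, that traffic (in on eth1, out on eth1) also needs its own ACCEPT rule, which this script does not add.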
The above example shows that iptables port forwarding is not difficult to set up: one DNAT rule in PREROUTING, an optional hairpin SNAT rule in POSTROUTING, IP forwarding enabled and a matching ACCEPT in the FORWARD chain.