I probably know one thing is to go out from the intranet when using postrouting come in with the prerouting, but do transparent agent when it is used prerouting. What is this for?
reply: SunnyggThe pre or post is determined based on the flow of the packet.
Usually intranet to the outside network is post, look outside the intranet is the pre, but outside or inside is only a relative concept, under certain conditions can be converted. Implementation to the network card, for each network card data inflow must pass through the pre, the amount of outflow must pass through post.
Transparent proxy principle is the intranet to the external Web page access request redirection, the intranet request back to the network proxy server, proxy services and gateways are one, if the use of post processing, then the data outflow, transparent proxy settings have failed, so must be in the data flow when the rules are rewritten, To respond to processing requests in a timely manner.
Reply:Postrouting is the source address translation, to convert your intranet address into a public address to allow you to surf the Internet.
Prerouting is the destination address conversion, to the other people's public network IP to your internal IP, so that access to your internal firewall protection of the machine.
Reply:
1, you must first understand what is "prerouting", What is "postrouting", we can simply use the following relationship to express:
Source Address send data--{prerouting--> routing Rule-->postrouting}--Destination address received data
When you use: Iptables-t nat-a prerouting-i eth1-d 1.2.3.4-j DNAT--to 192.168.1.40
When you access the 1.2.3.4,linux router in the "Routing rules" The destination address was previously changed to 192.168.1.40, and the Linux router (iptables) logs the connection at the same time, and sends the data to the requesting machine after the data is returned from 192.168.1.40 through the Linux router. So your "postrouting" rule doesn't work.
and "Postrouting" is the action after the "Routing rule".
2, you'd better have a detailed network topology, so I can better explain to you.
3, I can use a simple example to illustrate the different application environments of "prerouting" and "postrouting":
the application of 3.1 prerouting,
In general, prerouting is used in common NAT (that is, snat), such as: You use ADSL internet, This way your network has only one public IP address (for example: 61.129.66.5), but your local area network users also want to surf the Internet (LAN IP address: 192.168.1.0/24), then you can use Prerouting (SNAT) To convert the IP addresses of the users in the LAN to 61.129.66.5 so that they can also surf the Internet:
Iptables-t nat-a prerouting-s 192.168.1.0/24-j SNAT 61.129.66.5
the application of 3.2 postrouting,
Postrouting is used to place your server behind a firewall and is used as a protection server, for example:
A. Your server IP address is: 192.168.1.2;
B. Your firewall (Linux & iptables) address is 192.168.1.1 and 202.96.129.5
Users on the Internet can access 202.96.129.5 normally, but they cannot access 192.168.1.2, which can be set in the Linux firewall:
Iptables-t nat-a postrouting-d 202.96.129.5-j DNAT 192.168.1.2
Knot: The most important thing is to remember that prerouting is a "routing rule" before the action, postrouting is "routing rules" after the action! This article: summary, collation from the Internet
The difference between Linux prerouting and postrouting
