Implementing port forwarding with iptables on a Linux system

Source: Internet
Author: User
Tags: interface, connect, return, client, iptables, port number, linux

I have read many articles about implementing port forwarding with iptables, but none of them made the matter really clear to me, so here I describe the whole process based on my own configuration and usage experience.

We have a computer with two network cards: eth0 is connected to the Internet with IP address 1.2.3.4, and eth1 is connected to the intranet with IP address 192.168.0.1. We now need to forward IP packets destined for port 81 of address 1.2.3.4 to port 8180 of IP address 192.168.0.2. The settings are as follows:

1. iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.0.2:8180

2. iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.0.0 -d 192.168.0.2 -p tcp -m tcp --dport 8180 -j SNAT --to-source 192.168.0.1

The real transfer process is as follows:

Assume a client with IP address 6.7.8.9 uses its local port 1080 to connect to port 81 of 1.2.3.4. The IP packet has source address 6.7.8.9, source port 1080, destination address 1.2.3.4 and destination port 81.

When host 1.2.3.4 receives this packet, the first rule of the nat table changes the packet's destination address to 192.168.0.2 and its destination port to 8180, and an entry is created in the connection tracking table (visible in the file /proc/net/ip_conntrack). The packet is then handed to the routing module, which looks up the routing table and determines that the packet must be sent out through the eth1 interface. Before the packet is sent to eth1, the second rule of the nat table is applied: if the packet came from the same subnet, its source address is changed to 192.168.0.1, the corresponding entry in the connection tracking table is updated, and the packet is sent out on eth1.

The connection tracking table now holds one entry:

Original direction: src=6.7.8.9 dst=1.2.3.4 sport=1080 dport=81

Reply direction: src=192.168.0.2 dst=6.7.8.9 sport=8180 dport=1080

In use: use=1

When 192.168.0.2 sends a packet back, its source address is 192.168.0.2, source port 8180, destination address 6.7.8.9 and destination port 1080, and the TCP/IP stack of host 1.2.3.4 receives it. The kernel looks up the connection tracking table for an entry whose reply direction has the same source and destination addresses and ports; when it finds one, it rewrites the packet's source address from 192.168.0.2 to 1.2.3.4 and the source port from 8180 to 81, leaving the destination port 1080 unchanged. This is how the server's reply gets back to the client that initiated the connection, and communication proceeds.
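To inspect the two-direction entry described above on a live host, the following added example (not part of the original article) parses lines in the /proc/net/ip_conntrack layout and reports which connections have been DNATed or SNATed. The sample lines are constructed, not captured; the second one assumes an intranet client 192.168.0.5 reaching the public address, so both rules apply.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the /proc/net/ip_conntrack layout (not captured from
# a real host). Line 1: the article's external client, DNAT only. Line 2: an
# intranet client (assumed 192.168.0.5) hitting the public address, so both the
# DNAT and the SNAT rule apply. Line 3: a plain connection to the host itself.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=6.7.8.9 dst=1.2.3.4 sport=1080 dport=81 packets=10 bytes=1200 src=192.168.0.2 dst=6.7.8.9 sport=8180 dport=1080 packets=8 bytes=900 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.0.5 dst=1.2.3.4 sport=2000 dport=81 packets=4 bytes=300 src=192.168.0.2 dst=192.168.0.1 sport=8180 dport=2000 packets=3 bytes=200 [ASSURED] mark=0 use=1
tcp      6 120 TIME_WAIT src=6.7.8.9 dst=1.2.3.4 sport=1090 dport=22 packets=30 bytes=4000 src=1.2.3.4 dst=6.7.8.9 sport=22 dport=1090 packets=25 bytes=3000 [ASSURED] mark=0 use=1
"""

# First match is the original (client -> server) tuple, second is the reply tuple.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass
class Flow:
    proto: str
    orig: tuple   # (src, dst, sport, dport) as the client sent the packet
    reply: tuple  # (src, dst, sport, dport) as the server sends its answer

    def nat_kinds(self):
        kinds = []
        # DNAT: the address:port the client aimed at is not the one that answers.
        if (self.orig[1], self.orig[3]) != (self.reply[0], self.reply[2]):
            kinds.append("DNAT")
        # SNAT: the server answers to an address:port other than the real client.
        if (self.orig[0], self.orig[2]) != (self.reply[1], self.reply[3]):
            kinds.append("SNAT")
        return kinds


def parse_conntrack(text):
    """Return a Flow per line that carries both tuples (ICMP lines are skipped)."""
    flows = []
    for line in text.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) == 2:
            orig, reply = [(t[0], t[1], int(t[2]), int(t[3])) for t in tuples]
            flows.append(Flow(line.split()[0], orig, reply))
    return flows


def describe(flow):
    # What the client thinks it talks to, and which backend really answers.
    o, r, kinds = flow.orig, flow.reply, flow.nat_kinds()
    text = f"{o[0]}:{o[2]} -> {o[1]}:{o[3]} {flow.proto}"
    if kinds:
        text += f" [{'+'.join(kinds)}] backend {r[0]}:{r[2]} sees client as {r[1]}:{r[3]}"
    return text
```

Run it against the real file with `parse_conntrack(open("/proc/net/ip_conntrack").read())` on a host that still exposes that file (newer kernels expose the same data through the conntrack tool instead).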

Also, in the filter table you must allow connections arriving on eth0 to reach port 8180 of address 192.168.0.2 (and IP forwarding must be enabled in the kernel via net.ipv4.ip_forward). Because the DNATed packet is routed on to 192.168.0.2 rather than delivered to the host itself, it passes through the FORWARD chain, not INPUT:

iptables -A FORWARD -d 192.168.0.2 -p tcp -m tcp --dport 8180 -i eth0 -j ACCEPT


