One. Port forwarding:
Before getting into the details of port forwarding, let me describe something I ran into recently. I was doing some testing: a factory asked me to test a piece of server software. It ran on Win2K and listened on port 881; the server was connected directly to the external network, and clients accessed it through the server's IP. They had no Linux-based version of the server software, and by their requirements the server had to be replaced with Windows Server. As a Linux enthusiast, I think you can understand the pain. I looked through the documentation and found that the iptables port forwarding feature could solve this; after an afternoon of tinkering I finally got the job done. Here is my method. The idea: use port forwarding so that when the server receives a request on port 881, it is forwarded to 10.10.2.200:881, and 10.10.2.200 returns its data to the requesting connection.
eth0: connected to ADSL, i.e. the ppp0 interface
eth1: connected to the internal network, IP 10.10.1.1
10.10.2.200 is a Win2K server, and its port 881 provides the network service.
iptables script:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 881 -j DNAT --to-destination 10.10.2.200:881
This sends requests for port 881 on to 10.10.2.200:881.
iptables -t nat -A POSTROUTING -s 10.10.0.0/16 -d 10.10.2.200 -p tcp -m tcp --dport 881 -j SNAT --to-source 10.10.1.1
This handles requests that come from the same subnet: when an internal host sends to the server's address a.b.c.d, the source address is changed to 10.10.1.1 and the packet is sent out from eth0; the connection tracking table records that a.b.c.d was reached via ppp0, and the data is sent out from ppp0.
Of course, don't forget to add a rule that allows access to port 881:
iptables -A INPUT -p tcp --dport 881 -i ppp0 -j ACCEPT
Can't we put the server in the local area network and reach it through port forwarding? The answer is certainly yes. Since port 881 can be forwarded, so can ports such as 21 and 80, and many server programs let you choose a custom port. As long as a suitable port is available, it is even possible to give each user in the local area network their own FTP server. Whatever service you want to provide can be built on port forwarding.
Local area network host 10.10.2.101 is a Win2K machine providing a WWW service on port 800.
It is accessed through the server at http://serverip:800.
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 800 -j DNAT --to-destination 10.10.2.101:800
iptables -t nat -A POSTROUTING -s 10.10.0.0/16 -d 10.10.2.101 -p tcp -m tcp --dport 800 -j SNAT --to-source 10.10.1.1
iptables -A INPUT -p tcp --dport 800 -i ppp0 -j ACCEPT
Because this is implemented with port forwarding, the server only needs iptables installed to forward the traffic; all services are provided by the internal servers, so my Linux server really is just a firewall.
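The two rule sets above (port 881 to 10.10.2.200 and port 800 to 10.10.2.101) follow one pattern, so here is an added example (not part of the original post) that generates the three rules for any port/host pair and prints them for review before they are applied. The function and variable names (forward_rules, apply_rules, WAN_IF, LAN_NET, FW_LAN_IP) are this script's own assumptions, not iptables options.

```shell
#!/bin/sh
# Added example, not from the original post: build the DNAT, hairpin SNAT and
# INPUT rules for one forwarded TCP port. Names below are this script's own.
WAN_IF="ppp0"          # link clients reach the firewall on (ADSL, ppp0)
LAN_NET="10.10.0.0/16" # internal network behind eth1
FW_LAN_IP="10.10.1.1"  # firewall's eth1 address, used as hairpin SNAT source

# forward_rules PORT INTERNAL_IP -> prints one iptables command per line
forward_rules() {
    port="$1"; dest="$2"
    # 1. DNAT: any TCP request for PORT is redirected to the internal server.
    printf 'iptables -t nat -A PREROUTING -p tcp -m tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$port" "$dest" "$port"
    # 2. Hairpin SNAT: a request from the LAN itself gets the firewall's LAN
    #    address as source, so the internal server answers via the firewall and
    #    conntrack restores the original addresses, instead of replying directly
    #    to the client (which would then drop the unexpected packet).
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp -m tcp --dport %s -j SNAT --to-source %s\n' \
        "$LAN_NET" "$dest" "$port" "$FW_LAN_IP"
    # 3. Accept the port on the WAN interface, as in the post. Note that DNATed
    #    packets traverse the FORWARD chain, so a restrictive FORWARD policy
    #    must allow them too.
    printf 'iptables -A INPUT -p tcp --dport %s -i %s -j ACCEPT\n' "$port" "$WAN_IF"
}

# apply_rules PORT INTERNAL_IP: run the generated commands (needs root and
# iptables). Forwarding also requires net.ipv4.ip_forward=1, which the post
# does not mention.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    forward_rules "$1" "$2" | sh
}

# Dry run for the two cases in the post: print the rules, do not apply them.
forward_rules 881 10.10.2.200
forward_rules 800 10.10.2.101
```

Review the printed rules first; only call apply_rules on the firewall itself, since it changes the live NAT table.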