  Linux iptables port mapping settings
     
  Add Date : 2018-11-21      
         
         
         
  Iptables port mapping settings are as follows:

Suppose a computer has two network cards: eth0 is connected to the external network with IP 1.2.3.4, and eth1 is connected to the internal network with IP 192.168.0.1. We need IP packets sent to address 1.2.3.4 port 81 to be forwarded to IP address 192.168.0.2 port 8180. The settings are as follows:

1. iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.0.2:8180

2. iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.0.0 -d 192.168.0.2 -p tcp -m tcp --dport 8180 -j SNAT --to-source 192.168.0.1

The actual transmission process is as follows:

Suppose a client with IP address 6.7.8.9 uses port 1080 to connect to port 81 on host 1.2.3.4. The IP packet it sends has source address 6.7.8.9, source port 1080, destination address 1.2.3.4 and destination port 81.

After host 1.2.3.4 receives the packet, the first rule in the nat table changes the packet's destination address to 192.168.0.2 and its destination port to 8180, and an entry is created in the connection tracking table (it can be seen in the /proc/net/ip_conntrack file). The packet is then handed to the routing module, which checks the routing table and determines that the packet should be sent out of the eth1 interface. Before the packet is sent to eth1, the second rule in the nat table is applied: if the packet comes from the same subnet, its source address is changed to 192.168.0.1 and the corresponding connection tracking entry is updated. The packet is then sent out on eth1.

The connection tracking table now contains an entry like this:

Original direction: src=6.7.8.9 dst=1.2.3.4 sport=1080 dport=81

Reply direction: src=192.168.0.2 dst=6.7.8.9 sport=8180 dport=1080

In use: use=1

A packet sent back from 192.168.0.2 has source port 8180, destination address 6.7.8.9 and destination port 1080. When the TCP/IP stack of host 1.2.3.4 receives it, the kernel searches the connection tracking table for an entry whose reply column has the same source and destination addresses and ports. Once the entry is found, the packet is rewritten according to its record: the source address is changed from 192.168.0.2 to 1.2.3.4 and the source port from 8180 to 81, while the destination port 1080 stays the same. The return packet therefore reaches the client that initiated the connection, and communication begins.
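To check which flows the two nat rules are actually rewriting, the connection tracking entries described above can be classified by comparing their original and reply tuples. This is an added example, not part of the original article; the function names nat_flows and sample_conntrack are hypothetical, and the sample lines are constructed in /proc/net/ip_conntrack format from the article's addresses plus an assumed internal client 192.168.0.7.

```shell
#!/bin/sh
# Constructed sample entries: an external client (DNAT only), an internal
# client on the same subnet (DNAT plus SNAT), and an untranslated flow.
sample_conntrack() {
    cat <<'EOF'
tcp      6 431999 ESTABLISHED src=6.7.8.9 dst=1.2.3.4 sport=1080 dport=81 src=192.168.0.2 dst=6.7.8.9 sport=8180 dport=1080 [ASSURED] use=1
tcp      6 431990 ESTABLISHED src=192.168.0.7 dst=1.2.3.4 sport=40000 dport=81 src=192.168.0.2 dst=192.168.0.1 sport=8180 dport=40000 [ASSURED] use=1
tcp      6 300 ESTABLISHED src=6.7.8.9 dst=1.2.3.4 sport=2222 dport=22 src=1.2.3.4 dst=6.7.8.9 sport=22 dport=2222 [ASSURED] use=1
EOF
}

# Read conntrack lines on stdin and print only the translated flows.
nat_flows() {
    awk '
    {
        n = 0
        sport[1] = sport[2] = dport[1] = dport[2] = ""
        # First src/dst/sport/dport group is the original direction,
        # the second group is the expected reply direction.
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") != 2) continue
            if (kv[1] == "src") { n++; src[n] = kv[2] }
            else if (kv[1] == "dst") dst[n] = kv[2]
            else if (kv[1] == "sport") sport[n] = kv[2]
            else if (kv[1] == "dport") dport[n] = kv[2]
        }
        if (n != 2) next    # skip lines without both tuples
        kind = ""
        # DNAT: the reply source is not the original destination.
        if (dst[1] != src[2] || dport[1] != sport[2]) kind = "DNAT"
        # SNAT: the reply destination is not the original source.
        if (src[1] != dst[2] || sport[1] != dport[2]) {
            if (kind == "") kind = "SNAT"
            else kind = kind "+SNAT"
        }
        if (kind != "")
            printf "%s %s:%s -> %s:%s reply %s:%s -> %s:%s\n", kind,
                src[1], sport[1], dst[1], dport[1],
                src[2], sport[2], dst[2], dport[2]
    }'
}

sample_conntrack | nat_flows
```

On the gateway itself, pipe the contents of /proc/net/ip_conntrack into nat_flows instead of the sample; the parser only looks at key=value fields, so extra leading columns do not affect it.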

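One more point: the filter table must also allow connections arriving on eth0 for address 192.168.0.2 port 8180. Because these packets are forwarded to another host rather than delivered to the gateway itself, the rule belongs in the FORWARD chain:

iptables -A FORWARD -d 192.168.0.2 -p tcp -m tcp --dport 8180 -i eth0 -j ACCEPT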

As the example above shows, setting up iptables port mapping is not difficult!
     
         
         
         
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.