Repost: Setting up a port map with iptables

iptables makes NAT easy to set up and is highly customizable. I recently needed to map a few machines and found that even the official site's documentation is a little incomplete. Having got it working, I am posting my notes here so that others don't go down the wrong path.

What I describe here is mapping a port on the gateway to another machine. For redirecting a port on the local machine itself there is a ready-made REDIRECT target: just put REDIRECT after the -j option.

REDIRECT example

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128

First, look at the path a packet takes through iptables

Code:

                        _____
Incoming               /     \                 Outgoing
  ------>[Routing ]--->|FORWARD|---------------------->
         [Decision]    \_____/             ^
             |                             |
             v                           _____
           _____                        /     \
          /     \                      |OUTPUT|
          |INPUT|                       \_____/
          \_____/                          ^
             |                             |
             -----> Local Process ----------

Code:

      _____                                          _____
     /     \                                        /     \
 -->|PREROUTING|-->[Routing ]--------------------->|POSTROUTING|---->
     \ D-NAT /     [Decision]                       \ S-NAT  /
                       |                                ^
                       |                              __|__
                       |                             /     \
                       |                            |OUTPUT|
                       |                             \D-NAT/
                       |                                ^
                       |                                |
                       -------> Local Process -----------

As you can see, once a packet comes in and nothing about it is changed, it is dispatched according to its destination address either to the FORWARD chain (another machine on the internal network) or to the INPUT chain (the local machine). The principle of a port map is DNAT (Destination NAT): rewrite the packet's destination address so that a packet sent to the gateway's external IP is delivered to some internal IP instead.

DNAT is done in the PREROUTING chain of the nat table; for example:

iptables -t nat -I PREROUTING -p tcp -m tcp -i ppp0 --dport 3344 -j DNAT --to-destination 192.168.0.111:22

This maps port 3344 on the gateway to port 22 on 192.168.0.111.

After this, the packet continues into the FORWARD chain, so you must make sure your FORWARD chain either has a matching ACCEPT rule or has an open default policy.

Open the FORWARD chain by default policy

iptables -P FORWARD ACCEPT

Alternatively, lock down the FORWARD policy and add the specific rules you need (here: allow forwarding from the 192.168.1.0/24 network).

iptables -P FORWARD DROP
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT

The official site's documentation ends here, and you will find that the port map simply does not work: the connection times out after SYN_SENT. The cause is that no corresponding SNAT has been done. Although the packet is forwarded into the internal network, the reply is addressed to the external IP rather than going first to the gateway to be forwarded on, so the internal machine cannot get its reply back and the connection fails.

SNAT, i.e. Source NAT

Continue by adding the following rule

iptables -t nat -A POSTROUTING -d 192.168.0.111 -s 0.0.0.0/0 -p tcp -m tcp --dport 22 -j SNAT --to-source 192.168.0.5

SNAT is done in the POSTROUTING chain of the nat table. The rule above rewrites the source address of packets the gateway sends to port 22 on 192.168.0.111 to be the gateway's internal IP.

After this change, the internal machine's replies go back to the gateway, and the gateway forwards them on to the requesting machine. Check once more that you have enabled forwarding in the kernel and that the FORWARD chain is either open or has a matching rule that lets the forwarded packets through.

Enable forwarding in the kernel

echo 1 > /proc/sys/net/ipv4/ip_forward

Precise rule for the FORWARD chain

iptables -I FORWARD -p tcp -m tcp -d 192.168.0.111 --dport 22 -j ACCEPT

With that, one port forward is complete; the others follow the same pattern.
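The whole procedure above (DNAT, FORWARD, SNAT and the kernel forwarding switch) gathered into one reviewable rule generator, as an added example that is not part of the original post. It assumes the post's values (WAN interface ppp0, gateway LAN address 192.168.0.5, target 192.168.0.111:22) and a locked-down FORWARD policy, which is why it also admits reply traffic by connection state.

```shell
#!/bin/sh
# Added example (not from the original post): emit the full rule set for one
# TCP port map on the gateway. Assumed/constructed values: WAN interface ppp0,
# gateway LAN address 192.168.0.5, LAN target 192.168.0.111:22.

# portmap_rules WAN_IF WAN_PORT LAN_IP LAN_PORT GW_LAN_IP
# Prints (does not run) the iptables commands, so the set can be reviewed or
# diffed against `iptables-save` before being applied with: portmap_rules ... | sh
portmap_rules() {
    wan_if=$1 wan_port=$2 lan_ip=$3 lan_port=$4 gw_lan_ip=$5
    # 1. DNAT in nat/PREROUTING: packets arriving on the WAN port are
    #    re-addressed to the LAN host.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan_if" "$wan_port" "$lan_ip" "$lan_port"
    # 2. filter/FORWARD: log and admit only new connections to the mapped
    #    port, plus reply traffic. Replies traverse FORWARD too (conntrack
    #    undoes both NATs before routing), so with a DROP policy the
    #    ESTABLISHED,RELATED rule is what lets the SYN-ACK back out.
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j LOG --log-prefix "portmap: "\n' \
        "$wan_if" "$lan_ip" "$lan_port"
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$wan_if" "$lan_ip" "$lan_port"
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    # 3. SNAT in nat/POSTROUTING: the LAN host sees the gateway as the source,
    #    so its replies return through the gateway. Side effect: the LAN host's
    #    own logs show the gateway, not the real client, which is why the LOG
    #    rule above records the original client address on the gateway.
    printf 'iptables -t nat -A POSTROUTING -p tcp -d %s --dport %s -j SNAT --to-source %s\n' \
        "$lan_ip" "$lan_port" "$gw_lan_ip"
}

# ip_forward_enabled: succeeds (exit 0) only if the kernel forwards IPv4.
# The switch lives at /proc/sys/net/ipv4/ip_forward; writing 1 there (or
# `sysctl -w net.ipv4.ip_forward=1`) turns it on.
ip_forward_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] &&
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# Usage: print the rules for the post's example, then report the kernel switch.
portmap_rules ppp0 3344 192.168.0.111 22 192.168.0.5
if ip_forward_enabled; then echo "ip_forward: on"; else echo "ip_forward: off"; fi
```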
