iptables port forwarding: worked examples

Published 2020-09-05, edited by 脚本学堂
Here are several examples of port forwarding with iptables. As the IP packet-filtering system built into Linux, iptables can implement port forwarding easily; the examples below show how.

iptables is the IP packet-filtering system integrated with the latest 2.6.x Linux kernels.

iptables port forwarding

1. Shell script:

#!/bin/sh
#filename gw.sh
PATH=$PATH:/usr/sbin:/sbin
# Let the kernel route packets between interfaces
echo "1" >/proc/sys/net/ipv4/ip_forward
modprobe ip_tables
# FTP connection-tracking and NAT helpers
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
# Flush the chains this script manages before re-adding rules
iptables -F INPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
# Forwarded traffic is denied unless a rule below accepts it
iptables -P FORWARD DROP
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN hosts leave through eth0 using the gateway's address
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
# Port 80 on the external address 192.168.1.201 is rewritten to 10.0.0.2:80
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 80 -j DNAT --to 10.0.0.2:80
# The destination was already rewritten in PREROUTING, so FORWARD does not see 192.168.1.201 on these packets
iptables -A FORWARD -p tcp -d 192.168.1.201 --dport 80 -j ACCEPT
# This rule, on the post-DNAT destination, is the one that admits the forwarded traffic
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -j ACCEPT

Accessing the service from outside then works without problems.

Modified bash shell script (the external port is changed from 80 to 8000):

#!/bin/sh
#filename gw.sh
PATH=$PATH:/usr/sbin:/sbin
echo "1" >/proc/sys/net/ipv4/ip_forward
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
iptables -F INPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -P FORWARD DROP
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
# External port 8000 on 192.168.1.201 is mapped to port 80 on 10.0.0.2
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 8000 -j DNAT --to 10.0.0.2:80
iptables -A FORWARD -p tcp -d 192.168.1.201 --dport 8000 -j ACCEPT
# Forwarded packets already carry destination 10.0.0.2:80 when they reach FORWARD
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -j ACCEPT

Shell script code (external ports 81 and 21 forwarded to 10.0.0.2, with a DROP policy on the nat PREROUTING chain):

#!/bin/sh
PATH=$PATH:/usr/sbin:/sbin
echo "1" >/proc/sys/net/ipv4/ip_forward
modprobe ip_tables
# FTP connection-tracking and NAT helpers
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
iptables -F INPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -P FORWARD DROP
# nat PREROUTING policy DROP: the first packet of a new connection that matches no DNAT rule below is dropped
iptables -t nat -P PREROUTING DROP
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
# HTTP: external port 81 -> 10.0.0.2:80; FORWARD accepts only the post-DNAT destination
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 81 -j DNAT --to 10.0.0.2:80
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -j ACCEPT
# FTP: external port 21 -> 10.0.0.2:21
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 21 -j DNAT --to 10.0.0.2:21
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 21 -j ACCEPT

View the resulting iptables port-forwarding rules:

[root@redhat unixboy]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 10.0.0.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 10.0.0.2 tcp dpt:http
ACCEPT tcp -- anywhere 10.0.0.2 tcp dpt:ftp
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[root@redhat unixboy]# /sbin/iptables -L -t nat
Chain PREROUTING (policy DROP)
target prot opt source destination
DNAT tcp -- anywhere 192.168.1.201 tcp dpt:81 to:10.0.0.2:80
DNAT tcp -- anywhere 192.168.1.201 tcp dpt:ftp to:10.0.0.2:21
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.0.0.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

That solves the iptables port-forwarding problem.
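All three scripts depend on the same fact: DNAT in nat PREROUTING rewrites the destination, and the filter FORWARD chain then only sees the internal address, so the ACCEPT has to name the internal host and port. As an added example that is not part of the original article, this Python audit parses `iptables -L` style listings like the one above and reports, for each DNAT rule, whether FORWARD would admit the connection; the listings it checks are constructed samples modelled on the article's output, one of them with the mistake of accepting only the external address.

```python
import re
# Port names `iptables -L` prints instead of numbers (small /etc/services subset).
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "http": 80, "https": 443}
POLICY_RE = re.compile(r"^Chain (\w+) \(policy (\w+)\)$")
# Rule lines as `iptables -L` prints them, e.g. "DNAT tcp -- anywhere 192.168.1.201 tcp dpt:81 to:10.0.0.2:80"
DNAT_RE = re.compile(r"^DNAT\s+(\w+)\s+--\s+\S+\s+\S+\s+\w+\s+dpt:\S+\s+to:([\d.]+):(\d+)$")
ACCEPT_RE = re.compile(r"^ACCEPT\s+(\w+)\s+--\s+\S+\s+(\S+)\s+\w+\s+dpt:(\S+)$")

def port_number(token):
    return SERVICE_PORTS.get(token) or int(token)  # 'http' -> 80, '81' -> 81

def parse_chain(listing, chain):
    """Return (policy, rule lines) for one chain of `iptables -L` style output."""
    policy, rules, inside = None, [], False
    for line in map(str.strip, listing.splitlines()):
        m = POLICY_RE.match(line)
        if m:  # a "Chain X (policy Y)" header starts a new chain
            inside = m.group(1) == chain
            policy = m.group(2) if inside else policy
        elif inside and line and not line.startswith("target"):
            rules.append(line)
    return policy, rules

def audit_forwards(nat_listing, filter_listing):
    """For each DNAT target (proto, ip, port), report whether FORWARD admits it: FORWARD sees the
    rewritten destination, so only an ACCEPT on the internal host:port (or an ACCEPT policy) passes it."""
    _, nat_rules = parse_chain(nat_listing, "PREROUTING")
    policy, fwd_rules = parse_chain(filter_listing, "FORWARD")
    accepted = {(m.group(1), m.group(2), port_number(m.group(3)))
                for m in map(ACCEPT_RE.match, fwd_rules) if m}
    report = {}
    for m in filter(None, map(DNAT_RE.match, nat_rules)):
        key = (m.group(1), m.group(2), int(m.group(3)))
        report[key] = ("ok: explicit FORWARD ACCEPT" if key in accepted else
                       "ok only because FORWARD policy is ACCEPT" if policy == "ACCEPT" else
                       "blocked: no FORWARD rule for the post-DNAT destination")
    return report

# Constructed samples modelled on the `iptables -L` listing in the article.
NAT = """Chain PREROUTING (policy DROP)
target prot opt source destination
DNAT tcp -- anywhere 192.168.1.201 tcp dpt:81 to:10.0.0.2:80
DNAT tcp -- anywhere 192.168.1.201 tcp dpt:ftp to:10.0.0.2:21
Chain POSTROUTING (policy ACCEPT)
MASQUERADE all -- 10.0.0.0/24 anywhere"""
FILTER_GOOD = """Chain FORWARD (policy DROP)
ACCEPT tcp -- anywhere 10.0.0.2 tcp dpt:http
ACCEPT tcp -- anywhere 10.0.0.2 tcp dpt:ftp"""
# Common mistake: accepting the external address, which FORWARD never sees after DNAT.
FILTER_BAD = "Chain FORWARD (policy DROP)\nACCEPT tcp -- anywhere 192.168.1.201 tcp dpt:http"
```

Run `audit_forwards(NAT, FILTER_GOOD)` and `audit_forwards(NAT, FILTER_BAD)` to compare the verdicts; the same functions work on real `iptables -L -t nat` and `iptables -L` output captured from a gateway.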