Iptables
来自Jack's Lab
Latest revision as of 16:35, 10 October 2022 (Mon)
1 Overview
Five "hook points" (chains):
- PREROUTING # packets as soon as they arrive, before any routing decision
- POSTROUTING # packets after the routing decision, just before they leave
- FORWARD # packets that flow through a gateway computer, coming in one interface and going right back out another
- INPUT # packets just before they are delivered to a local process
- OUTPUT # packets just after they are generated by a local process
Choosing a chain:
If you want to filter outgoing packets, it is best to do so in the OUTPUT chain because the POSTROUTING chain is not associated with the filter table.
Three built-in tables:
- filter (used by default when no table is given with -t)
- mangle
- nat
Targets:
- specified with -j
- DNAT
  - DNAT does destination network address translation, e.g. forwarding every packet for a given destination port to an address and port on the internal network; this can implement a simple kind of load balancing.
  - Usually placed on the PREROUTING chain of the nat table.
  - Destination NAT (DNAT) exposes specific services on an internal network to the outside world without linking the internal computers directly to the Internet.
- SNAT (gateway computer has a static IP address)
  - SNAT does source network address translation, i.e. it rewrites the packet's source IP address. For example, several internal machines reach the Internet through one gateway, and the gateway rewrites the internal IP to its own public IP.
  - Usually placed on the POSTROUTING chain of the nat table.
  - Source NAT (SNAT) is used to share a single Internet connection among computers on a network.
- MASQUERADE (gateway computer has a dynamic IP address)
- ACCEPT
- REDIRECT
- DROP
- QUEUE
- RETURN
2 Enabling IPv4 forwarding
Command line:
$ sysctl -w net.ipv4.ip_forward=1
$ sysctl -p # reload /etc/sysctl.conf and print the values it applies
# or
$ echo 1 > /proc/sys/net/ipv4/ip_forward
Configuration:
$ sudo vim /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
3 Examples
Map a gateway port to a host on the internal network:
$ iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.87:8080
Share the gateway's public address so internal hosts can reach the Internet:
# static IP (SNAT needs the address to rewrite to; <public-ip> is a placeholder for the gateway's public address)
$ iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source <public-ip>
# dynamic IP
$ iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
If you have an HTTP proxy (such as Squid) configured to run as a transparent proxy on your firewall computer and listen on port 8888, you can add one rule to redirect outbound HTTP traffic to the HTTP proxy:
$ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8888
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 6666
Redirect packets for a port coming from the test subnet to a local port; other subnets keep reaching the original port:
$ iptables -t nat -A PREROUTING -p tcp -s 192.168.10.0/24 --dport 1234 -j REDIRECT --to-ports 6666
Port forwarding: packets from A (192.168.10.2) to port 1234 on B are forwarded to port 6666 on C (192.168.10.6); everything else is left alone:
$ iptables -t nat -A PREROUTING -s 192.168.10.2 -p tcp --dport 1234 -j DNAT --to-destination 192.168.10.6:6666
# match the destination after DNAT (C:6666) so that C's replies come back through this host
$ iptables -t nat -A POSTROUTING --dst 192.168.10.6 -p tcp --dport 6666 -j MASQUERADE
# forward every packet for destination port 82 to xx.xx.xx.xx:83
$ iptables -t nat -I PREROUTING -p tcp --dport 82 -j DNAT --to-destination xx.xx.xx.xx:83
# TCP packets for xx.xx.xx.xx:83: rewrite the source address to the IP of the outgoing interface
$ iptables -t nat -I POSTROUTING -d xx.xx.xx.xx -p tcp --dport 83 -j MASQUERADE
# rewrite the source address of all traffic to the IP of the outgoing interface
$ iptables -t nat -I POSTROUTING -j MASQUERADE
- -s [!] addr[/mask] <===> --src <===> --source
- -d [!] addr[/mask] <===> --dst <===> --destination
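The examples above pair a PREROUTING DNAT rule with a POSTROUTING MASQUERADE rule and depend on IPv4 forwarding being switched on. The following script is an added example, not code from this wiki page or from the iptables project: it parses `iptables-save` output into the table / chain / target structure described in the Overview and then checks those two conditions. `SAMPLE` is a constructed iptables-save dump built from the rules on this page, not a capture from a real host; the `ip_forward` argument stands in for the value of `net.ipv4.ip_forward`.

```python
"""Parse `iptables-save` output and audit the DNAT / MASQUERADE pairs from the examples above.

Added example (not code from the wiki page): models table -> chain -> rule -> target and checks that
  * every PREROUTING DNAT target is covered by a POSTROUTING SNAT/MASQUERADE rule
    (the A -> B:1234 -> C:6666 example pairs DNAT with MASQUERADE for this reason);
  * net.ipv4.ip_forward is 1 whenever DNAT rules exist.
SAMPLE is a constructed iptables-save dump, not captured from a real host.
"""
import shlex
from dataclasses import dataclass

SAMPLE = """\
# Constructed sample in iptables-save format (not a real capture)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.87:8080
-A PREROUTING -s 192.168.10.2/32 -p tcp -m tcp --dport 1234 -j DNAT --to-destination 192.168.10.6:6666
-A PREROUTING -s 192.168.10.0/24 -p tcp -m tcp --dport 1234 -j REDIRECT --to-ports 6666
-A POSTROUTING -d 192.168.10.6/32 -p tcp -m tcp --dport 6666 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""


@dataclass
class Rule:
    chain: str
    args: list  # tokens after "-A <chain>", e.g. ["-p", "tcp", "-j", "DNAT", ...]

    def opt(self, *names):
        """Value following the first of the given option names, or None.
        Negated matches ("! -d x") are not modelled; the "!" token is simply skipped."""
        for i, tok in enumerate(self.args[:-1]):
            if tok in names:
                return self.args[i + 1]
        return None

    @property
    def target(self):
        return self.opt("-j")

    def covers(self, host, port):
        """True if this rule's -d / --dport restrictions (if any) admit host:port."""
        dst = self.opt("-d", "--dst", "--destination")
        if dst is not None and dst.split("/")[0] != host:
            return False
        dport = self.opt("--dport", "--destination-port")
        return dport is None or dport == port


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [Rule, ...]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):  # "*nat" opens a table block
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):  # ":CHAIN POLICY [pkts:bytes]"; policy is "-" for user chains
            chain, policy, _counters = line[1:].split()
            tables[table]["policies"][chain] = policy
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A "):
            argv = shlex.split(line)
            tables[table]["rules"].append(Rule(argv[1], argv[2:]))
    return tables


def audit_nat(tables, ip_forward):
    """Return a list of finding strings; ip_forward is the value of net.ipv4.ip_forward."""
    nat = tables.get("nat", {"policies": {}, "rules": []})
    dnats = [r for r in nat["rules"] if r.chain == "PREROUTING" and r.target == "DNAT"]
    snats = [r for r in nat["rules"] if r.chain == "POSTROUTING" and r.target in ("SNAT", "MASQUERADE")]
    findings = []
    if dnats and ip_forward != 1:
        findings.append("DNAT rules present but net.ipv4.ip_forward is not 1; forwarded packets will not pass")
    for r in dnats:
        dest = r.opt("--to-destination") or ""
        host, _, port = dest.partition(":")
        if not any(s.covers(host, port) for s in snats):
            findings.append(f"DNAT to {dest} has no covering SNAT/MASQUERADE in POSTROUTING "
                            "(fine when this host is the target's default gateway, otherwise replies bypass it)")
    return findings


if __name__ == "__main__":
    parsed = parse_iptables_save(SAMPLE)
    for name, tbl in parsed.items():
        print(name, tbl["policies"], [(r.chain, r.target) for r in tbl["rules"]])
    for finding in audit_nat(parsed, ip_forward=1):
        print("finding:", finding)
```

On a real host the input would be the output of `iptables-save` and `ip_forward` the value printed by `sysctl net.ipv4.ip_forward`. The DNAT-without-MASQUERADE finding is informational: a gateway that is the internal host's default route does not need it, while the A-to-C forwarding case above does.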
Save the rules:
$ service iptables save
Turn off port forwarding (stops the iptables service):
$ service iptables stop
4 Rules
List:
$ iptables [-t table] -S [chain]
$ iptables -t nat -S PREROUTING
# Show the rules currently in effect in the given chain; with no chain, all chains of the table; with no table, the filter table
$ iptables-save
# Show all rules in effect in every table
$ iptables [-t table] -L [-v] [-n] [--line-numbers]
# Show the rules currently in effect as a table
$ iptables -t nat -L -n --line-numbers
- -L -n is the same as -nL; --line is accepted as an abbreviation of --line-numbers
- -v additionally shows the in/out interfaces plus packet and byte counters.
- -n prints IP addresses and port numbers numerically; by default iptables tries DNS lookups.
- --line-numbers shows each rule's number, which is the rule-num used when inserting, replacing or deleting rules.
- Shorthand: -nvL
Append:
$ iptables [-t table] -A chain rule-specification
Insert:
$ iptables [-t table] -I chain [rule-num] rule-specification
Delete:
$ iptables [-t table] -D chain rule-num
$ iptables -t nat -D PREROUTING 2
Replace:
$ iptables [-t table] -R chain rule-num rule-specification
Set the default policy:
$ iptables [-t table] -P chain target
In the filter table the target can be DROP or ACCEPT; the other tables default to ACCEPT, which apparently cannot be changed (unverified).
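The commands in this section only make sense together with the order in which a chain is evaluated: the first matching rule decides, and the chain policy applies when nothing matches. The script below is an added example, not code from this wiki page or from iptables; it models one built-in chain with -A, -I, -D, -R and -P keyed by the rule numbers that `-L --line-numbers` shows, and `demo()` shows why inserting a rule at position 1 and appending the same rule give different results. `Packet` and `Rule` are simplifications of my own: a rule spec is a dict of fields to match, and only src/dst (CIDR), proto, dport and in_if are modelled.

```python
"""A small model of one built-in iptables chain: -A / -I / -D / -R by rule number,
-P for the default policy, and first-match evaluation of a packet.

Added example, not code from the wiki page or from iptables itself. Packet and Rule
are simplified: a spec is a dict of packet fields, with src/dst compared as CIDR.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_if: str = ""


@dataclass
class Rule:
    spec: dict    # e.g. {"proto": "tcp", "dport": 22, "src": "192.168.10.0/24"}
    target: str   # ACCEPT, DROP, RETURN, ...

    def matches(self, pkt):
        for key, want in self.spec.items():
            have = getattr(pkt, key)
            if key in ("src", "dst"):
                # "-s/-d addr[/mask]": containment test; a bare address means /32
                if ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                    return False
            elif have != want:
                return False
        return True


class Chain:
    def __init__(self, name, policy="ACCEPT"):
        self.name, self.policy, self.rules = name, policy, []

    def _index(self, num, insert=False):
        """Rule numbers are 1-based as shown by --line-numbers; out of range is an error, as in iptables."""
        limit = len(self.rules) + (1 if insert else 0)
        if not 1 <= num <= limit:
            raise IndexError(f"{self.name}: rule number {num} out of range")
        return num - 1

    def append(self, rule):           # -A chain rule-specification
        self.rules.append(rule)

    def insert(self, rule, num=1):    # -I chain [rule-num] rule-specification (default: top of chain)
        self.rules.insert(self._index(num, insert=True), rule)

    def delete(self, num):            # -D chain rule-num
        del self.rules[self._index(num)]

    def replace(self, num, rule):     # -R chain rule-num rule-specification
        self.rules[self._index(num)] = rule

    def set_policy(self, target):     # -P chain target
        self.policy = target

    def list_rules(self):             # -L --line-numbers
        return [(i + 1, r.target, r.spec) for i, r in enumerate(self.rules)]

    def verdict(self, pkt):
        """First matching rule wins; RETURN in a built-in chain, or no match at all, yields the policy."""
        for rule in self.rules:
            if rule.matches(pkt):
                return self.policy if rule.target == "RETURN" else rule.target
        return self.policy


def demo():
    """Why -I (insert at the top) and -A (append) give different results for the same rule."""
    inp = Chain("INPUT", policy="DROP")
    inp.append(Rule({"in_if": "lo"}, "ACCEPT"))
    inp.append(Rule({"proto": "tcp", "dport": 22, "src": "192.168.10.0/24"}, "ACCEPT"))
    inp.append(Rule({"proto": "tcp", "dport": 80}, "ACCEPT"))
    ssh = Packet("192.168.10.5", "192.168.10.1", "tcp", 22, "eth0")  # constructed packet

    before = inp.verdict(ssh)                               # ACCEPT, via rule 2
    inp.insert(Rule({"src": "192.168.10.5"}, "DROP"), 1)    # -I INPUT 1: now shadows rule 2
    shadowed = inp.verdict(ssh)                             # DROP
    inp.delete(1)                                           # -D INPUT 1
    inp.append(Rule({"src": "192.168.10.5"}, "DROP"))       # -A INPUT: sits after the ACCEPT, never reached
    appended = inp.verdict(ssh)                             # ACCEPT
    return before, shadowed, appended


if __name__ == "__main__":
    print(demo())
```

The model is deliberately minimal: it has no connection tracking, no user-defined chains (so RETURN simply falls through to the policy) and no interface routing, but it is enough to reason about rule-number arithmetic and shadowing before touching a live firewall.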
5 Reference
- https://linuxbg.eu/books/Linux%20Iptables%20Pocket%20Reference.pdf
- https://www.cnblogs.com/foxgab/p/6896957.html
- https://www.cnblogs.com/foxgab/p/6904627.html
- https://blog.csdn.net/Criss_Leung/article/details/77988864