PACKET IN
    |
PREROUTING--[routing]-->--FORWARD-->--POSTROUTING-->--OUT
 - nat (dst)    |         - filter         ^ - nat (src)
                |                          |
                |                          |
              INPUT                     OUTPUT
              - filter                  - nat (dst)
                |                       - filter
                |                          |
                `----->-----[app]----->----'
The filter table has three built-in chains:
FORWARD chain: filters packets routed through the firewall to the networks it protects.
INPUT chain: filters packets destined for the firewall itself.
OUTPUT chain: filters packets originating from the firewall.
The nat table has the following built-in chains:
PREROUTING chain: rewrites the destination address of a packet (DNAT) before the routing decision.
POSTROUTING chain: rewrites the source address of a packet (SNAT) after the routing decision.
OUTPUT chain: rewrites the destination address of packets originating from the firewall.
1. One-to-one port mapping

Same port on the internal host:
$ iptables -t nat -A PREROUTING -i eth1 -p udp --dport 1000 -j DNAT --to 192.168.1.10
$ iptables -t filter -A FORWARD -i eth1 -p udp -d 192.168.1.10 --dport 1000 -j ACCEPT
Resulting mapping (external port -> internal port):
1000 -> 1000

Different port on the internal host:
$ iptables -t nat -A PREROUTING -i eth1 -p udp --dport 1000 -j DNAT --to 192.168.1.10:3000
$ iptables -t filter -A FORWARD -i eth1 -p udp -d 192.168.1.10 --dport 3000 -j ACCEPT
Resulting mapping:
1000 -> 3000

Note that the FORWARD rule matches the destination address and port after DNAT (192.168.1.10:3000, not the original port 1000), because FORWARD runs after PREROUTING, as the diagram above shows.
2. Many-to-one port range mapping
$ iptables -t nat -A PREROUTING -i eth1 -p udp --dport 1000:2000 -j DNAT --to 192.168.1.10:3000
$ iptables -t filter -A FORWARD -i eth1 -p udp -d 192.168.1.10 --dport 3000 -j ACCEPT
Resulting mapping (external port -> internal port):
1000 -> 3000
1001 -> 3000
...
1999 -> 3000
2000 -> 3000
3. One-to-one port range mapping
$ iptables -t nat -A PREROUTING -i eth1 -p udp --dport 1000:2000 -j DNAT --to 192.168.1.10
$ iptables -t filter -A FORWARD -i eth1 -p udp -d 192.168.1.10 --dport 1000:2000 -j ACCEPT
Resulting mapping (external port -> internal port):
1000 -> 1000
1001 -> 1001
...
1999 -> 1999
2000 -> 2000
4. One-to-one port shift mapping
$ iptables -t nat -A PREROUTING -i eth1 -p udp --dport 1000:2000 -j DNAT --to 192.168.1.10:3000-4000
$ iptables -t filter -A FORWARD -i eth1 -p udp -d 192.168.1.10 --dport 3000:4000 -j ACCEPT
Resulting mapping (external port -> internal port):
1000 -> 3000
1001 -> 3000
...
1999 -> 3000
2000 -> 3000
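As an added illustration (not code from the original post), the following Python models the port choice the four mapping tables above show and derives the --dport the FORWARD ACCEPT rule has to match. The rule that a --to range sends a packet whose original port lies outside the range to the lowest port of that range is an assumption taken from the tables above, not a kernel guarantee; the in-range case (original port kept) goes beyond the page's own cases.

```python
import re

def parse_ports(spec):
    """'1000' -> (1000, 1000); '1000:2000' or '3000-4000' -> (lo, hi)."""
    m = re.fullmatch(r"(\d+)(?:[:-](\d+))?", spec)
    if not m:
        raise ValueError(f"bad port spec: {spec!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec!r}")
    return lo, hi

def parse_to(to_spec):
    """IPv4 --to value: 'IP' -> (IP, None); 'IP:P' or 'IP:P-Q' -> (IP, (lo, hi))."""
    ip, sep, ports = to_spec.partition(":")
    return ip, (parse_ports(ports) if sep else None)

def dnat_port_map(dport_spec, to_spec):
    """{external port: internal port} produced by one PREROUTING DNAT rule.

    Port choice is modelled on the tables above (an assumption, not a kernel
    guarantee): no port in --to keeps the original port, a single port takes
    every match, and a range keeps the original port only when it already
    lies inside the range, otherwise using the lowest port of the range.
    """
    lo, hi = parse_ports(dport_spec)
    _, target = parse_to(to_spec)
    mapping = {}
    for ext in range(lo, hi + 1):
        if target is None:
            mapping[ext] = ext
        else:
            tlo, thi = target
            mapping[ext] = ext if tlo <= ext <= thi else tlo
    return mapping

def forward_dport_match(dport_spec, to_spec):
    """--dport for the matching FORWARD ACCEPT rule: FORWARD runs after
    PREROUTING, so it must match the post-DNAT port(s)."""
    _, target = parse_to(to_spec)
    lo, hi = target if target else parse_ports(dport_spec)
    return str(lo) if lo == hi else f"{lo}:{hi}"

if __name__ == "__main__":
    for dport, to in [("1000:2000", "192.168.1.10"), ("1000:2000", "192.168.1.10:3000-4000")]:
        internal = sorted(set(dnat_port_map(dport, to).values()))
        print(f"--dport {dport} --to {to}: internal {internal[0]}..{internal[-1]},"
              f" FORWARD --dport {forward_dport_match(dport, to)}")
```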