iptables 端口转发(1)

iptables 端口转发(1)

iptables是一款好用的系统工具，本文讲下iptables 端口转发。

我首先运行以下script

#filename gw.sh

PATH=$PATH:/usr/sbin:/sbin

echo "1" >/proc/sys/net/ipv4/ip_forward

modprobe ip_tables

modprobe ip_nat_ftp

modprobe ip_conntrack_ftp

iptables -F INPUT

iptables -F FORWARD

iptables -F POSTROUTING -t nat

iptables -F PREROUTING -t nat

iptables -P FORWARD DROP

iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT

iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 80 -j DNAT --to 10.0.0.2:80

iptables -A FORWARD -p tcp -d 192.168.1.201 --dport 80 -j ACCEPT

iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -j ACCEPT

然后在外部访问，没问题。

然后我改了一下这个script:

#filename gw.sh

PATH=$PATH:/usr/sbin:/sbin

echo "1" >/proc/sys/net/ipv4/ip_forward

modprobe ip_tables

modprobe ip_nat_ftp

modprobe ip_conntrack_ftp

iptables -F INPUT

iptables -F FORWARD

iptables -F POSTROUTING -t nat

iptables -F PREROUTING -t nat

iptables -P FORWARD DROP

iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT

iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 8000 -j DNAT --to 10.0.0.2:80

iptables -A FORWARD -p tcp -d 192.168.1.201 --dport 8000 -j ACCEPT

iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -j ACCEPT

#!/bin/sh

PATH=$PATH:/usr/sbin:/sbin

echo "1" >/proc/sys/net/ipv4/ip_forward

modprobe ip_tables

modprobe ip_nat_ftp

modprobe ip_conntrack_ftp

iptables -F INPUT

iptables -F FORWARD

iptables -F POSTROUTING -t nat

iptables -F PREROUTING -t nat

iptables -P FORWARD DROP

iptables -t nat -P PREROUTING DROP

iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT

iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 81 -j DNAT --to 10.0.

0.2:80

iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 21 -j DNAT --to 10.0.

0.2:21

iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 21 -j ACCEPT