|
《LINUX教程:Linux iptables 端口转发》要点:
本文介绍了LINUX教程:Linux iptables 端口转发,希望对您有用。如果有疑问,可以联系我们。
准备:
1,UDP端口范围映射
2,tcp 端口范围映射
3,本机端口转发
4,单个端口转发
准备:
打开转发
[root@CentOS ~]# cat /etc/sysctl.conf? | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1?
?
清空规则,修改默认策略,重要数据请备份
[root@CentOS ~]# iptables -F -t nat
[root@CentOS ~]# iptables -X -t nat
[root@CentOS ~]# iptables -P INPUT DROP
[root@CentOS ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target? ? prot opt source? ? ? ? ? ? ? destination? ? ? ? ?
?
Chain POSTROUTING (policy ACCEPT)
target? ? prot opt source? ? ? ? ? ? ? destination? ? ? ? ?
?
Chain OUTPUT (policy ACCEPT)
target? ? prot opt source? ? ? ? ? ? ? destination? ? ? ? ?
[root@CentOS ~]#?
?
删除reject
[root@CentOS ~]# vim /etc/sysconfig/iptables
[root@CentOS ~]# service iptables restart
1,UDP端口范围映射
一一匹配:
[root@CentOS ~]# iptables -t nat -A PREROUTING -p udp --dport 5000:6000 -j DNAT --to 192.168.66.2:5000-6000?
?
【注意】这样写,将导致不可预测的端口转发匹配:
[root@CentOS ~]# iptables -t nat -A PREROUTING -p udp --dport 5000:5010 -j DNAT --to 192.168.66.2:6000-6010
【nat内机器:192.168.66.2】端口转发匹配验证,输出源端口是9999
[root@CentOS ~]# tcpdump -i eth0 -tnn? port 9999
tcpdump: verbose output suppressed,use -v or -vv for full protocol decode
listening on eth0,link-type EN10MB (Ethernet),capture size 65535 bytes
IP 172.16.20.245.9999 > 192.168.66.2.5500: UDP,length 1
IP 172.16.20.245.9999 > 192.168.66.2.5500: UDP,length 1
IP 172.16.20.245.9999 > 192.168.66.2.5501: UDP,length 1?
【nat外机器:172.16.20.245】发送给nat机器,发出的数据包源端口是9999,目的端口是5500-5555
sudo nc -v -u -p 9999 172.16.20.183 5500-5555
端口转发双向通信验证:
?
nat里面的机器打开监听:
[root@CentOS ~]# nc -l -u 5555
nat外面的机器向nat 发送数据
nc -u 172.16.20.183 5555
?
互发数据,双方是可以收到的.
?
可以发现:端口映射完全匹配,双通互发数据成功!
2,tcp 端口范围映射
tcp 端口范围映射:
[root@CentOS ~]# iptables -t nat -A PREROUTING -p tcp --dport 2000:2500 -j DNAT --to 192.168.66.2:2000-2500?
?
验证:
接收端:【nat内机器:192.168.66.2】
[root@CentOS ~]# tcpdump -i eth0 -tnn? portrange 2000-2500
tcpdump: verbose output suppressed,capture size 65535 bytes
IP 172.16.20.245.37446 > 192.168.66.2.2000: Flags [S],seq 1083771445,win 29200,options [mss 1460,sackOK,TS val 3864340 ecr 0,nop,wscale 7],length 0
IP 192.168.66.2.2000 > 172.16.20.245.37446: Flags [R.],seq 0,ack 1083771446,win 0,length 0
IP 172.16.20.245.47912 > 192.168.66.2.2001: Flags [S],seq 629593170,TS val 3864344 ecr 0,length 0
IP 192.168.66.2.2001 > 172.16.20.245.47912: Flags [R.],ack 629593171,length 0
IP 172.16.20.245.34816 > 192.168.66.2.2002: Flags [S],seq 680276410,TS val 3864345 ecr 0,length 0
IP 192.168.66.2.2002 > 172.16.20.245.34816: Flags [R.],ack 680276411,length 0
IP 172.16.20.245.37508 > 192.168.66.2.2003: Flags [S],seq 1070666075,length 0
IP 192.168.66.2.2003 > 172.16.20.245.37508: Flags [R.],ack 1070666076,length 0
?
?
发送端:【nat外机器:172.16.20.245】发送给nat机器:
sudo nc -z -w1 -v? 172.16.20.183 2000-2500
nc: connect to 172.16.20.183 port 2000 (tcp) failed: Connection refused
nc: connect to 172.16.20.183 port 2001 (tcp) failed: Connection refused
nc: connect to 172.16.20.183 port 2002 (tcp) failed: Connection refused
nc: connect to 172.16.20.183 port 2003 (tcp) failed: Connection refused
nc: connect to 172.16.20.183 port 2004 (tcp) failed: Connection refused
nc: connect to 172.16.20.183 port 2005 (tcp) failed: Connection refused
nc: connect to 172.16.20.183 port 2006 (tcp) failed: Connection refused
nc: connect to 172.16.20.183 port 2007 (tcp) failed: Connection refused
?
?
可以看见,虽然连接失败,但是发送的seq和ack回应包都有了,就差握手成功了.
3,本机端口转发
[root@CentOS ~]# iptables -t nat -A PREROUTING -p tcp --dport 1234 -j REDIRECT --to-ports 2345
[root@CentOS ~]# nc -l -k 2345? #开启监听
?
1,
局域网其他主机直接来拜访本机2345端口:看看tcpdump输出
linuxidc@Ubuntu~$ nc 172.16.20.183 2345 #远程机拜访本机172.16.20.183 2345
?
本机tcpdump输出
[root@CentOS ~]# tcpdump -i eth0 host 172.16.20.245 -tnn
IP 172.16.20.245.44706 > 172.16.20.183.2345: Flags [S],seq 33366406,TS val 4001328 ecr 0,length 0
IP 172.16.20.183.2345 > 172.16.20.245.44706: Flags [R.],ack 33366407,length 0?
?
2,局域网其他主机直接来拜访本机1234端口:看看tcpdump输出
linuxidc@ubuntu~$ nc 172.16.20.183 1234 #远程机拜访本机172.16.20.183 1234
?
tcpdump在本机看一下:
[root@CentOS ~]# tcpdump -i eth0 host 172.16.20.245 -tnn
IP 172.16.20.245.47332 > 172.16.20.183.1234: Flags [S],seq 3622624416,TS val 4047126 ecr 0,length 0
IP 172.16.20.183.1234 > 172.16.20.245.47332: Flags [S.],seq 123535638,ack 3622624417,win 14480,TS val 12018501 ecr 4047126,wscale 6],length 0
IP 172.16.20.245.47332 > 172.16.20.183.1234: Flags [.],ack 1,win 229,options [nop,TS val 4047126 ecr 12018501],length 0
IP 172.16.20.245.47332 > 172.16.20.183.1234: Flags [P.],seq 1:2,TS val 4047282 ecr 12018501],length 1
IP 172.16.20.183.1234 > 172.16.20.245.47332: Flags [.],ack 2,win 227,TS val 12019122 ecr 4047282],seq 2:3,TS val 4047325 ecr 12019122],ack 3,TS val 12019297 ecr 4047325],seq 3:4,TS val 4047353 ecr 12019297],length 1
?
可以看到三次握手成功!
4,单个端口转发
端口转发 tcp模式:将拜访本机1122端口数据包转发给192.168.66.2:5566
iptables -t nat -A PREROUTING -p tcp? --dport 1122 -j DNAT --to-destination 192.168.66.2:5566
?
端口转发 udp模式:将拜访本机2233端口数据包转发给192.168.66.2:4455
iptables -t nat -A PREROUTING -p udp? --dport 2233 -j DNAT --to-destination 192.168.66.2:4455 更多LINUX教程,尽在编程之家PHP学院专栏。欢迎交流《LINUX教程:Linux iptables 端口转发》! (编辑:李大同)
【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容!
|
