IPTable

Tips

# Reset iptables: open the default policies, then flush every table and delete user-defined chains
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
# Short form of the reset (flush only, policies unchanged)
iptables -F; iptables -t nat -F; iptables -t mangle -F
# -C / --check: test whether a rule exists (exit status 0 if it does)
iptables -C FORWARD -i eth0 -j ACCEPT
# The older way of checking, before -C was available
iptables-save | grep -- "-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT"
# Show the current rules with packet/byte counters
iptables -nvL
# Show the nat table
iptables -t nat -v -L -n --line-number
# Show the PREROUTING chain of the nat table
iptables -t nat -v -L PREROUTING -n --line-number
# Show the POSTROUTING chain of the nat table
iptables -t nat -v -L POSTROUTING -n --line-number
  • Five hook points
    • PREROUTING, INPUT, FORWARD, POSTROUTING, OUTPUT
  • Three built-in tables
    • filter, mangle, nat
  • Built-in targets
    • ACCEPT, DROP, QUEUE, RETURN

NAT table

NIC +----> PREROUTING +-------------------> Local
                      +                       ^
                      |                       |
                      |                       |
                      v                       +
NIC <----+ POSTROUTING <----+ OUTPUT <----+ Local

filter table

mangle table

Notes

FAQ

How to forward a port from one IP to another IP on the same network?

# Enable IPv4 forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
# Flush the filter and nat tables and delete user-defined chains
iptables -F
iptables -t nat -F
iptables -X
# Rewrite the destination of incoming TCP/80 to the target host
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.12.77:80
# Rewrite the source to this host's own address (192.168.12.87) so the target,
# which sits on the same LAN as the client, sends its replies back through this host
iptables -t nat -A POSTROUTING -p tcp -d 192.168.12.77 --dport 80 -j SNAT --to-source 192.168.12.87
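The FAQ commands above append the DNAT and SNAT rules unconditionally, so running them twice leaves duplicate rules. The script below is an added example (not part of the original notes) that combines the FAQ procedure with the `-C` check from the Tips section: each rule is appended only when `iptables -C` reports it absent, which makes the script safe to re-run. The addresses are the ones assumed by the FAQ (this host 192.168.12.87, target 192.168.12.77); the `IPTABLES` variable and the function names are this example's own. Note that forwarded packets also traverse the filter table's FORWARD chain, so that chain's policy (or an explicit rule) must still allow the traffic; the reset in the Tips section sets it to ACCEPT.

```shell
#!/bin/sh
# Added example: idempotent version of the FAQ port-forwarding setup.
# Assumptions (from the FAQ): this host is 192.168.12.87, target is 192.168.12.77.
# IPTABLES can be pointed at a stub command or function for dry runs.
IPTABLES="${IPTABLES:-iptables}"

# Rule spec for nat/PREROUTING: rewrite destination of incoming TCP/$1 to $2:$3.
dnat_spec() {
    printf '%s' "-p tcp --dport $1 -j DNAT --to-destination $2:$3"
}

# Rule spec for nat/POSTROUTING: traffic to $2:$3 leaves with source $1, so the
# target (on the same LAN as the client) replies via this host, not directly.
snat_spec() {
    printf '%s' "-p tcp -d $2 --dport $3 -j SNAT --to-source $1"
}

# ensure_rule TABLE CHAIN RULE-SPEC...: append the rule only if -C says it is absent.
ensure_rule() {
    er_table=$1; er_chain=$2; shift 2
    if $IPTABLES -t "$er_table" -C "$er_chain" "$@" 2>/dev/null; then
        return 0    # already present, nothing to do
    fi
    $IPTABLES -t "$er_table" -A "$er_chain" "$@"
}

# setup_forward LISTEN_PORT TARGET_IP TARGET_PORT HOST_IP
setup_forward() {
    # The spec is left unquoted on purpose: word splitting turns it into arguments.
    ensure_rule nat PREROUTING  $(dnat_spec "$1" "$2" "$3")
    ensure_rule nat POSTROUTING $(snat_spec "$4" "$2" "$3")
}

# Real run (needs root): sh forward.sh apply
if [ "${1:-}" = "apply" ]; then
    sysctl -w net.ipv4.ip_forward=1
    setup_forward 80 192.168.12.77 80 192.168.12.87
    $IPTABLES -t nat -v -L -n --line-numbers
fi
```

Because `ensure_rule` goes through `$IPTABLES`, the same functions can be exercised against a stub that records rules in a variable, which is how the idempotence can be checked without root.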