Example of setting iptables--nat Table rules of Software Firewall under linux

2025-03-31 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article walks through examples of setting rules in the nat table of iptables, the software firewall on Linux. The examples are short, but they cover the two cases that come up in practice and are worth keeping as a reference.

Besides the filter table, which is the one used most often, iptables also has a nat table. NAT (network address translation) rewrites the source IP address or the destination IP address of a packet. Before looking at the rules, here is the path a packet takes through the tables and chains when it is forwarded through the firewall to a back-end host:

1. The packet passes through the PREROUTING chain of the nat table.

2. The routing decision: the kernel checks whether the packet is addressed to this host. If it is, it goes to the INPUT chain; if not, it continues to the next step.

3. The packet passes through the FORWARD chain of the filter table.

4. The packet passes through the POSTROUTING chain of the nat table and is then sent out.

The two steps that concern NAT are the first and the last: the PREROUTING chain and the POSTROUTING chain.

The PREROUTING chain rewrites the destination IP; this is called DNAT (destination NAT).

The POSTROUTING chain rewrites the source IP; this is called SNAT (source NAT).

DNAT

So which scenarios call for DNAT, and which are the common uses of SNAT? The most common use of DNAT is to map a port of a host on the internal network onto the external network so that outside users can reach it. The internal addressing stays hidden and nothing on the internal network is reachable unless a rule publishes it. Keep in mind, though, that the port you do publish is exposed to the Internet exactly as if the service were public, so the filter table still has to limit what is forwarded.

Scenario: host A (192.168.1.111) is on the intranet and runs a website. Host B (192.168.1.2) is on the same intranet and also has a public IP (39.100.92.12). How do users on the Internet reach the website on A?

Host B must perform DNAT: rewrite the destination address from the public IP 39.100.92.12 to the private address 192.168.1.111. The rule is:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
> -j DNAT --to-destination 192.168.1.111:80

The PREROUTING chain can change the port as well as the address. DNAT does both when its target is written as host:port, as in the rule above. REDIRECT is a special case with a different job: it delivers the packet to the firewall host itself (the address of the interface it arrived on) and changes only the port. For example, to pass traffic arriving on port 80 to a service listening on port 8080 on host B:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
> -j REDIRECT --to-ports 8080

SNAT

The most common use of SNAT is letting machines on a private network reach the Internet through a gateway (the article calls it a proxy server). The hosts on the private network have no public IP, so when their packets pass through the gateway, the gateway must rewrite the source address of each packet to its own public IP. Connection tracking remembers the translation and rewrites the destination of the replies back to the private address.

Scenario: CVM A (192.168.1.111) is on the private network and has no public IP. CVM B (192.168.1.2) is on the same private network and also has a public IP (39.100.92.12). How should B be configured so that A can reach the public network?

# iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 \
> -j SNAT --to-source 39.100.92.12

For this to work, A's default gateway must be B, and IP forwarding must be enabled on B (net.ipv4.ip_forward=1); otherwise A's packets are never forwarded and never reach the POSTROUTING chain.
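The two rules above are each only one piece of a working gateway. As an added example, not code from the original article, here is the complete configuration host B needs for both scenarios: the DNAT rule that publishes A's web server, the SNAT rule for outbound LAN traffic, the filter rules that decide what may be forwarded, and the forwarding sysctl. The addresses follow the article's scenario; the LAN interface name eth1 and the use of the iptables-restore format (instead of one iptables call per rule) are assumptions.

```sh
#!/bin/sh
# Added example, not from the original article: the complete ruleset host B
# needs for both scenarios above (publish A's web server with DNAT, let the
# LAN reach the Internet with SNAT). Values follow the article's scenario;
# the LAN interface name eth1 is an assumption, as is the iptables-restore
# format used here instead of one iptables call per rule.
set -eu

WAN_IF="${WAN_IF:-eth0}"               # interface holding the public address
LAN_IF="${LAN_IF:-eth1}"               # interface facing 192.168.1.0/24 (assumed name)
PUBLIC_IP="${PUBLIC_IP:-39.100.92.12}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_HOST="${WEB_HOST:-192.168.1.111}"  # host A
WEB_PORT="${WEB_PORT:-80}"

# Emit the ruleset in iptables-restore(8) format. Generating it as text first
# means it can be reviewed or diffed against a known-good copy before it is
# loaded atomically.
nat_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT (step 1 of the packet flow): traffic for the public address, port 80,
# gets its destination IP and port rewritten to host A
-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:$WEB_PORT
# SNAT (step 4): LAN traffic leaving on the WAN interface gets the public source address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $PUBLIC_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies are matched by connection tracking, so only new flows need rules below
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New flows from the LAN out to the Internet (the SNAT case)
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# New flows from the Internet are allowed only to the published service. FORWARD
# runs after PREROUTING (step 3), so it matches the already-translated destination.
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_HOST -p tcp --dport $WEB_PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check before applying: exactly one DNAT and one SNAT rule are expected
count_nat_rules() {
    nat_ruleset | grep -c -- '-j [DS]NAT'
}

# Which inbound destinations the filter table will actually forward; anything
# else arriving from the WAN is dropped by the FORWARD policy even if a DNAT
# rule exists for it
published_services() {
    nat_ruleset | sed -n 's/^-A FORWARD -i [^ ]* -o [^ ]* -d \([^ ]*\) -p tcp --dport \([0-9]*\).*/\1:\2/p'
}

apply_ruleset() {
    # Without forwarding the kernel never reaches step 3, so neither NAT rule matters
    sysctl -w net.ipv4.ip_forward=1
    nat_ruleset | iptables-restore
}

if [ "${1:-show}" = apply ]; then
    apply_ruleset
else
    nat_ruleset
fi
```

Run it without arguments to print and review the ruleset, and with `apply` as root to load it. The DNAT rule carries `-d 39.100.92.12` so that it only matches traffic for the public address, and the FORWARD chain uses the post-DNAT destination 192.168.1.111:80, because the filter table is consulted after PREROUTING. If the public address of B is assigned dynamically, use `-j MASQUERADE` in place of `-j SNAT --to-source`; it picks the interface's current address at the time the packet leaves.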

Writing DNAT and SNAT rules is not complicated; the main thing is to understand when each applies. The two are easy to confuse when you first learn them, so keep the distinction in mind: DNAT in PREROUTING rewrites where a packet is going, SNAT in POSTROUTING rewrites where it appears to come from.

That covers the examples of setting nat table rules in the iptables software firewall under Linux. Thank you for reading.
