LINUX IPTABLES port mapping set


iptables port mapping is set up as follows:

We have a computer with two network cards: eth0 is connected to the external network and eth1 to the intranet. IP packets sent to port 81 of the external address need to be forwarded to port 8180 of an intranet IP address. The rules are set as follows:


1. iptables -t nat -A PREROUTING -d -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.0.2:8180


2. iptables -t nat -A POSTROUTING -s -d -p tcp -m tcp --dport 8180 -j SNAT --to-source


The actual packet flow is as follows:


Suppose a client uses its port 1080 to connect to port 81 on this machine. The resulting IP packet carries the client's address as source address, 1080 as source port, the machine's address as destination address, and 81 as destination port.


Host 1.2.3.4 receives this packet. According to the first rule in the nat table, the packet's destination address is changed to 192.168.0.2 and its destination port to 8180. At the same time an entry is created in the connection tracking table (it can be seen in the /proc/net/ip_conntrack file). The packet is then passed to the routing module, which checks the routing table and determines that the packet should be sent out of the eth1 interface. Before the packet is sent on eth1, the second rule in the nat table is applied: if the packet comes from the same subnet, its source address is changed to 192.168.0.1 and the corresponding entry in the connection tracking table is updated. The packet is then sent out of the eth1 interface.


The connection tracking table now holds one entry:


Incoming direction: src= dst= sport=1080 dport=81


Return direction: src= dst= sport=8180 dport=1080


In use: use=1


The IP packet coming back from 192.168.0.2 has source port 8180, destination address 6.7.8.9 and destination port 1080. When the TCP/IP stack of host 1.2.3.4 receives this packet, the kernel searches the return direction of the connection tracking table for an entry with the same source and destination addresses and ports. Once the entry is found, the packet is rewritten according to what the entry records: the source address is changed from 192.168.0.2 to 1.2.3.4 and the source port from 8180 to 81, while the destination port 1080 stays unchanged. In this way the server's reply packets are correctly returned to the client that initiated the connection, and communication begins.


In addition, the filter table must allow connections arriving on eth0 to port 8180 of the address:


iptables -A INPUT -d -p tcp -m tcp --dport 8180 -i eth0 -j ACCEPT

As the example above shows, iptables port mapping is not difficult!
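
The connection tracking entry described in the walkthrough records the mapping itself, so it can be used to audit which flows a host is actually port-mapping. The script below is an added example, not part of the original article; the function names are hypothetical, and the sample lines are constructed in /proc/net/ip_conntrack format from the walkthrough's addresses.

```shell
#!/bin/sh
# Added example: report flows whose destination was rewritten by DNAT,
# judged from ip_conntrack-style entries.

# Constructed sample lines in /proc/net/ip_conntrack format. Addresses follow
# the walkthrough: client 6.7.8.9, host 1.2.3.4, intranet server 192.168.0.2.
sample_conntrack() {
    cat <<'EOF'
tcp      6 431990 ESTABLISHED src=6.7.8.9 dst=1.2.3.4 sport=1080 dport=81 src=192.168.0.2 dst=6.7.8.9 sport=8180 dport=1080 [ASSURED] use=1
tcp      6 431200 ESTABLISHED src=6.7.8.9 dst=1.2.3.4 sport=1081 dport=22 src=1.2.3.4 dst=6.7.8.9 sport=22 dport=1081 [ASSURED] use=1
udp      17 25 src=192.168.0.5 dst=192.168.0.1 sport=5353 dport=53 [UNREPLIED] src=192.168.0.1 dst=192.168.0.5 sport=53 dport=5353 use=1
EOF
}

# Reads conntrack entries on stdin and prints one line per DNATed flow:
#   proto client:port -> original_dst:port => translated_dst:port
# Each entry holds two tuples: the first is the original direction, the
# second the expected reply. Without DNAT the reply source equals the
# original destination; a difference means the destination was rewritten.
dnat_flows() {
    awk '{
        split("", c)                         # reset per-line key counters
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue            # state flags such as [ASSURED]
            k = substr($i, 1, eq - 1)
            v = substr($i, eq + 1)
            if (k == "src" || k == "dst" || k == "sport" || k == "dport")
                t[k, ++c[k]] = v             # [k,1] original, [k,2] reply
        }
        if (c["dst"] < 2 || c["dport"] < 2) next   # e.g. ICMP: no ports
        if (t["dst", 1] != t["src", 2] || t["dport", 1] != t["sport", 2])
            printf "%s %s:%s -> %s:%s => %s:%s\n", $1,
                t["src", 1], t["sport", 1], t["dst", 1], t["dport", 1],
                t["src", 2], t["sport", 2]
    }'
}

# Run against the constructed sample; on a live host use instead:
#   dnat_flows < /proc/net/ip_conntrack
sample_conntrack | dnat_flows
```

Only the first sample entry is reported, because it is the only one whose reply source (192.168.0.2:8180) differs from the original destination (1.2.3.4:81).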


Posted by Margaret at February 23, 2014 - 8:50 AM