iptables Port Forwarding
Port forwarding is simple to do with iptables on a Linux box that is probably already being used as the firewall or as part of the gateway. In the Linux kernel, port forwarding is implemented by NAT rules in the netfilter framework, which are configured with iptables.
Port forwarding
Port forwarding, also called "port mapping", commonly refers to a network address translation (NAT) gateway changing the destination address and/or port of a packet so that it reaches a host inside a masqueraded, typically private, network.
Port forwarding can be used to allow remote computers (for example, public machines on the Internet) to connect to a specific computer within a private network such as a local area network (LAN), so that external hosts can communicate with services provided by hosts within the LAN. Examples are running a public HTTP server (port 80) on a host within a private LAN, or permitting secure shell (ssh, port 22) access from the Internet to hosts within the private LAN.
On a Unix/Linux box, port numbers below 1024 can only be listened on by software running as root (or, on Linux, with the CAP_NET_BIND_SERVICE capability), so port forwarding is also used to redirect incoming traffic from a low-numbered port to software listening on a higher port. That software can then run as a normal user, which avoids the risk of running it as root. For a service on the firewall host itself this is done with the REDIRECT target in the nat table rather than with DNAT to another host.
iptables
iptables is a generic table structure for defining rulesets for the netfilter packet-filtering framework in the Linux kernel.
On a Linux box, iptables is implemented as a set of kernel modules. Each rule in an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target). Users can build very powerful firewalls on iptables: packets are handed to the built-in "tables" at fixed points on their way through the kernel, and the rules in each table's chains decide what happens to them.
There are three important tables: mangle, filter and nat. The mangle table alters packet header fields such as the type-of-service bits and the TTL in the IP header, and sets packet marks. The filter table does packet filtering. The nat table performs Network Address Translation (NAT). Each table has built-in chains in which firewall policy rules are placed.
The filter table has three built-in chains:
- FORWARD chain: filters packets routed through the firewall, i.e. destined for networks protected by it.
- INPUT chain: filters packets destined for the firewall itself.
- OUTPUT chain: filters packets originating from the firewall.
The nat table has the following built-in chains:
- PREROUTING chain: NATs packets whose destination address needs to be changed (DNAT); it runs before the routing decision.
- POSTROUTING chain: NATs packets whose source address needs to be changed (SNAT); it runs after the routing decision.
- OUTPUT chain: DNATs packets originating from the firewall itself. (Newer kernels also have a nat INPUT chain for SNAT of locally delivered packets; it is not needed here.)
Below is a brief view of how packets are processed by the chains:
PACKET IN
    |
PREROUTING--[routing]-->--FORWARD-->--POSTROUTING-->--OUT
 - nat (dst)    |         - filter    - nat (src)
                |                          |
                |                          |
              INPUT                     OUTPUT
              - filter                  - nat (dst)
                |                       - filter
                |                          |
                `----->----[app]---->------'
Note: if the packet originates from the firewall itself, it does not go through the PREROUTING chain; it enters at the OUTPUT chain instead.
We only look into the packets that require port forwarding, which is the topic of this post.
A packet entering the firewall is inspected by the rules in the nat table's PREROUTING chain to see whether it requires destination modification (DNAT). After leaving the PREROUTING chain, the packet is routed by the Linux router based on its (possibly rewritten) destination. A packet destined for a "protected" network is filtered by the rules in the FORWARD chain of the filter table. It then passes the POSTROUTING chain of the nat table, where it may undergo SNAT, before being sent towards the "protected" network. When the destination server replies, the reply packet traverses the same chains in the opposite direction. The connection tracking subsystem (conntrack) remembers the translation that was applied to the first packet and reverses it on the reply automatically, so no extra NAT rule is needed for return traffic.
Port forwarding using iptables
This section assumes you have already set up the Linux host as the gateway and configured the POSTROUTING rules for SNAT as shown in Setting Up Gateway Using iptables and route on Linux.
A port-forwarded packet passes the PREROUTING chain of the nat table, the FORWARD chain of the filter table and the POSTROUTING chain of the nat table (plus the mangle chains at the same points). We need to add rules to these chains.
Let's use a scenario to introduce how to configure iptables for port forwarding. Suppose our gateway is connected to both the Internet (0.0.0.0/0) and the LAN (192.168.1.0/24). The gateway's eth0 interface has the public IP 7.8.9.10, while eth1 has the LAN IP 192.168.1.1. Now suppose that we have set up an HTTP server on 192.168.1.2:8080 and we want to provide the service to the Internet through the public IP. We need to configure iptables to forward packets arriving at port 80 of 7.8.9.10 to port 8080 of 192.168.1.2 in the LAN.
Below is the network topology:
Internet---------[router/firewall]-------------LAN
0.0.0.0/0       7.8.9.10     192.168.1.1     192.168.1.0/24
Normally we deny all incoming connections to a gateway machine by default, because opening up all services and ports would be a security risk. We only open the ports for the services that we actually use. In this example, we open port 80 for the HTTP service. Note that the default-deny applies to the FORWARD chain as well as to INPUT: a forwarded packet never traverses INPUT, so it is the FORWARD chain that decides whether forwarded traffic is allowed.
First make sure that IP forwarding is enabled on Linux (net.ipv4.ip_forward must be 1), following the "Enable Linux IP forwarding" section in Setting Up Gateway Using iptables and route on Linux.
These are the rules that forward connections on port 80 of the gateway to the internal machine:
# iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.2:8080
# iptables -A FORWARD -p tcp -d 192.168.1.2 --dport 8080 -j ACCEPT
These two rules are straightforward. The first specifies that incoming TCP connections arriving on eth0 (the interface with the public IP) for port 80 have their destination rewritten to port 8080 of the internal machine 192.168.1.2. This rule alone does not complete the job because, as described above, we deny everything by default. After DNAT, the routing decision sends the packet towards the LAN, so (as shown in the processing path in the "iptables" section) it traverses the FORWARD chain, not INPUT. The second rule, in the FORWARD chain, therefore accepts the packets going to port 8080 of 192.168.1.2. It matches the translated destination, since DNAT in PREROUTING happens before the filter table sees the packet. If your FORWARD chain has a DROP policy, also make sure it accepts the server's replies, for example by accepting packets in the ESTABLISHED and RELATED connection-tracking states, unless an existing rule already allows traffic from the LAN to the Internet; otherwise the forwarded connection never completes.
By now, we have set up the iptables rules for forwarding port 80. For other services the method is the same as for the HTTP service; only the interface, protocol, ports and internal address change.
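As an added example (not code from the original article or from the linked gateway article), here is the whole procedure above expressed as an iptables-restore ruleset generated by a small POSIX shell function: the DNAT rule, the FORWARD rules, the return-traffic rule that a default-DROP FORWARD policy needs, and the hairpin rules that let LAN clients reach the server through the public address, which the two rules above do not cover. The interface names, addresses and ports are the article's example values and are assumptions; the MASQUERADE rule on eth0 stands in for the SNAT rule the article assumes is already configured, and the ssh rule for LAN management access is an assumption as well.

```shell
#!/bin/sh
# Added example, not code from the original article: emit the complete
# iptables-restore ruleset for the port-forwarding scenario described above.
# Interface names, addresses and ports are the article's example values
# (assumptions); adjust them for your gateway.
#
# gen_portfwd_rules WAN_IF LAN_IF PUBLIC_IP PUBLIC_PORT INT_IP INT_PORT [LAN_NET]
gen_portfwd_rules() {
    wan_if=$1; lan_if=$2; pub_ip=$3; pub_port=$4; int_ip=$5; int_port=$6
    lan_net=${7:-192.168.1.0/24}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT in PREROUTING: rewrite the public ip:port before the routing decision,
# so the packet is routed to the LAN and hits FORWARD rather than INPUT.
-A PREROUTING -i $wan_if -p tcp -d $pub_ip --dport $pub_port -j DNAT --to-destination $int_ip:$int_port
# Hairpin NAT: LAN clients that use the public address need the same DNAT ...
-A PREROUTING -i $lan_if -p tcp -d $pub_ip --dport $pub_port -j DNAT --to-destination $int_ip:$int_port
# ... and their source must be rewritten to the gateway, otherwise the server
# answers the client directly from an address the client never talked to.
-A POSTROUTING -o $lan_if -s $lan_net -d $int_ip -p tcp --dport $int_port -j MASQUERADE
# Outbound SNAT for the LAN (the rule the article assumes is already present).
-A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Assumed management access: ssh to the gateway from the LAN only.
-A INPUT -i $lan_if -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Return traffic for every forwarded flow; without this a DROP policy on
# FORWARD silently discards the server's replies.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the forwarded service, only on the translated (internal) port.
-A FORWARD -i $wan_if -o $lan_if -p tcp -d $int_ip --dport $int_port -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $lan_if -o $lan_if -p tcp -d $int_ip --dport $int_port -m conntrack --ctstate NEW -j ACCEPT
# LAN hosts may open connections to the Internet.
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for review, or load it atomically when APPLY=1 (as root).
main() {
    ruleset=$(gen_portfwd_rules "${WAN_IF:-eth0}" "${LAN_IF:-eth1}" \
        "${PUBLIC_IP:-7.8.9.10}" "${PUBLIC_PORT:-80}" \
        "${INT_IP:-192.168.1.2}" "${INT_PORT:-8080}")
    if [ "${APPLY:-0}" = 1 ]; then
        sysctl -w net.ipv4.ip_forward=1 >/dev/null     # routing between eth0 and eth1
        printf '%s\n' "$ruleset" | iptables-restore -t  # parse only, catches typos first
        printf '%s\n' "$ruleset" | iptables-restore
    else
        printf '%s\n' "$ruleset"
    fi
}
main
```

Run it as is to review the generated ruleset; run it with APPLY=1 as root to load it. iptables-restore replaces the nat and filter tables in one step, so on a remote gateway add whatever INPUT rules your own management access needs before loading, or you will lock yourself out. The `-t` run only parses the ruleset without committing it, which is a cheap check before the real load.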
The conntrack entries
The nf_conntrack_* kernel modules let iptables examine the state of connections by caching the related information for each connection. Reading /proc/net/nf_conntrack (in some old Linux kernels the file is /proc/net/ip_conntrack) gives a list of all current entries in the conntrack table; on kernels built without this procfs interface, conntrack -L from conntrack-tools shows the same data.
A conntrack entry looks like this (each entry is a single line in the file; it is wrapped here for readability):
ipv4 2 tcp 6 431581 ESTABLISHED
src=7.8.9.20 dst=7.8.9.10 sport=53867 dport=80 packets=22 bytes=13861
src=192.168.1.2 dst=7.8.9.20 sport=8080 dport=53867 packets=14 bytes=3535
[ASSURED] mark=0 secmark=0 use=2
This entry contains all the information that the conntrack module maintains to know the state of a specific connection. First come the IP protocol version (ipv4) and its decimal code (2), then the transport protocol (tcp) and its decimal code (6). After this comes how long, in seconds, this conntrack entry should still live if no further packets are seen. Next is the actual state that this entry is in at the present point in time. Then we get the source IP address, destination IP address, source port and destination port of the original direction. After that we get the IPs and ports we expect to see on the return packets, i.e. the reply direction after NAT has been applied.
In this entry we can see that the arriving connection is:
7.8.9.20:53867 --> 7.8.9.10:80
while the returning connection is:
192.168.1.2:8080 --> 7.8.9.20:53867
which reflects the port forwarding we have set up: the client addressed 7.8.9.10:80, but the host that answers is 192.168.1.2:8080, and the reply is still addressed to the client's real address because no SNAT was applied to the forwarded packet on its way into the LAN.
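As an added example (not code from the original article), the following POSIX shell/awk function reads lines in the /proc/net/nf_conntrack format and reports, for each entry, whether the reply tuple shows DNAT (the answering host differs from the one the client addressed) or SNAT (the reply is addressed to something other than the original source), which is exactly the comparison made by hand above. The embedded sample is constructed: the first line is the article's forwarded HTTP connection, the second is an outbound masqueraded connection from the LAN to an assumed external address 203.0.113.5, added to show the contrast between the two kinds of translation.

```shell
#!/bin/sh
# Added example, not code from the original article: classify conntrack
# entries by the NAT they show, using the original/reply tuple layout
# described above. Works on /proc/net/nf_conntrack lines and on
# "conntrack -L" output (both carry the same src=/dst=/sport=/dport= tokens).
conntrack_nat_summary() {
    awk '
    {
        proto = "?"; state = "-"; n = 0
        for (i = 1; i <= NF; i++) {
            # The first src=/dst=/sport=/dport= group is the original direction,
            # the second is the reply direction as conntrack expects it after NAT.
            if ($i ~ /^src=/)        { n++; src[n] = substr($i, 5) }
            else if ($i ~ /^dst=/)   dst[n] = substr($i, 5)
            else if ($i ~ /^sport=/) sport[n] = substr($i, 7)
            else if ($i ~ /^dport=/) dport[n] = substr($i, 7)
            else if (n == 0 && $i ~ /^(tcp|udp|udplite|sctp|dccp|icmp|gre)$/) proto = $i
            else if (n == 0 && $i ~ /^[A-Z_]+$/) state = $i   # TCP state; absent for UDP
        }
        if (n < 2) next
        # DNAT: the host that answers is not the one the client addressed.
        dnat = ((src[2] ":" sport[2]) != (dst[1] ":" dport[1])) ? "DNAT" : "-"
        # SNAT: the reply is addressed to something other than the original source.
        snat = ((dst[2] ":" dport[2]) != (src[1] ":" sport[1])) ? "SNAT" : "-"
        printf "%s %s %s:%s -> %s:%s (answered by %s:%s) %s %s\n",
            proto, state, src[1], sport[1], dst[1], dport[1], src[2], sport[2], dnat, snat
    }'
}

# Constructed sample in /proc/net/nf_conntrack format, one entry per line:
# the article's forwarded HTTP connection, then an outbound masqueraded
# connection from the LAN to an assumed external host 203.0.113.5.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431581 ESTABLISHED src=7.8.9.20 dst=7.8.9.10 sport=53867 dport=80 packets=22 bytes=13861 src=192.168.1.2 dst=7.8.9.20 sport=8080 dport=53867 packets=14 bytes=3535 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=192.168.1.2 dst=203.0.113.5 sport=40000 dport=443 packets=5 bytes=512 src=203.0.113.5 dst=7.8.9.10 sport=443 dport=40000 packets=4 bytes=420 [ASSURED] mark=0 secmark=0 use=1'

# Summary of the constructed sample; returns one line per entry.
summarize_sample() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_nat_summary
}

# With a file argument (e.g. /proc/net/nf_conntrack, needs root) process it;
# otherwise show the sample.
if [ $# -gt 0 ]; then
    conntrack_nat_summary < "$1"
else
    summarize_sample
fi
```

For the sample, the first line is reported as DNAT only (the reply comes from 192.168.1.2:8080 but still goes to the client's own address), the second as SNAT only (the external host answers the gateway's public address, which conntrack maps back to 192.168.1.2). Entries that show neither are plain routed or local connections; an entry showing both is a connection that was hairpinned through the gateway as described in the port-forwarding section.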
Translated from: https://www.systutorials.com/port-forwarding-using-iptables/