
iptables中的PREROUTING和POSTROUTING

日期:2017/2/28 15:45:46   编辑:Linux教程

工作中用到了 iptables 的 PREROUTING 和 POSTROUTING，寫個簡單例子，為以後作參考。下面的操作記錄依次是：用 iptables-save 的輸出查看現有規則，用 -R 替換指定規則（-R 必須帶上規則編號，可用 --line-number 查到），最後再用 iptables-save 把結果保存下來。注意 -R 是原位替換：nat 表 PREROUTING 的第 1 條原本是 DNAT 到 192.168.50.81 的規則，替換成 ACCEPT 之後，最終保存的規則裡就不再有這條 DNAT 了。

[root@ www.linuxidc.com ~]# cat /tmp/ipt_tmp.sh
# Generated by iptables-save v1.3.5 on Mon Jul 9 08:17:39 2012
*filter
:INPUT ACCEPT [39519334:1858761689]
:FORWARD ACCEPT [63755316:66709123839]
:OUTPUT ACCEPT [62427552:90909713429]
-A INPUT -s 192.168.0.11 -p tcp -m state --state NEW -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j DROP
COMMIT
# Completed on Mon Jul 9 08:17:39 2012
# Generated by iptables-save v1.3.5 on Mon Jul 9 08:17:39 2012
*nat
:PREROUTING ACCEPT [2748118:215319370]
:POSTROUTING ACCEPT [28696:3128078]
:OUTPUT ACCEPT [28696:3128078]
-A PREROUTING -s 192.168.8.0/255.255.255.0 -d 192.168.0.1 -i eth0 -j DNAT --to-destination 192.168.50.81
-A POSTROUTING -s 192.168.50.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jul 9 08:17:39 2012
[root@ www.linuxidc.com ~]# iptables -nvL
Chain INPUT (policy ACCEPT 78 packets, 5512 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.0.11 0.0.0.0/0 state NEW tcp dpt:80
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 53 packets, 5992 bytes)
pkts bytes target prot opt in out source destination
[root@ www.linuxidc.com ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- eth0 * 192.168.8.0/24 192.168.0.1 to:192.168.50.81

Chain POSTROUTING (policy ACCEPT 4 packets, 312 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 192.168.50.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 4 packets, 312 bytes)
pkts bytes target prot opt in out source destination
[root@ www.linuxidc.com ~]# iptables -R INPUT -s 192.168.0.11 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables v1.4.7: -R requires a rule number
Try `iptables -h' or 'iptables --help' for more information.
[root@ www.linuxidc.com ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 219 packets, 15871 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 192.168.0.11 0.0.0.0/0 state NEW tcp dpt:80
2 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 196 packets, 16152 bytes)
num pkts bytes target prot opt in out source destination
[root@ www.linuxidc.com ~]# iptables -R INPUT 1 -s 192.168.0.11 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
[root@ www.linuxidc.com ~]# iptables -nvL
Chain INPUT (policy ACCEPT 10 packets, 660 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.0.11 0.0.0.0/0 state NEW tcp dpt:80
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 6 packets, 1080 bytes)
pkts bytes target prot opt in out source destination
[root@ www.linuxidc.com ~]# iptables -t nat-R INPUT 1 -s 192.168.255.11/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
Bad argument `INPUT'
Try `iptables -h' or 'iptables --help' for more information.
[root@ www.linuxidc.com ~]# iptables -t nat -R PREROUTING 1 -s 192.168.255.11/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
[root@ www.linuxidc.com ~]# iptables -t nat
iptables v1.4.7: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[root@ www.linuxidc.com ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.255.11 0.0.0.0/0 state NEW tcp dpt:80

Chain POSTROUTING (policy ACCEPT 3 packets, 180 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 192.168.50.0/24 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3 packets, 180 bytes)
pkts bytes target prot opt in out source destination
[root@ www.linuxidc.com ~]# iptables-save > /tmp/ipt_tmp.sh
[root@ www.linuxidc.com ~]# cat /tmp/ipt_tmp.sh
# Generated by iptables-save v1.4.7 on Mon Jul 9 08:58:33 2012
*nat
:PREROUTING ACCEPT [1:242]
:POSTROUTING ACCEPT [34:2352]
:OUTPUT ACCEPT [34:2352]
-A PREROUTING -s 192.168.255.11/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jul 9 08:58:33 2012
# Generated by iptables-save v1.4.7 on Mon Jul 9 08:58:33 2012
*filter
:INPUT ACCEPT [796:59726]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [717:61256]
-A INPUT -s 192.168.0.11/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j DROP
COMMIT
# Completed on Mon Jul 9 08:58:33 2012
