This article covers the match conditions and the targets (the -j actions) of iptables.
1 Experimental Environment
The experimental environment is as follows.

192.168.0.0/24

Access machine (CentOS)  ------------------  iptables machine (node2)
192.168.0.211                                192.168.0.203
2 Matching conditions
This section tests the matching conditions, so LOG is used as the target of every rule. LOG is a non-terminating target: it writes the packet headers to the kernel log and the packet then continues down the chain, which makes it a safe way to check that a match expression does what you intend. Once the match is confirmed, replace the rule in place with -R and the target you actually want (ACCEPT, DROP, REJECT, ...).
2.1 Match by protocol
-p|--protocol [all|tcp|udp|icmp|...]
-p is the short form of --protocol. Protocol names are case-insensitive; a numeric protocol number or any name from /etc/protocols is also accepted, and a leading ! negates the match.
all: matches every protocol (this is the default when -p is omitted).
# Append a rule that logs every ICMP packet
root@node2:~# iptables -A INPUT -p icmp -j LOG
# View the rules
root@node2:~# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 15 packets, 2158 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
# Ping node2 from CentOS
[root@centos ~]# ping 192.168.0.203
PING 192.168.0.203 (192.168.0.203) 56(84) bytes of data.
64 bytes from 192.168.0.203: icmp_seq=1 ttl=64 time=1.47 ms
64 bytes from 192.168.0.203: icmp_seq=2 ttl=64 time=1.10 ms
# In the log you can see the echo requests coming from 192.168.0.211
root@node2:~# journalctl -f
-- Logs begin at Wed 2021-12-08 09:47:03 UTC. --
Feb 01 11:42:51 node2 kernel: IN=ens33 OUT= MAC=00:0c:29:42:c3:52:00:0c:29:07:cf:68:08:00 SRC=192.168.0.211 DST=192.168.0.203 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=55662 DF PROTO=ICMP TYPE=8 CODE=0 ID=1337 SEQ=2
Feb 01 11:42:52 node2 kernel: IN=ens33 OUT= MAC=00:0c:29:42:c3:52:00:0c:29:07:cf:68:08:00 SRC=192.168.0.211 DST=192.168.0.203 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=56575 DF PROTO=ICMP TYPE=8 CODE=0 ID=1337 SEQ=3
Pinging node2 by its own hostname produces no log entry. This is not a loopback exception: the hostname resolves to node2's IPv6 address (note the 240f:... address below), and IPv6 traffic is handled by ip6tables, which the IPv4 rule just added never sees. Pinging 127.0.0.1 does pass through the iptables INPUT chain on the lo interface, as section 2.4 shows.
root@node2:~# ping node2
PING node2(node2 (240f:73:1e6d:1:20c:29ff:fe42:c352)) 56 data bytes
64 bytes from node2 (240f:73:1e6d:1:20c:29ff:fe42:c352): icmp_seq=1 ttl=64 time=0.060 ms
64 bytes from node2 (240f:73:1e6d:1:20c:29ff:fe42:c352): icmp_seq=2 ttl=64 time=0.046 ms
^C
--- node2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 0.046/0.053/0.060/0.007 ms
root@node2:~# journalctl -f
2.2 Match by source IP
-s|--src|--source [ipaddress]
ipaddress: a single IP address or a network in CIDR (or address/netmask) notation. A hostname is accepted as well, but it is resolved only once, when the rule is inserted, so prefer addresses in rules.
# Only traffic from 192.168.0.211 is logged, regardless of protocol
root@node2:~# iptables -A INPUT -s 192.168.0.211 -j LOG
root@node2:~# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 9 packets, 1794 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       192.168.0.211        0.0.0.0/0            LOG flags 0 level 4
# ICMP
[root@centos ~]# ping 192.168.0.203
PING 192.168.0.203 (192.168.0.203) 56(84) bytes of data.
64 bytes from 192.168.0.203: icmp_seq=1 ttl=64 time=0.587 ms
root@node2:~# journalctl -f
-- Logs begin at Wed 2021-12-08 09:47:03 UTC. --
Feb 01 11:56:39 node2 kernel: IN=ens33 OUT= MAC=00:0c:29:42:c3:52:00:0c:29:07:cf:68:08:00 SRC=192.168.0.211 DST=192.168.0.203 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=12713 DF PROTO=ICMP TYPE=8 CODE=0 ID=1340 SEQ=1
# TCP
[root@centos ~]# nc -v -w 2 192.168.0.203 -z 22
Connection to 192.168.0.203 22 port [tcp/ssh] succeeded!
root@node2:~# journalctl -f
-- Logs begin at Wed 2021-12-08 09:47:03 UTC. --
Feb 01 11:59:45 node2 multipathd[753]: sda: failed to get sgio uid: No such file or directory
Feb 01 11:59:45 node2 kernel: IN=ens33 OUT= MAC=00:0c:29:42:c3:52:00:0c:29:07:cf:68:08:00 SRC=192.168.0.211 DST=192.168.0.203 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20099 DF PROTO=TCP SPT=57334 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
2.3 Match by destination IP
-d|--dst|--destination [ipaddress]
ipaddress: the same formats as for -s (a single address or a CIDR network).
# Append a rule to the OUTPUT chain of the filter table:
# log packets whose destination is 192.168.0.211
root@node2:~# iptables -A OUTPUT -d 192.168.0.211 -j LOG
root@node2:~# iptables -nvL
Chain INPUT (policy ACCEPT 11 packets, 1910 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   348 LOG        all  --  *      *       192.168.0.211        0.0.0.0/0            LOG flags 0 level 4

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7 packets, 748 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            192.168.0.211        LOG flags 0 level 4
[root@centos ~]# ping 192.168.0.203
PING 192.168.0.203 (192.168.0.203) 56(84) bytes of data.
64 bytes from 192.168.0.203: icmp_seq=1 ttl=64 time=0.262 ms
# Two records appear: the echo request logged by the INPUT rule (IN=ens33)
# and the echo reply logged by the OUTPUT rule (OUT=ens33)
root@node2:~# journalctl -f
-- Logs begin at Wed 2021-12-08 09:47:03 UTC. --
Feb 01 12:03:55 node2 kernel: IN=ens33 OUT= MAC=00:0c:29:42:c3:52:00:0c:29:07:cf:68:08:00 SRC=192.168.0.211 DST=192.168.0.203 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=62477 DF PROTO=ICMP TYPE=8 CODE=0 ID=1363 SEQ=1
Feb 01 12:03:55 node2 kernel: IN= OUT=ens33 SRC=192.168.0.203 DST=192.168.0.211 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=50252 PROTO=ICMP TYPE=0 CODE=0 ID=1363 SEQ=1
Which chain a match is placed in matters as much as the match itself: the -s rule above sits in INPUT, so it sees traffic arriving at node2, while the -d rule sits in OUTPUT, so it sees traffic node2 sends. Both matches are accepted in any chain, however; the same holds for the interface matches below, with the restriction noted there.
2.4 Match by input interface
-i|--in-interface [devicename]
Interface names can be listed with ip link (or ifconfig). -i is only valid in the INPUT, FORWARD and PREROUTING chains (and user-defined chains called from them). A trailing + matches any interface with that prefix, e.g. -i eth+.
# Log packets that enter through the loopback interface
root@node2:~# iptables -A INPUT -i lo -j LOG
root@node2:~# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 13 packets, 812 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  lo     *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
# ping the loopback address
root@node2:~# ping localhost -c 1
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.112 ms
# Both the echo request (TYPE=8) and the echo reply (TYPE=0) arrive through lo, so both are logged
root@node2:~# journalctl -f
-- Logs begin at Wed 2021-12-08 09:47:03 UTC. --
Feb 01 12:45:05 node2 kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=13506 DF PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
Feb 01 12:45:05 node2 kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=13507 PROTO=ICMP TYPE=0 CODE=0 ID=3 SEQ=1
2.5 Match by output interface
-o|--out-interface [devicename]
Interface names can be listed with ip link (or ifconfig). -o is only valid in the OUTPUT, FORWARD and POSTROUTING chains (and user-defined chains called from them).
# Log packets that leave through the loopback interface
root@node2:~# iptables -A OUTPUT -o lo -j LOG
root@node2:~# iptables -nvL OUTPUT
Chain OUTPUT (policy ACCEPT 20 packets, 1592 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      lo      0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
# ping the loopback address
root@node2:~# ping localhost -c 1
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.142 ms
root@node2:~# journalctl -f
Feb 02 11:13:33 node2 kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47683 DF PROTO=ICMP TYPE=8 CODE=0 ID=4 SEQ=1
Feb 02 11:13:33 node2 kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=47684 PROTO=ICMP TYPE=0 CODE=0 ID=4 SEQ=1
2.6 Match by source port
Ports only exist in transport-layer protocols, so a port match must be combined with -p tcp or -p udp (sctp and udplite also carry ports). Without -p the --sport and --dport options are not available, because they belong to the protocol's match module.
-p|--protocol [tcp|udp] --sport [port[:port]]
# Log TCP packets whose source port is 80.
# nginx listens on port 80 on node2, so its replies are what we want to see; the rule goes in the OUTPUT chain.
root@node2:~# iptables -A OUTPUT -p tcp --sport 80 -j LOG
root@node2:~# iptables -nvL OUTPUT
Chain OUTPUT (policy ACCEPT 42 packets, 5475 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0  1075 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80 LOG flags 0 level 4
[root@centos ~]# curl 192.168.0.203
# Four records: SYN/ACK, ACK, the response (PSH), and FIN
root@node2:~# journalctl -f
Feb 02 11:28:06 node2 kernel: IN= OUT=ens33 SRC=192.168.0.203 DST=192.168.0.211 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=60720 WINDOW=65160 RES=0x00 ACK SYN URGP=0
Feb 02 11:28:06 node2 kernel: IN= OUT=ens33 SRC=192.168.0.203 DST=192.168.0.211 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=25659 DF PROTO=TCP SPT=80 DPT=60720 WINDOW=509 RES=0x00 ACK URGP=0
Feb 02 11:28:06 node2 kernel: IN= OUT=ens33 SRC=192.168.0.203 DST=192.168.0.211 LEN=911 TOS=0x00 PREC=0x00 TTL=64 ID=25660 DF PROTO=TCP SPT=80 DPT=60720 WINDOW=509 RES=0x00 ACK PSH URGP=0
Feb 02 11:28:06 node2 kernel: IN= OUT=ens33 SRC=192.168.0.203 DST=192.168.0.211 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=25661 DF PROTO=TCP SPT=80 DPT=60720 WINDOW=509 RES=0x00 ACK FIN URGP=0
2.7 Match by destination port
-p|--protocol [tcp|udp] --dport [port[:port]]
# Log TCP packets whose destination port is 80
root@node2:~# iptables -A INPUT -p tcp --dport 80 -j LOG
root@node2:~# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 34 packets, 8905 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 LOG flags 0 level 4
[root@centos ~]# curl 192.168.0.203
root@node2:~# journalctl -f
-- Logs begin at Wed 2021-12-08 09:47:03 UTC. --
Feb 02 11:40:25 node2 kernel: IN=ens33 OUT= MAC=00:0c:29:42:c3:52:00:0c:29:07:cf:68:08:00 SRC=192.168.0.211 DST=192.168.0.203 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48899 DF PROTO=TCP SPT=60722 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 02 11:40:25 node2 kernel: IN=ens33 OUT= MAC=00:0c:29:42:c3:52:00:0c:29:07:cf:68:08:00 SRC=192.168.0.211 DST=192.168.0.203 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=48900 DF PROTO=TCP SPT=60722 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
Feb 02 11:40:25 node2 kernel: IN=ens33 OUT= MAC=00:0c:29:42:c3:52:00:0c:29:07:cf:68:08:00 SRC=192.168.0.211 DST=192.168.0.203 LEN=129 TOS=0x00 PREC=0x00 TTL=64 ID=48901 DF PROTO=TCP SPT=60722 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
Feb 02 11:40:25 node2 kernel: IN=ens33 OUT= MAC=00:0c:29:42:c3:52:00:0c:29:07:cf:68:08:00 SRC=192.168.0.211 DST=192.168.0.203 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=48902 DF PROTO=TCP SPT=60722 DPT=80 WINDOW=242 RES=0x00 ACK URGP=0
Feb 02 11:40:25 node2 kernel: IN=ens33 OUT= MAC=00:0c:29:42:c3:52:00:0c:29:07:cf:68:08:00 SRC=192.168.0.211 DST=192.168.0.203 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=48903 DF PROTO=TCP SPT=60722 DPT=80 WINDOW=242 RES=0x00 ACK FIN URGP=0
Feb 02 11:40:25 node2 kernel: IN=ens33 OUT= MAC=00:0c:29:42:c3:52:00:0c:29:07:cf:68:08:00 SRC=192.168.0.211 DST=192.168.0.203 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=48904 DF PROTO=TCP SPT=60722 DPT=80 WINDOW=242 RES=0x00 ACK URGP=0
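As an added example (not part of the original article), here is a Python parser for the LOG lines shown in sections 2.1 to 2.7. It turns each journal line into a dict of header fields, keeps the bare TCP/IP flags and any --log-prefix text, and counts new TCP connection attempts (SYN without ACK) per source address and destination port, which is the first summary you want when a LOG rule is used to spot scanning. The sample journal text is constructed: most lines mirror the listings above, while the 192.168.0.250 line with the ssh-probe: prefix and the multipathd line are made up to exercise the parser.

```python
"""Parse kernel LOG-target lines (as seen in journalctl) and count new TCP
connection attempts per source address and destination port."""
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample journal output in the LOG target's format. The field layout
# matches the listings above; the 192.168.0.250 line (with a --log-prefix of
# "ssh-probe:") and the multipathd line are made up to exercise the parser.
SAMPLE_JOURNAL = """\
Feb 01 11:42:51 node2 kernel: IN=ens33 OUT= MAC=00:0c:29:42:c3:52:00:0c:29:07:cf:68:08:00 SRC=192.168.0.211 DST=192.168.0.203 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=55662 DF PROTO=ICMP TYPE=8 CODE=0 ID=1337 SEQ=2
Feb 01 11:59:45 node2 multipathd[753]: sda: failed to get sgio uid: No such file or directory
Feb 01 11:59:45 node2 kernel: IN=ens33 OUT= MAC=00:0c:29:42:c3:52:00:0c:29:07:cf:68:08:00 SRC=192.168.0.211 DST=192.168.0.203 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20099 DF PROTO=TCP SPT=57334 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 02 11:40:25 node2 kernel: IN=ens33 OUT= MAC=00:0c:29:42:c3:52:00:0c:29:07:cf:68:08:00 SRC=192.168.0.211 DST=192.168.0.203 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48899 DF PROTO=TCP SPT=60722 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 02 11:40:25 node2 kernel: IN=ens33 OUT= MAC=00:0c:29:42:c3:52:00:0c:29:07:cf:68:08:00 SRC=192.168.0.211 DST=192.168.0.203 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=48900 DF PROTO=TCP SPT=60722 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
Feb 02 11:41:07 node2 kernel: ssh-probe: IN=ens33 OUT= MAC=00:0c:29:42:c3:52:00:0c:29:07:cf:68:08:00 SRC=192.168.0.250 DST=192.168.0.203 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Header fields that are numeric; everything else (MAC, TOS=0x00, ...) stays a string.
_INT_FIELDS = {"LEN", "TTL", "ID", "ECHO_ID", "SPT", "DPT", "TYPE", "CODE", "SEQ", "WINDOW", "URGP"}


def parse_log_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one LOG line as a dict, or None if the line is not one.

    Bare tokens (DF, SYN, ACK, FIN, ...) are collected in rec["flags"]; any text
    between "kernel:" and the first IN= token is the rule's --log-prefix.
    """
    _, sep, body = line.partition("kernel: ")
    if not sep:
        return None
    tokens = body.split()
    start = next((i for i, t in enumerate(tokens) if t.startswith("IN=")), None)
    if start is None:
        return None                          # a kernel message, but not from LOG
    flags: Set[str] = set()
    rec: Dict[str, object] = {"prefix": " ".join(tokens[:start]), "flags": flags}
    for tok in tokens[start:]:
        key, eq, val = tok.partition("=")
        if not eq:
            flags.add(tok)
            continue
        if key == "ID" and "ID" in rec:
            key = "ECHO_ID"                  # second ID= on ICMP echo lines is the echo identifier
        rec[key] = int(val) if key in _INT_FIELDS else val
    return rec


def parse_journal(text: str) -> List[Dict[str, object]]:
    """Parse every LOG line in a journalctl dump, skipping unrelated messages."""
    records = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is not None:
            records.append(rec)
    return records


def syn_counts(records: List[Dict[str, object]]) -> Dict[Tuple[str, int], int]:
    """Count new TCP connection attempts (SYN set, ACK clear) per (SRC, DPT)."""
    counts: Counter = Counter()
    for r in records:
        flags = r["flags"]
        if r.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags:
            counts[(r["SRC"], r["DPT"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (src, dport), n in sorted(syn_counts(parse_journal(SAMPLE_JOURNAL)).items()):
        print(f"{src:15} -> port {dport:<5} {n} SYN")
```

On a live system feed it `journalctl -k -o short` output; a rule such as `iptables -A INPUT -p tcp --syn -j LOG --log-prefix "ssh-probe: "` gives every line a prefix the parser keeps, so one script can separate several LOG rules.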
2.8 Other matches
There are many other match extensions, for example multiport, conntrack (state), limit, mac and owner. See man iptables-extensions for the full list.
3 Targets (the -j action)
The target is the action taken once a rule's match conditions are satisfied.
3.1 LOG
All of the matching examples above used LOG, so it is not repeated here.
3.2 ACCEPT
If the target is ACCEPT, the packet is allowed and processing of the current chain ends: the remaining rules in that chain (and in the chain that called it, if this is a user-defined chain) are skipped. ACCEPT does not skip other tables, so a packet accepted in the filter INPUT chain is still subject to the nat and mangle tables at their own hooks.
The wording is a little abstract; see the following example.
# Rule 1 accepts and rule 2 logs (both match traffic from 192.168.0.211)
root@node2:~# iptables -nvL INPUT --line-numbers
Chain INPUT (policy ACCEPT 57 packets, 4586 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       192.168.0.211        0.0.0.0/0
2        0     0 LOG        all  --  *      *       192.168.0.211        0.0.0.0/0            LOG flags 0 level 4
[root@centos ~]# ping 192.168.0.203 -c 1
PING 192.168.0.203 (192.168.0.203) 56(84) bytes of data.
64 bytes from 192.168.0.203: icmp_seq=1 ttl=64 time=1.28 ms
# Check the log: nothing appears, because rule 1 accepted the packet and rule 2 was never evaluated
root@node2:~# journalctl -f
# To make this unmistakable, change rule 2 to DROP
root@node2:~# iptables -nvL INPUT --line-numbers
Chain INPUT (policy ACCEPT 16 packets, 968 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        7   481 ACCEPT     all  --  *      *       192.168.0.211        0.0.0.0/0
2        0     0 DROP       all  --  *      *       192.168.0.211        0.0.0.0/0
# node2 is still reachable: the ACCEPT in rule 1 wins and the DROP counter stays at 0
[root@centos ~]# ping 192.168.0.203 -c 1
PING 192.168.0.203 (192.168.0.203) 56(84) bytes of data.
64 bytes from 192.168.0.203: icmp_seq=1 ttl=64 time=0.769 ms
3.3 DROP
If the target is DROP, the packet is silently discarded. Nothing is sent back, so the sender keeps retrying until its own timeout expires. For internal clients REJECT (below) is friendlier because the error is immediate; on Internet-facing hosts DROP is still often preferred because it gives a scanner no feedback about the host. Pick deliberately rather than by habit.
# Everything from 192.168.0.211 is dropped
root@node2:~# iptables -nvL INPUT --line-numbers
Chain INPUT (policy ACCEPT 6 packets, 364 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  *      *       192.168.0.211        0.0.0.0/0
# The client only sees a timeout. With a long connect timeout the client socket sits in
# SYN_SENT until it expires, tying up the socket and its local port in the meantime.
[root@centos ~]# nc -v -w 2 192.168.0.203 -z 80
nc: connect to 192.168.0.203 port 80 (tcp) failed: Connection timed out
3.4 REJECT
REJECT behaves like DROP in that the packet is discarded after the match, but an error is returned to the sender.
REJECT is only valid in the INPUT, FORWARD and OUTPUT chains (and user-defined chains called from them). The default error is ICMP port unreachable (--reject-with icmp-port-unreachable); for TCP, --reject-with tcp-reset answers with a RST, which is what a closed port would normally send and is less conspicuous than an ICMP error.
root@node2:~# iptables -nvL INPUT --line-numbers
Chain INPUT (policy ACCEPT 8 packets, 1710 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       192.168.0.211        0.0.0.0/0            reject-with icmp-port-unreachable
# The error is returned immediately
[root@centos ~]# nc -v -w 2 192.168.0.203 -z 80
nc: connect to 192.168.0.203 port 80 (tcp) failed: Connection refused
The targets above are the everyday functions of an ordinary firewall: refuse access from an IP, accept access only from an IP, or any combination of protocol, IP and port.
3.5 REDIRECT
If the target is REDIRECT, the destination address of the packet is rewritten to an address of the machine itself: the primary address of the incoming interface in PREROUTING, or 127.0.0.1 for locally generated packets in OUTPUT. With --to-ports the destination port is rewritten as well.
It is valid only in the PREROUTING and OUTPUT chains of the nat table.
Single port
-j REDIRECT --to-ports 8080
Port range
-j REDIRECT --to-ports 8080-8090
In practice this target is used to set up a local transparent proxy, or to expose a service on a privileged port while the daemon listens on an unprivileged one.
root@node2:~# iptables -t nat -A PREROUTING -p tcp --dport 8090 -j REDIRECT --to-ports 80
root@node2:~# iptables -t nat -nvL PREROUTING --line-numbers
Chain PREROUTING (policy ACCEPT 1 packets, 1314 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8090 redir ports 80
# No process is listening on port 8090
root@node2:~# ss -ntl
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128         127.0.0.1:6010        0.0.0.0:*
LISTEN  0       511           0.0.0.0:80          0.0.0.0:*
LISTEN  0       4096    127.0.0.53%lo:53          0.0.0.0:*
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*
LISTEN  0       128             [::1]:6010           [::]:*
LISTEN  0       511              [::]:80             [::]:*
LISTEN  0       128              [::]:22             [::]:*
# Access from CentOS still succeeds: packets to 8090 are redirected to nginx on 80.
# (A curl from node2 itself would not hit PREROUTING; it would need the same rule in the nat OUTPUT chain.)
[root@centos ~]# curl 192.168.0.203:8090
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
    width: 35em;
    margin: 0 auto;
    font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@centos ~]#
# Use the connection-tracking tool to watch the port translation happen
root@node2:~# conntrack -E
    [NEW] tcp      6 120 SYN_SENT src=192.168.0.211 dst=192.168.0.203 sport=34372 dport=8090 [UNREPLIED] src=192.168.0.203 dst=192.168.0.211 sport=80 dport=34372
 [UPDATE] tcp      6 60 SYN_RECV src=192.168.0.211 dst=192.168.0.203 sport=34372 dport=8090 src=192.168.0.203 dst=192.168.0.211 sport=80 dport=34372
 [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.0.211 dst=192.168.0.203 sport=34372 dport=8090 src=192.168.0.203 dst=192.168.0.211 sport=80 dport=34372 [ASSURED]
 [UPDATE] tcp      6 120 FIN_WAIT src=192.168.0.211 dst=192.168.0.203 sport=34372 dport=8090 src=192.168.0.203 dst=192.168.0.211 sport=80 dport=34372 [ASSURED]
 [UPDATE] tcp      6 30 LAST_ACK src=192.168.0.211 dst=192.168.0.203 sport=34372 dport=8090 src=192.168.0.203 dst=192.168.0.211 sport=80 dport=34372 [ASSURED]
 [UPDATE] tcp      6 120 TIME_WAIT src=192.168.0.211 dst=192.168.0.203 sport=34372 dport=8090 src=192.168.0.203 dst=192.168.0.211 sport=80 dport=34372 [ASSURED]
3.6 DNAT
Destination network address translation. It is valid only in the PREROUTING and OUTPUT chains of the nat table.
-j DNAT --to-destination 192.168.0.202[:port]
This is what Docker's published ports and Kubernetes kube-proxy (in iptables mode) are built on.
3.6.1 Accessing a server from the local machine
Connections that originate on the machine itself never traverse PREROUTING, so for them the translation has to be done in the nat OUTPUT chain:
iptables -t nat -A OUTPUT \
    -p tcp -d $WAN_IP --dport $PORT -j DNAT --to-destination $SV_IP
# Local connections to port 8090 of this machine are sent to port 80 of 192.168.0.202
root@node2:~# iptables -t nat -A OUTPUT -p tcp --dport 8090 -j DNAT --to-destination 192.168.0.202:80
root@node2:~# iptables -t nat -nvL OUTPUT
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8090 to:192.168.0.202:80

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
# Nothing listens on port 8090
root@node2:~# ss -ntl
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128         127.0.0.1:6010        0.0.0.0:*
LISTEN  0       128         127.0.0.1:6011        0.0.0.0:*
LISTEN  0       511           0.0.0.0:80          0.0.0.0:*
LISTEN  0       4096    127.0.0.53%lo:53          0.0.0.0:*
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*
LISTEN  0       128             [::1]:6010           [::]:*
LISTEN  0       128             [::1]:6011           [::]:*
LISTEN  0       511              [::]:80             [::]:*
LISTEN  0       128              [::]:22             [::]:*
root@node2:~# curl 192.168.0.203:8090
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
    width: 35em;
    margin: 0 auto;
    font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
The following is the process of address translation
root@node2:~# conntrack -E
    [NEW] tcp      6 120 SYN_SENT src=192.168.0.203 dst=192.168.0.203 sport=48776 dport=8090 [UNREPLIED] src=192.168.0.202 dst=192.168.0.203 sport=80 dport=48776
 [UPDATE] tcp      6 60 SYN_RECV src=192.168.0.203 dst=192.168.0.203 sport=48776 dport=8090 src=192.168.0.202 dst=192.168.0.203 sport=80 dport=48776
 [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.0.203 dst=192.168.0.203 sport=48776 dport=8090 src=192.168.0.202 dst=192.168.0.203 sport=80 dport=48776 [ASSURED]
 [UPDATE] tcp      6 120 FIN_WAIT src=192.168.0.203 dst=192.168.0.203 sport=48776 dport=8090 src=192.168.0.202 dst=192.168.0.203 sport=80 dport=48776 [ASSURED]
 [UPDATE] tcp      6 30 LAST_ACK src=192.168.0.203 dst=192.168.0.203 sport=48776 dport=8090 src=192.168.0.202 dst=192.168.0.203 sport=80 dport=48776 [ASSURED]
 [UPDATE] tcp      6 120 TIME_WAIT src=192.168.0.203 dst=192.168.0.203 sport=48776 dport=8090 src=192.168.0.202 dst=192.168.0.203 sport=80 dport=48776 [ASSURED]
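Each conntrack -E event (here and in 3.5) prints the original tuple (src/dst/sport/dport as the client sent them) followed by the reply tuple (what the return packets look like). Comparing the two is how you read off which NAT the kernel applied: without NAT the reply tuple is the exact mirror of the original. The following Python is an added example, not from the original article: it parses such events and reports the DNAT and SNAT mappings. The first two sample lines follow the listings in 3.5 and 3.6.1; the third is constructed for the routed set-up of 3.6.2, with a DNAT plus a plain SNAT (no port).

```python
"""Read conntrack -E events and work out which NAT (DNAT, SNAT or both) the
kernel applied to each flow by comparing the original and reply tuples."""
import re
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]

# Constructed sample: lines 1 and 2 follow the conntrack -E listings in 3.5
# (REDIRECT) and 3.6.1 (local DNAT); line 3 is made up for the forwarding
# set-up of 3.6.2, where DNAT and a plain SNAT apply to the same flow.
SAMPLE_EVENTS = """\
[NEW] tcp      6 120 SYN_SENT src=192.168.0.211 dst=192.168.0.203 sport=34372 dport=8090 [UNREPLIED] src=192.168.0.203 dst=192.168.0.211 sport=80 dport=34372
[NEW] tcp      6 120 SYN_SENT src=192.168.0.203 dst=192.168.0.203 sport=48776 dport=8090 [UNREPLIED] src=192.168.0.202 dst=192.168.0.203 sport=80 dport=48776
[UPDATE] tcp      6 432000 ESTABLISHED src=192.168.0.211 dst=192.168.0.203 sport=34400 dport=8091 src=192.168.0.202 dst=192.168.0.203 sport=80 dport=34400 [ASSURED]
"""

_HEAD = re.compile(r"^\s*\[(?P<type>\w+)\]\s+(?P<proto>\w+)\s+(?P<protonum>\d+)\s+(?P<timeout>\d+)")
_KV = re.compile(r"\b(src|dst|sport|dport)=(\S+)")
_FLAG = re.compile(r"\[([A-Z]+)\]")


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Split one conntrack event into its original and reply tuples."""
    m = _HEAD.match(line)
    if not m:
        return None
    orig: Dict[str, object] = {}
    reply: Dict[str, object] = {}
    side = orig
    for key, val in _KV.findall(line):
        if key == "src" and "src" in side:
            side = reply                     # the second src= starts the reply tuple
        side[key] = int(val) if key in ("sport", "dport") else val
    if len(orig) != 4 or len(reply) != 4:
        return None                          # no ports (e.g. ICMP): not a tuple handled here
    flags = _FLAG.findall(line)[1:]          # [UNREPLIED], [ASSURED], ... after the event type
    return {"type": m["type"], "proto": m["proto"], "timeout": int(m["timeout"]),
            "orig": orig, "reply": reply, "flags": flags}


def nat_of(event: Dict[str, object]) -> Dict[str, Optional[Tuple[Endpoint, Endpoint]]]:
    """Derive the translations from the two tuples.

    A reply source that differs from the original destination means the
    destination was rewritten (DNAT); a reply destination that differs from
    the original source means the source was rewritten (SNAT).
    """
    o, r = event["orig"], event["reply"]
    dnat = snat = None
    if (r["src"], r["sport"]) != (o["dst"], o["dport"]):
        dnat = ((o["dst"], o["dport"]), (r["src"], r["sport"]))
    if (r["dst"], r["dport"]) != (o["src"], o["sport"]):
        snat = ((o["src"], o["sport"]), (r["dst"], r["dport"]))
    return {"dnat": dnat, "snat": snat}


def describe(line: str) -> str:
    """One-line summary of an event, handy for grepping a live conntrack -E stream."""
    ev = parse_event(line)
    if ev is None:
        return "unparsed: " + line.strip()
    parts: List[str] = []
    for kind, mapping in nat_of(ev).items():
        if mapping:
            (a, ap), (b, bp) = mapping
            parts.append(f"{kind.upper()} {a}:{ap} -> {b}:{bp}")
    o = ev["orig"]
    return (f"[{ev['type']}] {o['src']}:{o['sport']} -> {o['dst']}:{o['dport']} "
            + (", ".join(parts) or "no NAT"))


if __name__ == "__main__":
    for sample in SAMPLE_EVENTS.splitlines():
        print(describe(sample))
```

Running it on the sample prints one DNAT for the REDIRECT flow (8090 to 80 on the same host), one for the local DNAT (8090 to 192.168.0.202:80) and both a DNAT and an SNAT for the routed flow; `conntrack -E | python3 ctnat.py` style piping works the same way on a live host if the loop reads sys.stdin instead of SAMPLE_EVENTS.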
3.6.2 Using the current machine as a router to forward to another host
- Environment

192.168.0.0/24

Access machine (CentOS)  -------  iptables machine (node2)  -------  Server (node1)
192.168.0.211                     192.168.0.203                      192.168.0.202
- Experiment
From 192.168.0.211, access port 8091 of 192.168.0.203 and have node2 forward the connection to port 80 of 192.168.0.202.
Both DNAT and SNAT are needed here. node1 (192.168.0.202) and the CentOS client are on the same subnet, so without SNAT node1 would answer the client directly: the reply would bypass node2 and its conntrack entry, arrive from 192.168.0.202:80 instead of the 192.168.0.203:8091 the client connected to, and the client would reset the connection. Rewriting the source of the forwarded packets to node2's own address makes node1 send its replies back through node2, where conntrack reverses both translations.
- Prerequisites
# Enable IP forwarding so that node2 can act as a router.
# This is not persistent across reboots; for a permanent change put net.ipv4.ip_forward = 1 in /etc/sysctl.d/.
root@node2:~# echo 1 > /proc/sys/net/ipv4/ip_forward
# Confirm the change
root@node2:~# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
- Appending the rules
# Destination translation 192.168.0.203:8091 -> 192.168.0.202:80
root@node2:~# iptables -t nat -A PREROUTING -p tcp -d 192.168.0.203 --dport 8091 -j DNAT --to-destination 192.168.0.202:80
# Source translation for the forwarded packets, so that node1's replies come back via node2.
# Note: the ':8091' on --to-source works for a single test connection but is wrong in general.
# A port on --to-source pins the *source port* of every forwarded packet to 8091, so concurrent
# connections would collide; it does not map port 80 back to 8091 (conntrack undoes the DNAT on
# its own). Use --to-source 192.168.0.203 without a port.
root@node2:~# iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.202 --dport 80 -j SNAT --to-source 192.168.0.203:8091
# Confirm the rules
root@node2:~# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 5 packets, 1145 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   240 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.0.203        tcp dpt:8091 to:192.168.0.202:80

Chain INPUT (policy ACCEPT 5 packets, 1145 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 SNAT       tcp  --  *      *       0.0.0.0/0            192.168.0.202        tcp dpt:80 to:192.168.0.203:8091
- Access 192.168.0.203:8091 from CentOS
# Access succeeds and the response comes from node1
[root@centos ~]# curl 192.168.0.203:8091
this is node1(192.168.0.202)
SNAT needs a fixed address, which is fine here because the lab uses static IPs. If the outgoing address is dynamic (DHCP, PPP), use MASQUERADE instead: it takes the current address of the outgoing interface each time, which is what Docker uses for container egress and is more convenient for that case.
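To tie 3.6.2 together, the following added example (Python, not from the original article) generates an iptables-restore file for the same scenario, with two changes a practitioner would make: the SNAT target carries no port and is limited with -m conntrack --ctstate DNAT to the forwarded flows, and the filter FORWARD chain drops by default and admits only that service. The node2/node1 addresses are the lab's. Loading the output with iptables-restore replaces the whole nat and filter tables, so review it first, and enable net.ipv4.ip_forward separately. A small lint function flags the ':port' mistake on --to-source discussed above.

```python
"""Generate an iptables-restore rule set for the 3.6.2 scenario: publish a
backend service through a forwarding host that is not the backend's gateway."""
import ipaddress
import re
from typing import List, Optional


def _ip(addr: str) -> str:
    return str(ipaddress.IPv4Address(addr))   # ValueError for anything that is not an IPv4 address


def _port(port: int) -> int:
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    return int(port)


def port_forward_ruleset(public_ip: str, public_port: int, backend_ip: str,
                         backend_port: int, wan_if: Optional[str] = None) -> str:
    """Return iptables-restore text mapping public_ip:public_port to backend_ip:backend_port.

    The nat table does the translation; the filter table permits only that
    forwarded flow (FORWARD policy DROP) instead of the lab's accept-everything.
    """
    public_ip, backend_ip = _ip(public_ip), _ip(backend_ip)
    public_port, backend_port = _port(public_port), _port(backend_port)
    on_if = f" -i {wan_if}" if wan_if else ""      # optionally restrict DNAT to one interface
    target = f"{backend_ip}:{backend_port}"
    lines: List[str] = [
        "*nat",
        ":PREROUTING ACCEPT [0:0]", ":INPUT ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]",
        # Remote clients: rewrite the destination before the routing decision.
        f"-A PREROUTING{on_if} -p tcp -d {public_ip} --dport {public_port} -j DNAT --to-destination {target}",
        # The forwarding host's own processes never traverse PREROUTING; use OUTPUT for them.
        f"-A OUTPUT -p tcp -d {public_ip} --dport {public_port} -j DNAT --to-destination {target}",
        # Replies from the backend must come back through this host, so rewrite the source of
        # the DNATed flows to our address. No ':port' here: a port on --to-source pins the
        # source port of the forwarded packets; it does not map the service port back.
        f"-A POSTROUTING -p tcp -d {backend_ip} --dport {backend_port} -m conntrack --ctstate DNAT -j SNAT --to-source {public_ip}",
        "COMMIT",
        "*filter",
        ":INPUT ACCEPT [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A FORWARD -p tcp -d {backend_ip} --dport {backend_port} -m conntrack --ctstate NEW -j ACCEPT",
        "COMMIT",
    ]
    return "\n".join(lines) + "\n"


_SNAT_SRC = re.compile(r"-j\s+SNAT\s+--to-source\s+([\d.\-]+)(:[\d\-]+)?")


def snat_warnings(ruleset: str) -> List[str]:
    """Flag SNAT rules whose --to-source carries a port, the mistake discussed in 3.6.2."""
    warnings: List[str] = []
    for n, line in enumerate(ruleset.splitlines(), 1):
        m = _SNAT_SRC.search(line)
        if m and m.group(2):
            warnings.append(f"line {n}: --to-source {m.group(1)}{m.group(2)} pins the source port; "
                            f"use --to-source {m.group(1)}")
    return warnings


if __name__ == "__main__":
    rules = port_forward_ruleset("192.168.0.203", 8091, "192.168.0.202", 80, wan_if="ens33")
    print(rules)
    print(snat_warnings(rules) or "no SNAT warnings")
```

Save the printed text to a file and load it with `iptables-restore < rules.v4` (after `sysctl -w net.ipv4.ip_forward=1`); `iptables-restore --test` checks the syntax without applying anything.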
3.7 Other targets
iptables has many more targets. RETURN (leave a user-defined chain and continue in the calling chain), MASQUERADE and MARK are common ones; the full list is in man iptables-extensions.
4 Other uses
iptables can also rate-limit with the limit match (for example -m limit --limit 10/second --limit-burst 20); it is worth experimenting with if you are interested.
There are many less common uses; they may be covered in a later post.