Linux iptables

开通ip转发设置

vi /etc/sysctl.conf

将 net.ipv4.ip_forward=0 更改为 net.ipv4.ip_forward=1 (修改后执行 sysctl -p 使其生效, 此方式重启后仍然有效)

# echo 1 > /proc/sys/net/ipv4/ip_forward  (立即生效, 但只是临时设置, 重启后失效)

手动设置转发命令

iptables -t nat -A PREROUTING -d 192.168.116.128 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.116.130:80

# 将访问本机(116.128)的80端口映射至116.130的80端口上

# 如果端口只是在本机之间转发, 以下的命令可以忽略

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.116.128
# 注意: 该规则会把所有经 eth0 转发出去的流量源地址都改写为 116.128, 因此 116.130 上的日志看到的连接来源将是 116.128 而不是真实客户端地址

iptables -A FORWARD -s 192.168.116.130/255.255.255.0 -j ACCEPT
# 注意: 掩码 /255.255.255.0 匹配的是整个 192.168.116.0/24 网段, 而不只是 .130; 若只想放行 .130 一台主机, 应写成 192.168.116.130/32

常用iptables命令

查看

iptables -L --line-number

iptables -t nat -L --line-number

删除

iptables -D INPUT ${line-number}  (如不写 line-number, 则会默认为1)

iptables -t nat -D PREROUTING ${line-number}  (如不写 line-number, 则会默认为1)

/etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall

*nat

:PREROUTING ACCEPT [0:0]

:POSTROUTING ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

-A PREROUTING -d 192.168.116.128/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.116.130:80   # 将访问本机(116.128)的80端口映射至116.130的80端口上 (iptables-restore 未必支持行尾注释, 建议把注释单独放在以 # 开头的一行)

-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.116.128   # 与上面配合使用, 此为回路配置

COMMIT

# Completed on Thu Aug 11 05:48:11 2016

# Generated by iptables-save v1.4.7 on Thu Aug 11 05:48:11 2016

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [0:0]

# 只允许 38.100 进行 ping (下面两条放行规则必须排在 DROP 规则之前才会生效)

-A INPUT -s 192.168.38.100 -p icmp -m icmp --icmp-type 0 -j ACCEPT

-A INPUT -s 192.168.38.100 -p icmp -m icmp --icmp-type 8 -j ACCEPT

# 禁 ping (只丢弃 echo 请求/应答即类型 8/0, 其他 ICMP 类型仍会被下面的 -p icmp -j ACCEPT 放行)

-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP

-A INPUT -p icmp -m icmp --icmp-type 0 -j DROP

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

# 允许 22 端口

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# 允许 80 端口

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

# 只允许 211.123.16.0/24 网段访问 99 端口 (其他来源会被最后的 REJECT 规则拒绝)

-A INPUT -s 211.123.16.0/24 -p tcp -m tcp --dport 99 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -s 192.168.116.130/255.255.255.0 -j ACCEPT   # 与上面的端口映射配合使用; 如果你有下面一行规则就需要本行, 如没有可去除本行. 注意 /255.255.255.0 掩码放行的是整个 192.168.116.0/24 网段而不只是 .130

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT
