Software firewall iptables under linux - setting of nat table rules

In addition to the most commonly used filter table, iptables also occasionally uses the nat table. NAT is Network Address Translation, which is used to modify the source IP address or destination IP address. Now let's look at the table and chain process of a simple data packet passing through iptables to the back-end host.

1. Go through the PREROUTING chain of the NAT table

2. Determine whether the data packet is going to enter the machine through routing. If not, perform the next step

3 .After the FORWARD chain of the Filter

4.After the POSTROUTING chain of the NAT table, it is finally transmitted

The first and last steps related to NAT are the PREROUTING chain and the POSTROUTING chain.

• PREROUTING chain modifies the destination IP, referred to as DNAT

• POSTROUTING chain modifies the source IP, referred to as SNAT

DNAT

So which scenarios require the use of DNAT, and what are the common applications of SNAT? For DNAT, the most common thing is to map the internal network port to the external network so that other users can access it. In this way, the security of the internal network is greatly improved, because the external network cannot directly transmit data to the internal network.

Scenario: There is a host A (192.168.1.111) in the intranet with a website set up on it, and there is also a host B (192.168.1.2) in the intranet with a public IP (39.100.92.12). So what? Let users on the external network access the website above A.

At this time, you need to perform a DNAT operation on host B to change the destination address from the public network ip39.100.92.12 to the internal network address 192.168.1.111. The operation is as follows:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
> -j DNAT --to-destination 192.168.1.111:80

In addition to modifying the ip, the port can also be modified in the PREROUTING chain. For example, port 80 is mapped to port 8080, but the operation name is no longer DNAT, but REDIRECT.

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
> -j REDIRECT --to-ports 8080

SNAT

For SNAT, our most common application is that intranet machines access the Internet through a proxy server, and intranet hosts do not have a public network IP, then after the internal network host data packet passes through the proxy server, the proxy server needs to modify the source address of the data packet to the public network IP of the proxy server.

Scenario: There is a host A (192.168.1.111) in the intranet, and there is a host B (192.168.1.2) in the intranet with a public IP (39.100.92.12). So how can I operate host A? Connect to the public network.

# iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 \
> -j SNAT --to-source 39.100.92.12

The operations of DNAT and SNAT are not very complicated. The main thing is to understand the application scenarios of DNAT and SNAT. It is easy to get confused when you first learn. I hope everyone can understand their differences.

Related recommendations: "linux video tutorial"

The above is the detailed content of Software firewall iptables under linux - setting of nat table rules. For more information, please follow other related articles on the PHP Chinese website!