iptables FORWARD and INPUT

轻奢々 2021-01-30 00:06

I have a home network with Linux PCs, which all had iptables running. I think it is easier to put my LAN behind a Linux gateway/firewall, so I've put a PC (with Fedora, no GUI

2 answers
  • 2021-01-30 00:47

    INPUT, FORWARD, and OUTPUT are separate. A packet will only hit one of the three chains.

    If the destination is to this server, it hits the INPUT chain. If its source is from this server, it hits OUTPUT. If its source and destination are both other machines—it's being routed through the server—then it hits the FORWARD chain.

  • 2021-01-30 00:53

    RedHat has a great doc about iptables (a little bit long), but the subject to cover is complex and there are so many different use cases that I don't see how to avoid it.

    (figure: iptables kernel routing)

    Here is the chapter about FORWARD and NAT Rules. As it states:

    For example, if you want to forward incoming HTTP requests to your dedicated Apache HTTP Server at 172.31.0.23, use the following command as the root user:

    ~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80
    

    Here is what happens:

    • your Linux gateway receives a packet from your router. The packet header has:
      • source: x.x.x.x:y (sender IP from the internet & source port used for packet transmission)
      • destination: 192.168.1.1:80 (assuming your Linux gateway IP on the external NIC, i.e. p1p1)
    • your Linux gateway applies the PREROUTING chain to find a match. Assuming that you have typed what's above, the packet matches the rule and then calls (jumps, -j) the DNAT target (Destination Network Address Translation), which changes the destination of the packet header from the initial 192.168.1.1:80 to 172.31.0.23:80.
    • then the packet arrives at the routing decision. The packet destination is now 172.31.0.23:80.
      • Your Linux gateway asks itself: Is it for me (192.168.1.1:80)? No, so I won't send it to the INPUT chain.
      • => I'll send it to the FORWARD chain.
    • since you have set the rules to FORWARD all on your local network (table filter, chain FORWARD), the packet should be forwarded correctly to your local Apache HTTP Server (for example).

    Hope it'll help to understand a little bit more how internal routing works with iptables.

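Both answers above come down to one rule: after PREROUTING, the routing decision sends a packet to INPUT only if it is addressed to the gateway itself, and to FORWARD otherwise. The script below is an added example (not code from the original post or from the Red Hat document) that puts that together into a minimal gateway rule set for the scenario discussed: default-deny policies, LAN-to-Internet masquerading, and the HTTP port forward, with the FORWARD rule written against the post-DNAT destination. The interface names p1p1 (WAN) and eth1 (LAN), the LAN network 192.168.1.0/24 and the web server 172.31.0.23 are assumptions taken from or added to the discussion; change them to match your gateway.

```shell
#!/bin/sh
# Added example, not code from the original page or the Red Hat document.
# Minimal gateway rule set for the scenario above. Assumed names (not in the
# original post): WAN=p1p1 (external NIC), LAN=eth1 (internal NIC),
# LAN_NET=192.168.1.0/24, WEB=172.31.0.23 (the internal Apache server).
# DRY_RUN=1 prints the commands instead of running them, so no root is needed.
set -eu

WAN="${WAN:-p1p1}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB="${WEB:-172.31.0.23}"

# run: execute a command, or echo it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

gateway_rules() {
    # 1. Routing must be enabled, or packets for other hosts are dropped right
    #    after the routing decision and the FORWARD chain is never consulted.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Default-deny filter policies; allow loopback and reply traffic.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. LAN -> Internet: these packets are neither from nor to the gateway, so
    #    they traverse FORWARD; POSTROUTING then hides them behind the WAN address.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # 4. Port-forward HTTP. DNAT happens in PREROUTING, before the routing
    #    decision, so the packet is then destined for $WEB and goes to FORWARD,
    #    not INPUT. The filter rule must match the post-DNAT destination ($WEB),
    #    not the gateway's own address; an INPUT rule for port 80 would never see it.
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB:80"
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# "apply" runs the rules for real (as root); "dry-run" just prints them.
case "${1:-}" in
    apply)   gateway_rules ;;
    dry-run) DRY_RUN=1; gateway_rules ;;
esac
```

`sh gateway.sh dry-run` prints the rule set for review; `sh gateway.sh apply` installs it as root. The rules live only in the running kernel, so save them with iptables-save (or your distribution's firewall service) if they are to survive a reboot.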