工作中用到iptables,PREROUTING和POSTROUTING,写个简单例子,为以后作参考。注意：nat 表里的 ACCEPT 只表示跳过该链后面的 NAT 规则，并不等于放行，真正的过滤仍由 filter 表完成；下面用 -R 替换 nat PREROUTING 第 1 条时，原来的 DNAT 规则就被覆盖掉了。
[root@ www.linuxidc.com ~]# cat /tmp/ipt_tmp.sh
# Generated by iptables-save v1.3.5 on Mon Jul 9 08:17:39 2012
*filter
:INPUT ACCEPT [39519334:1858761689]
:FORWARD ACCEPT [63755316:66709123839]
:OUTPUT ACCEPT [62427552:90909713429]
-A INPUT -s 192.168.0.11 -p tcp -m state --state NEW -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j DROP
COMMIT
# Completed on Mon Jul 9 08:17:39 2012
# Generated by iptables-save v1.3.5 on Mon Jul 9 08:17:39 2012
*nat
:PREROUTING ACCEPT [2748118:215319370]
:POSTROUTING ACCEPT [28696:3128078]
:OUTPUT ACCEPT [28696:3128078]
-A PREROUTING -s 192.168.8.0/255.255.255.0 -d 192.168.0.1 -i eth0 -j DNAT --to-destination 192.168.50.81
-A POSTROUTING -s 192.168.50.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jul 9 08:17:39 2012
[root@ www.linuxidc.com ~]# iptables -nvL
Chain INPUT (policy ACCEPT 78 packets, 5512 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- * * 192.168.0.11 0.0.0.0/0 state NEW tcp dpt:80
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 53 packets, 5992 bytes)
pkts bytes target prot opt in out source destination
[root@ www.linuxidc.com ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- eth0 * 192.168.8.0/24 192.168.0.1 to:192.168.50.81
Chain POSTROUTING (policy ACCEPT 4 packets, 312 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 192.168.50.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 4 packets, 312 bytes)
pkts bytes target prot opt in out source destination
[root@ www.linuxidc.com ~]# iptables -R INPUT -s 192.168.0.11 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables v1.4.7: -R requires a rule number
Try `iptables -h' or 'iptables --help' for more information.
[root@ www.linuxidc.com ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 219 packets, 15871 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 192.168.0.11 0.0.0.0/0 state NEW tcp dpt:80
2 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 196 packets, 16152 bytes)
num pkts bytes target prot opt in out source destination
[root@ www.linuxidc.com ~]# iptables -R INPUT 1 -s 192.168.0.11 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
[root@ www.linuxidc.com ~]# iptables -nvL
Chain INPUT (policy ACCEPT 10 packets, 660 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.0.11 0.0.0.0/0 state NEW tcp dpt:80
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 6 packets, 1080 bytes)
pkts bytes target prot opt in out source destination
[root@ www.linuxidc.com ~]# iptables -t nat-R INPUT 1 -s 192.168.255.11/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
Bad argument `INPUT'
Try `iptables -h' or 'iptables --help' for more information.
[root@ www.linuxidc.com ~]# iptables -t nat -R PREROUTING 1 -s 192.168.255.11/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
[root@ www.linuxidc.com ~]# iptables -t nat
iptables v1.4.7: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[root@ www.linuxidc.com ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.255.11 0.0.0.0/0 state NEW tcp dpt:80
Chain POSTROUTING (policy ACCEPT 3 packets, 180 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * eth0 192.168.50.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 3 packets, 180 bytes)
pkts bytes target prot opt in out source destination
[root@ www.linuxidc.com ~]# iptables-save > /tmp/ipt_tmp.sh
[root@ www.linuxidc.com ~]# cat /tmp/ipt_tmp.sh
# Generated by iptables-save v1.4.7 on Mon Jul 9 08:58:33 2012
*nat
:PREROUTING ACCEPT [1:242]
:POSTROUTING ACCEPT [34:2352]
:OUTPUT ACCEPT [34:2352]
-A PREROUTING -s 192.168.255.11/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jul 9 08:58:33 2012
# Generated by iptables-save v1.4.7 on Mon Jul 9 08:58:33 2012
*filter
:INPUT ACCEPT [796:59726]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [717:61256]
-A INPUT -s 192.168.0.11/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j DROP
COMMIT
# Completed on Mon Jul 9 08:58:33 2012