Linux tutorial: Linux iptables port forwarding, key points:
This article covers port forwarding with Linux iptables: port-range mapping for UDP and TCP, local port redirection, and single-port forwarding.
Contents:
1, UDP port-range mapping
2, TCP port-range mapping
3, Local port redirection
4, Single-port forwarding
Preparation:
Enable IP forwarding
[root@CentOS ~]# cat /etc/sysctl.conf | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1

Flush the rules and change the default policy; back up anything important first.
[root@CentOS ~]# iptables -F -t nat
[root@CentOS ~]# iptables -X -t nat
[root@CentOS ~]# iptables -P INPUT DROP
[root@CentOS ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@CentOS ~]#

Remove the REJECT rule
[root@CentOS ~]# vim /etc/sysconfig/iptables
[root@CentOS ~]# service iptables restart
1, UDP port-range mapping
One-to-one match:
[root@CentOS ~]# iptables -t nat -A PREROUTING -p udp --dport 5000:6000 -j DNAT --to 192.168.66.2:5000-6000

[Note] Written like this, the port-forwarding match becomes unpredictable:
[root@CentOS ~]# iptables -t nat -A PREROUTING -p udp --dport 5000:5010 -j DNAT --to 192.168.66.2:6000-6010
[Host inside the NAT: 192.168.66.2] Verify the port-forwarding match; the sender uses source port 9999
[root@CentOS ~]# tcpdump -i eth0 -tnn port 9999
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 172.16.20.245.9999 > 192.168.66.2.5500: UDP, length 1
IP 172.16.20.245.9999 > 192.168.66.2.5500: UDP, length 1
IP 172.16.20.245.9999 > 192.168.66.2.5501: UDP, length 1
IP 172.16.20.245.9999 > 192.168.66.2.5501: UDP, length 1
[Host outside the NAT: 172.16.20.245] Send to the NAT host; the packets leave with source port 9999 and destination ports 5500-5555
sudo nc -v -u -p 9999 172.16.20.183 5500-5555
Verify two-way communication through the forwarded port:

On the host inside the NAT, open a listener:
[root@CentOS ~]# nc -l -u 5555
From the host outside the NAT, send data to the NAT host:
nc -u 172.16.20.183 5555

Data sent in either direction is received by the other side.

Conclusion: the port mapping matches exactly and two-way data exchange succeeds.
2, TCP port-range mapping
TCP port-range mapping:
[root@CentOS ~]# iptables -t nat -A PREROUTING -p tcp --dport 2000:2500 -j DNAT --to 192.168.66.2:2000-2500

Verification:
Receiving side: [Host inside the NAT: 192.168.66.2]
[root@CentOS ~]# tcpdump -i eth0 -tnn portrange 2000-2500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 172.16.20.245.37446 > 192.168.66.2.2000: Flags [S], seq 1083771445, win 29200, options [mss 1460,sackOK,TS val 3864340 ecr 0,nop,wscale 7], length 0
IP 192.168.66.2.2000 > 172.16.20.245.37446: Flags [R.], seq 0, ack 1083771446, win 0, length 0
IP 172.16.20.245.47912 > 192.168.66.2.2001: Flags [S], seq 629593170, win 29200, options [mss 1460,sackOK,TS val 3864344 ecr 0,nop,wscale 7], length 0
IP 192.168.66.2.2001 > 172.16.20.245.47912: Flags [R.], seq 0, ack 629593171, win 0, length 0
IP 172.16.20.245.34816 > 192.168.66.2.2002: Flags [S], seq 680276410, win 29200, options [mss 1460,sackOK,TS val 3864345 ecr 0,nop,wscale 7], length 0
IP 192.168.66.2.2002 > 172.16.20.245.34816: Flags [R.], seq 0, ack 680276411, win 0, length 0
IP 172.16.20.245.37508 > 192.168.66.2.2003: Flags [S], seq 1070666075, win 29200, options [mss 1460,sackOK,TS val 3864345 ecr 0,nop,wscale 7], length 0
IP 192.168.66.2.2003 > 172.16.20.245.37508: Flags [R.], seq 0, ack 1070666076, win 0, length 0


Sending side: [Host outside the NAT: 172.16.20.245] sends to the NAT host:
sudo nc -z -w1 -v 172.16.20.183 2000-2500
nc: connect to 172.16.20.183 port 2000 (tcp) failed: Connection refused
nc: connect to 172.16.20.183 port 2001 (tcp) failed: Connection refused
nc: connect to 172.16.20.183 port 2002 (tcp) failed: Connection refused
nc: connect to 172.16.20.183 port 2003 (tcp) failed: Connection refused
nc: connect to 172.16.20.183 port 2004 (tcp) failed: Connection refused
nc: connect to 172.16.20.183 port 2005 (tcp) failed: Connection refused
nc: connect to 172.16.20.183 port 2006 (tcp) failed: Connection refused
nc: connect to 172.16.20.183 port 2007 (tcp) failed: Connection refused


As you can see, although the connection fails, both the SYN and the RST/ACK reply are present; only a successful handshake is missing. The RST is sent by 192.168.66.2 itself, so the forwarded SYN did reach the inner host.
3, Local port redirection
[root@CentOS ~]# iptables -t nat -A PREROUTING -p tcp --dport 1234 -j REDIRECT --to-ports 2345
[root@CentOS ~]# nc -l -k 2345   # start a listener

1,
Another host on the LAN connects directly to port 2345 on this host; look at the tcpdump output
linuxidc@Ubuntu~$ nc 172.16.20.183 2345   # remote host connects to 172.16.20.183 port 2345

tcpdump output on this host
[root@CentOS ~]# tcpdump -i eth0 host 172.16.20.245 -tnn
IP 172.16.20.245.44706 > 172.16.20.183.2345: Flags [S], seq 33366406, win 29200, options [mss 1460,sackOK,TS val 4001328 ecr 0,nop,wscale 7], length 0
IP 172.16.20.183.2345 > 172.16.20.245.44706: Flags [R.], seq 0, ack 33366407, win 0, length 0

2, Another host on the LAN connects to port 1234 on this host; look at the tcpdump output
linuxidc@ubuntu~$ nc 172.16.20.183 1234   # remote host connects to 172.16.20.183 port 1234

Watch with tcpdump on this host:
[root@CentOS ~]# tcpdump -i eth0 host 172.16.20.245 -tnn
IP 172.16.20.245.47332 > 172.16.20.183.1234: Flags [S], seq 3622624416, win 29200, options [mss 1460,sackOK,TS val 4047126 ecr 0,nop,wscale 7], length 0
IP 172.16.20.183.1234 > 172.16.20.245.47332: Flags [S.], seq 123535638, ack 3622624417, win 14480, options [mss 1460,sackOK,TS val 12018501 ecr 4047126,nop,wscale 6], length 0
IP 172.16.20.245.47332 > 172.16.20.183.1234: Flags [.], ack 1, win 229, options [nop,nop,TS val 4047126 ecr 12018501], length 0
IP 172.16.20.245.47332 > 172.16.20.183.1234: Flags [P.], seq 1:2, ack 1, win 229, options [nop,nop,TS val 4047282 ecr 12018501], length 1
IP 172.16.20.183.1234 > 172.16.20.245.47332: Flags [.], ack 2, win 227, options [nop,nop,TS val 12019122 ecr 4047282], length 0
IP 172.16.20.245.47332 > 172.16.20.183.1234: Flags [P.], seq 2:3, ack 1, win 229, options [nop,nop,TS val 4047325 ecr 12019122], length 1
IP 172.16.20.183.1234 > 172.16.20.245.47332: Flags [.], ack 3, win 227, options [nop,nop,TS val 12019297 ecr 4047325], length 0
IP 172.16.20.245.47332 > 172.16.20.183.1234: Flags [P.], seq 3:4, ack 1, win 229, options [nop,nop,TS val 4047353 ecr 12019297], length 1

The three-way handshake completes.
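Sections 2 and 3 both judge the forwarding by reading tcpdump by hand: a SYN answered by RST means the packet reached a host with no listener, a SYN answered by SYN-ACK and then ACK means the handshake completed, and a SYN with no reply at all points at a DROP policy or a missing rule rather than a closed port. The script below is an added example, not code from the tutorial: it automates that reading for "tcpdump -tnn" output. It assumes the line layout shown above (no timestamp, numeric addresses, "Flags [..]" as the sixth field); the sample capture is constructed from the tutorial's own lines plus one SYN to port 9999 that is never answered.

```shell
#!/bin/sh
# Added example (not from the tutorial): classify the TCP flows in
# "tcpdump -tnn" output so a port-forwarding test can be judged from the
# capture alone. Outcomes per client>server flow:
#   established  SYN answered by SYN-ACK and acknowledged (section 3, port 1234)
#   refused      SYN answered by RST: the forwarded SYN reached the target, but
#                nothing was listening there (section 2, ports 2000-2003)
#   unanswered   SYN with no reply at all: the signature of a DROP policy or a
#                missing FORWARD/NAT rule, not of a closed port
classify_tcp_flows() {
  awk '
    $1 == "IP" && $3 == ">" {
      src = $2; dst = $4; sub(/:$/, "", dst)         # "1.2.3.4.port:" -> "1.2.3.4.port"
      flags = $6; sub(/,$/, "", flags)               # "[S]," -> "[S]"
      fwd = src ">" dst; rev = dst ">" src
      if (flags == "[S]") { state[fwd] = "unanswered" }
      else if (rev in state) {                       # reply from the server side
        if (flags == "[R.]" && state[rev] == "unanswered") state[rev] = "refused"
        if (flags == "[S.]" && state[rev] == "unanswered") state[rev] = "synack"
      }
      else if (fwd in state) {                       # later packet from the client
        if (flags == "[.]" && state[fwd] == "synack") state[fwd] = "established"
      }
    }
    END { for (k in state) print k, state[k] }
  ' | sort
}

# State of the flow whose server endpoint (host.port) is $2, read from the
# capture text in $1.
flow_state() {
  printf '%s\n' "$1" | classify_tcp_flows | awk -v srv="$2" '
    { split($1, ep, ">"); if (ep[2] == srv) print $2 }'
}

# Constructed sample: the tutorial's section 2 and 3 captures plus one SYN
# (to port 9999) that never gets a reply.
SAMPLE='IP 172.16.20.245.37446 > 192.168.66.2.2000: Flags [S], seq 1083771445, win 29200, options [mss 1460,sackOK,TS val 3864340 ecr 0,nop,wscale 7], length 0
IP 192.168.66.2.2000 > 172.16.20.245.37446: Flags [R.], seq 0, ack 1083771446, win 0, length 0
IP 172.16.20.245.47332 > 172.16.20.183.1234: Flags [S], seq 3622624416, win 29200, options [mss 1460,sackOK,TS val 4047126 ecr 0,nop,wscale 7], length 0
IP 172.16.20.183.1234 > 172.16.20.245.47332: Flags [S.], seq 123535638, ack 3622624417, win 14480, options [mss 1460,sackOK,TS val 12018501 ecr 4047126,nop,wscale 6], length 0
IP 172.16.20.245.47332 > 172.16.20.183.1234: Flags [.], ack 1, win 229, options [nop,nop,TS val 4047126 ecr 12018501], length 0
IP 172.16.20.245.47332 > 172.16.20.183.1234: Flags [P.], seq 1:2, ack 1, win 229, options [nop,nop,TS val 4047282 ecr 12018501], length 1
IP 172.16.20.245.51000 > 172.16.20.183.9999: Flags [S], seq 1, win 29200, length 0'

printf '%s\n' "$SAMPLE" | classify_tcp_flows
```

In practice the capture is fed in live, for example `tcpdump -i eth0 -tnn -l portrange 2000-2500 | classify_tcp_flows`; "unanswered" flows that pile up while `nc -z` reports timeouts instead of "Connection refused" are the quickest sign that the packets are being dropped on the NAT host rather than refused by the target.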
4, Single-port forwarding
Port forwarding, TCP: forward packets arriving at local port 1122 to 192.168.66.2:5566
iptables -t nat -A PREROUTING -p tcp --dport 1122 -j DNAT --to-destination 192.168.66.2:5566

Port forwarding, UDP: forward packets arriving at local port 2233 to 192.168.66.2:4455
iptables -t nat -A PREROUTING -p udp --dport 2233 -j DNAT --to-destination 192.168.66.2:4455
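The rules in sections 1, 2 and 4, and the ip_forward check in the preparation step, are easy to get subtly wrong: the range syntax differs between `--dport` (MIN:MAX) and `--to` (MIN-MAX), and the note in section 1 that a `--to` range different from the `--dport` range gives unpredictable matching is the kind of thing a script should refuse rather than a reader should remember. The script below is an added example, not code from the tutorial: it prints the rules instead of applying them and returns a non-zero status for a range mapping that is not one-to-one. The inner host 192.168.66.2 and the port ranges are the tutorial's; the sysctl file in demo() is constructed; and dnat_port_outcome() is an assumed model of the netfilter NAT port selection (a port already inside the `--to` range is kept, any other port is allocated by the kernel), which is the reason behind the section 1 note. The FORWARD rule is also an addition: the tutorial never shows one, but a DNATed packet still traverses the FORWARD chain, so a DROP policy there would break forwarding even with a correct nat rule.

```shell
#!/bin/sh
# Added example (not code from the tutorial): build and sanity-check the
# iptables port-forwarding rules from sections 1, 2 and 4 before they are
# applied. Nothing here runs iptables or sysctl; each function only prints
# rule text or returns a status, so it runs on any host.

# True when a sysctl-style file sets net.ipv4.ip_forward = 1. This mirrors the
# tutorial's grep and shares its limitation: the file shows the configured
# value, not what the running kernel uses (/proc/sys/net/ipv4/ip_forward).
ip_forward_enabled() {
  grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Assumed model of how a DNAT --to port range picks the new destination port:
# a packet whose original port ($1) already lies inside the --to range
# ($2-$3) keeps it; any other port is assigned from the range by the kernel's
# allocator, which the sender cannot predict. This is why 5000:6000 -> 5000-6000
# maps one-to-one while 5000:5010 -> 6000-6010 does not.
dnat_port_outcome() {
  if [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; then
    echo "$1"
  else
    echo "unpredictable"
  fi
}

# Print the PREROUTING DNAT rule for a port range:
#   range_dnat_rule PROTO FROM_MIN FROM_MAX TARGET_IP TO_MIN TO_MAX
# Returns 0 only for a one-to-one mapping (identical ranges), 1 otherwise, so
# a wrapper can refuse to apply a rule whose port selection is unpredictable.
# Syntax reminder: --dport takes MIN:MAX, --to takes MIN-MAX.
range_dnat_rule() {
  printf 'iptables -t nat -A PREROUTING -p %s --dport %s:%s -j DNAT --to %s:%s-%s\n' \
    "$1" "$2" "$3" "$4" "$5" "$6"
  if [ "$2" -eq "$5" ] && [ "$3" -eq "$6" ]; then
    return 0
  fi
  return 1
}

# FORWARD rule for the DNATed traffic (assumed addition; the tutorial's FORWARD
# policy was evidently ACCEPT). After PREROUTING the packet still traverses
# FORWARD, so a DROP policy there would silently break the forwarding.
#   forward_accept_rule PROTO TARGET_IP TO_MIN TO_MAX
forward_accept_rule() {
  printf 'iptables -A FORWARD -p %s -d %s --dport %s:%s -j ACCEPT\n' "$1" "$2" "$3" "$4"
}

# Single-port forward (section 4): single_dnat_rule PROTO DPORT TARGET_IP TPORT
# One port can never fall outside its own target, so no range check is needed.
single_dnat_rule() {
  printf 'iptables -t nat -A PREROUTING -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$1" "$2" "$3" "$4"
}

demo() {
  tmp=$(mktemp)
  printf 'net.ipv4.ip_forward = 1\n' > "$tmp"          # constructed sysctl.conf
  ip_forward_enabled "$tmp" && echo "# ip_forward is set in $tmp"
  rm -f "$tmp"
  echo "# dport 5500 via 5000:6000 -> 5000-6000 lands on: $(dnat_port_outcome 5500 5000 6000)"
  echo "# dport 5005 via 5000:5010 -> 6000-6010 lands on: $(dnat_port_outcome 5005 6000 6010)"
  range_dnat_rule udp 5000 6000 192.168.66.2 5000 6000 && forward_accept_rule udp 192.168.66.2 5000 6000
  range_dnat_rule udp 5000 5010 192.168.66.2 6000 6010 || echo "# refused: --to range differs from --dport range"
  single_dnat_rule tcp 1122 192.168.66.2 5566
  single_dnat_rule udp 2233 192.168.66.2 4455
}
demo
```

A wrapper that actually applies the rules would pipe the printed lines into `sh` only when every range_dnat_rule call returned 0; keeping the generator separate from the apply step is what makes the refusal possible without leaving a half-installed rule set behind.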
Source URL: http://www.fzlkiss.com/jiaocheng/10539.html