View full version: iptables NAT configure

chun 2008-6-17 15:35

iptables NAT configure

Ok, so I would probably just create a bunch of aliases (virtual
interfaces) for each of the public IPs so that you have general
connectivity (though not necessary), then just write a DNAT rule for
each mapping and forward the required ports to the LAN server.
Just remember that iptables will treat each of the virtual interfaces
as one interface, so eth0:1, eth0:2, and eth0:3 would all be just eth0
in your iptables rules (using aliases in the rules will cause an
error). So your DNAT rules will look like:

iptables -t nat -A PREROUTING -i eth0 -d 65.66.67.150 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i eth0 -d 65.66.67.151 -j DNAT --to-destination 192.168.1.3

If you want to forward each of those ports to all of the internal servers, then your forwarding rules will be:
iptables -A FORWARD -p tcp -m multiport --dports 21,23,25,53,80,110,443,3389,5561,5562 -j ACCEPT

If you only want to forward certain ports to certain LAN servers, then
just specify which ports and which internal IPs. For example, say you
only want ports 80 and 443 going to 192.168.1.2 and ftp going to
192.168.1.3. Then your rules would be:
iptables -A FORWARD -p tcp -m multiport --dports 80,443 -d 192.168.1.2 -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -d 192.168.1.3 -j ACCEPT

Finally you'll need a rule to allow packets back out:
iptables -A FORWARD -i eth1 -j ACCEPT
(you can lock this down further depending on your needs)

Also make sure that you've turned on packet forwarding in the kernel:
echo 1 > /proc/sys/net/ipv4/ip_forward
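The whole procedure from the post above (one DNAT rule per public IP, a per-host FORWARD rule limited to the needed ports, a return rule, and ip_forward), put together as an added example that is not part of the original post. It is a POSIX sh script that generates the iptables commands from a small mapping table and only prints them unless APPLY=1 is set, so the rule set can be reviewed before it touches a live firewall. The interface names, addresses and port lists are constructed sample values; the script also normalises an alias such as eth0:1 to eth0 (the point the post makes about aliases), and, as the "lock this down further" option, replaces the blanket `-i eth1 -j ACCEPT` return rule with a conntrack ESTABLISHED,RELATED match and restricts the inbound rules to NEW connections. That tightening is my choice, not the original poster's.

```shell
#!/bin/sh
# Added example (not from the original post): build the DNAT/FORWARD rule set
# for a list of "public_ip lan_ip tcp_ports" mappings. With APPLY unset the
# commands are only printed; APPLY=1 pipes them into sh -e to execute them.
# All addresses, interfaces and ports below are constructed sample values.

WAN_IF="${WAN_IF:-eth0:1}"   # an alias is accepted here; it is normalised below
LAN_IF="${LAN_IF:-eth1}"

# iptables matches the physical interface, never the alias, so strip ":n".
base_iface() {
    printf '%s\n' "${1%%:*}"
}

# One PREROUTING DNAT rule per public IP -> LAN host mapping.
dnat_rule() {  # $1 wan_if (alias allowed)  $2 public_ip  $3 lan_ip
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
        "$(base_iface "$1")" "$2" "$3"
}

# FORWARD rule that admits only NEW connections to the listed TCP ports of one LAN host.
forward_rule() {  # $1 lan_ip  $2 comma-separated ports
    printf 'iptables -A FORWARD -p tcp -m multiport --dports %s -d %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$2" "$1"
}

# Return traffic in both directions: only packets belonging to a flow that was
# already accepted, instead of accepting everything that arrives on the LAN side.
return_rule() {
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# Emit the full rule set for a mapping table read from stdin, one mapping per line.
build_ruleset() {  # $1 wan_if
    return_rule                     # stateful rule first: it matches most packets
    while read -r pub lan ports; do
        [ -n "$pub" ] || continue   # skip blank lines
        dnat_rule "$1" "$pub" "$lan"
        forward_rule "$lan" "$ports"
    done
    printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'
}

# Print the commands, or execute them when APPLY=1 (stop at the first failure).
run_cmds() {
    if [ "${APPLY:-0}" = 1 ]; then sh -e; else cat; fi
}

# Sample mapping table (constructed): public IP, LAN host, ports to expose.
printf '%s\n' \
    '65.66.67.150 192.168.1.2 80,443' \
    '65.66.67.151 192.168.1.3 21' \
    | build_ruleset "$WAN_IF" | run_cmds
```

Run it once without APPLY to read the generated rules, then `APPLY=1 sh nat-rules.sh` as root to install them. The script appends rules and does not flush existing chains, so re-running it duplicates entries; flush or restore a saved table first if it is re-applied.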