
Software firewall iptables under linux – setting of nat table rules – linux operation and maintenance

Besides the filter table, which is the one used most of the time, iptables also has a nat table. NAT is network address translation: rewriting the source IP address or the destination IP address of a packet. Before looking at the rules, follow a packet that arrives at a Linux NAT gateway and is destined for a host behind it through the tables and chains it passes:

1. The packet enters the PREROUTING chain of the nat table.

2. The routing decision: if the packet is addressed to this machine it goes to the INPUT chain; otherwise it is forwarded and continues with the next step.

3. The packet passes the FORWARD chain of the filter table.

4. The packet passes the POSTROUTING chain of the nat table and is finally sent out.

Steps 1 and 4 are where NAT happens, in the PREROUTING and POSTROUTING chains respectively:

  • PREROUTING rewrites the destination IP (and optionally the port); this is DNAT

  • POSTROUTING rewrites the source IP; this is SNAT

DNAT

So when is DNAT needed, and what is SNAT commonly used for? The most common use of DNAT is to publish a port of an internal host on the public network so that outside users can reach it. Only the published port is exposed; the internal host itself is not directly reachable from the outside, which keeps the rest of the internal network hidden. Note that the address translation alone is not a firewall: what else may be forwarded is decided by the filter rules in the FORWARD chain.

Scenario: a host A (192.168.1.111) on the intranet runs a website, and another intranet host B (192.168.1.2) also has a public IP (39.100.92.12). How can users on the external network reach the website on A?

Host B has to perform DNAT: packets that arrive on its public interface for port 80 get their destination changed from the public IP 39.100.92.12 to the intranet address 192.168.1.111. This assumes that IP forwarding is enabled on B and that B is A's default gateway, so that A's replies pass back through B and connection tracking can reverse the translation. The rule is:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
 > -j DNAT --to-destination 192.168.1.111:80

The PREROUTING chain can also change the port. The REDIRECT target is a special case of DNAT that sends the packet to the machine the rule runs on: it rewrites the destination to the address of the interface the packet arrived on. For example, to have a service listening on port 8080 of the gateway itself answer requests that arrive for port 80 (to forward port 80 to port 8080 on A instead, keep the DNAT target and change the port in --to-destination):

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
 > -j REDIRECT --to-ports 8080

SNAT

The most common use of SNAT is letting intranet machines, which have no public IP of their own, reach the Internet through a gateway. When a packet from an intranet host leaves through the gateway, the gateway rewrites the packet's source address to its own public IP; replies come back to that public IP and connection tracking maps them back to the intranet host.

Scenario: a host A (192.168.1.111) on the intranet, and a host B (192.168.1.2) on the intranet that also has a public IP (39.100.92.12). How can A be made able to connect to the public network through B?

# iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 \
 > -j SNAT --to-source 39.100.92.12
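As an added example, not code from the article: a shell script that puts the DNAT rule from the previous section and the SNAT rule above together into the full rule set host B needs as a gateway, including what the article does not show: enabling IP forwarding, a FORWARD policy of DROP so that NAT does not expose the whole intranet, and connection-tracking rules for the return traffic. The article's addresses and interface eth0 are used throughout; the name eth1 for B's intranet-facing interface is an assumption, since the article never names it.

```sh
#!/bin/sh
# Added example (not from the article): the complete rule set host B needs to
# act as the NAT gateway in both scenarios above. Article values: eth0 is B's
# public interface, 39.100.92.12 its public IP, 192.168.1.0/24 the intranet and
# 192.168.1.111:80 the web server on A. LAN_IF=eth1 is an ASSUMED name for
# B's intranet-facing interface; the article does not name it.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PUBLIC_IP="${PUBLIC_IP:-39.100.92.12}"
WEB_HOST="${WEB_HOST:-192.168.1.111}"
WEB_PORT="${WEB_PORT:-80}"

# Reject anything that is not a dotted-quad IPv4 address, so a typo cannot
# become a rule that forwards public traffic to the wrong internal host.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _ifs=$IFS; IFS=.
  set -- $1
  IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# Print the rules in iptables-restore format: the two nat rules from the
# article plus the filter rules the article leaves out. Without a FORWARD
# policy, the nat rules alone would let anything be forwarded through B.
gateway_rules() {
  valid_ipv4 "$PUBLIC_IP" && valid_ipv4 "$WEB_HOST" || return 1
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT: traffic arriving on the public interface for port $WEB_PORT goes to A
-A PREROUTING -i $WAN_IF -p tcp --dport $WEB_PORT -j DNAT --to-destination $WEB_HOST:$WEB_PORT
# SNAT: intranet traffic leaving through the public interface gets B's public IP
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $PUBLIC_IP
COMMIT
*filter
:FORWARD DROP [0:0]
# Replies in both directions are matched by connection tracking, which also
# reverses the DNAT/SNAT translation; only new flows need explicit rules.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New flows from outside: only the published port, and only towards A
# (the packet is already DNATed when it reaches FORWARD, so match $WEB_HOST)
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_HOST -p tcp --dport $WEB_PORT -m conntrack --ctstate NEW -j ACCEPT
# New flows from the intranet out to the Internet
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Load the rules (needs root). Forwarding must be enabled, otherwise packets
# that survive PREROUTING are dropped at the routing decision in step 2.
apply_gateway_rules() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
  gateway_rules | iptables-restore
}

# sh nat-gateway.sh        -> print the rule set (dry run, no root needed)
# sh nat-gateway.sh apply  -> enable forwarding and load it
if [ "${1:-}" = apply ]; then
  apply_gateway_rules
else
  gateway_rules
fi
```

Run without arguments it only prints the rule set, which is useful for review before anything touches the kernel; with apply it enables forwarding and loads the rules through iptables-restore. Keep in mind that iptables-restore replaces the entire contents of each table it is given, so merge the filter section with any existing INPUT and OUTPUT rules first. If B's public address is assigned dynamically, the usual replacement for -j SNAT --to-source in POSTROUTING is -j MASQUERADE, which picks up the interface's current address.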

The DNAT and SNAT rules themselves are not complicated. The main thing is to understand when each one applies: DNAT rewrites the destination of traffic coming in (PREROUTING), SNAT rewrites the source of traffic going out (POSTROUTING).

This article is from the internet and does not represent the position of 1024programmer. Please indicate the source when reprinting: https://www.1024programmer.com/software-firewall-iptables-under-linux-setting-of-nat-table-rules-linux-operation-and-maintenance/

author: admin
