PREROUTING and POSTROUTING in iptables

I use iptables at work, in particular the PREROUTING and POSTROUTING chains, so here is a simple example for future reference. In the nat table, PREROUTING is traversed before the routing decision and is where DNAT is done (rewriting the destination, e.g. forwarding connections that arrive for the gateway's address to an internal host); POSTROUTING is traversed after routing, just before the packet leaves, and is where SNAT/MASQUERADE is done (rewriting the source so replies come back to the gateway). Only the first packet of a connection passes through the nat table; conntrack applies the same translation to the rest of the connection. Two things to watch in the session below: rules are matched top-down, so the host-specific ACCEPT has to sit above the catch-all DROP in filter INPUT (which is why -R needs a rule number), and `-R PREROUTING 1` in the nat table overwrites whatever rule is currently number 1, which here was the DNAT rule, as the final iptables-save output shows.

[root@ ~]# cat /tmp/ipt_tmp.sh
# Generated by iptables-save v1.3.5 on Mon Jul 9 08:17:39 2012
*filter
:INPUT ACCEPT [39519334:1858761689]
:FORWARD ACCEPT [63755316:66709123839]
:OUTPUT ACCEPT [62427552:90909713429]
-A INPUT -s 192.168.0.11 -p tcp -m state --state NEW -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j DROP
COMMIT
# Completed on Mon Jul 9 08:17:39 2012
# Generated by iptables-save v1.3.5 on Mon Jul 9 08:17:39 2012
*nat
:PREROUTING ACCEPT [2748118:215319370]
:POSTROUTING ACCEPT [28696:3128078]
:OUTPUT ACCEPT [28696:3128078]
-A PREROUTING -s 192.168.8.0/255.255.255.0 -d 192.168.0.1 -i eth0 -j DNAT --to-destination 192.168.50.81
-A POSTROUTING -s 192.168.50.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jul 9 08:17:39 2012

[root@ ~]# iptables -nvL
Chain INPUT (policy ACCEPT 78 packets, 5512 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       192.168.0.11         0.0.0.0/0            state NEW tcp dpt:80
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 53 packets, 5992 bytes)
 pkts bytes target     prot opt in     out     source               destination

[root@ ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  eth0   *       192.168.8.0/24       192.168.0.1          to:192.168.50.81

Chain POSTROUTING (policy ACCEPT 4 packets, 312 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      eth0    192.168.50.0/24      0.0.0.0/0

Chain OUTPUT (policy ACCEPT 4 packets, 312 bytes)
 pkts bytes target     prot opt in     out     source               destination

[root@ ~]# iptables -R INPUT -s 192.168.0.11 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables v1.4.7: -R requires a rule number
Try `iptables -h' or 'iptables --help' for more information.

[root@ ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 219 packets, 15871 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  *      *       192.168.0.11         0.0.0.0/0            state NEW tcp dpt:80
2        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 196 packets, 16152 bytes)
num   pkts bytes target     prot opt in     out     source               destination

[root@ ~]# iptables -R INPUT 1 -s 192.168.0.11 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
[root@ ~]# iptables -nvL
Chain INPUT (policy ACCEPT 10 packets, 660 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.0.11         0.0.0.0/0            state NEW tcp dpt:80
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 6 packets, 1080 bytes)
 pkts bytes target     prot opt in     out     source               destination

[root@ ~]# iptables -t nat-R INPUT 1 -s 192.168.255.11/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
Bad argument `INPUT'
Try `iptables -h' or 'iptables --help' for more information.
[root@ ~]# iptables -t nat -R PREROUTING 1 -s 192.168.255.11/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
[root@ ~]# iptables -t nat
iptables v1.4.7: no command specified
Try `iptables -h' or 'iptables --help' for more information.

[root@ ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       192.168.255.11       0.0.0.0/0            state NEW tcp dpt:80

Chain POSTROUTING (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      eth0    192.168.50.0/24      0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination

[root@ ~]# iptables-save > /tmp/ipt_tmp.sh
[root@ ~]# cat /tmp/ipt_tmp.sh
# Generated by iptables-save v1.4.7 on Mon Jul 9 08:58:33 2012
*nat
:PREROUTING ACCEPT [1:242]
:POSTROUTING ACCEPT [34:2352]
:OUTPUT ACCEPT [34:2352]
-A PREROUTING -s 192.168.255.11/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jul 9 08:58:33 2012
# Generated by iptables-save v1.4.7 on Mon Jul 9 08:58:33 2012
*filter
:INPUT ACCEPT [796:59726]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [717:61256]
-A INPUT -s 192.168.0.11/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j DROP
COMMIT
# Completed on Mon Jul 9 08:58:33 2012
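The session above edits live rules one at a time with -R, which is easy to get wrong: the wrong rule number silently overwrote the DNAT rule. As an added example, not code from the original post, the script below writes the same DNAT + MASQUERADE setup as a complete iptables-save dump, checks the INPUT rule order, and loads it atomically with iptables-restore. The addresses and interface are the ones from the post; the variable and function names (gen_ruleset, check_input_order, rule_count, apply_ruleset) are this example's own, and the DNAT rule is narrowed to tcp/80 where the post's matched every protocol.

```shell
#!/bin/sh
# Added example (not from the original post): build the gateway's ruleset as an
# iptables-save dump and load it in one atomic step with iptables-restore
# instead of editing live rules by index with -R.
# Addresses/interface come from the post; names below are this example's own.

WAN_IF=eth0                  # interface the 192.168.8.0/24 clients arrive on
PUB_ADDR=192.168.0.1         # address those clients connect to
CLIENT_NET=192.168.8.0/24    # clients whose web traffic gets DNATed
BACKEND=192.168.50.81        # real web server behind the gateway
LAN_NET=192.168.50.0/24      # internal net masqueraded on the way out
ALLOWED_HOST=192.168.0.11    # only host allowed to reach port 80 on the gateway itself

# Print the ruleset in iptables-save format. Counters are zeroed ([0:0]);
# rule order inside each chain is exactly the order written here.
# The DNAT is restricted to tcp/80 (my choice; the post's rule matched all protocols).
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s ${CLIENT_NET} -d ${PUB_ADDR} -i ${WAN_IF} -p tcp --dport 80 -j DNAT --to-destination ${BACKEND}
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s ${ALLOWED_HOST} -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j DROP
COMMIT
EOF
}

# Sanity check before loading: the host-specific ACCEPT must precede the
# catch-all DROP in filter INPUT, otherwise it is dead (rules match top-down).
# Exit status 0 when the order is right, 1 otherwise.
check_input_order() {
    gen_ruleset | awk '
        /^-A INPUT .*-j ACCEPT$/ { accept = NR }
        /^-A INPUT .*-j DROP$/   { drop = NR }
        END { if (accept && drop && accept < drop) exit 0; exit 1 }'
}

# Number of -A rules for one chain in the generated ruleset, e.g. rule_count PREROUTING
rule_count() {
    gen_ruleset | grep -c "^-A $1 "
}

# Load the whole ruleset atomically (all or nothing). Needs root and the
# nat/conntrack modules; on newer iptables, "iptables-restore --test" parses
# the dump without committing it.
apply_ruleset() {
    if ! check_input_order; then
        echo "refusing to load: host ACCEPT would sit below the catch-all DROP" >&2
        return 1
    fi
    gen_ruleset | iptables-restore
}

# Only touch the kernel when explicitly asked, so the file can be sourced
# or run without arguments to inspect the ruleset.
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
elif [ "${1:-}" = "show" ]; then
    gen_ruleset
fi
```

Run `sh ruleset.sh show` to print the dump and `sh ruleset.sh apply` as root to load it. Because iptables-restore swaps each table in one step, there is no window in which the host-specific ACCEPT is missing, and a saved copy of the dump is the review artifact: a `diff` of two dumps shows exactly which rule changed, which the -R-by-number workflow above cannot.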


