命令格式
-A PREROUTING -d 服务器IP -p tcp -m tcp --dport 端口2222 -j DNAT --to-destination 内网IP:22
-A POSTROUTING -s 192.168.10.0/255.255.255.0 -o 网卡eth0 -j SNAT --to-source 服务器IP
直接修改/etc/sysconfig/iptables
-A PREROUTING -d 192.168.68.132 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.10.253:22
-A POSTROUTING -s 192.168.68.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.68.132
或者使用命令
iptables -t nat -A PREROUTING -d 192.168.68.132 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.10.253:22
iptables -t nat -A POSTROUTING -s 192.168.68.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.68.132
注意FORWARD
:FORWARD ACCEPT [0:0]
检查sysctl
/etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
重启IPTABLES
/etc/init.d/iptables restart
SHELL脚本
- #!/bin/bash
- modprobe ip_tables
- modprobe iptable_nat
- modprobe ip_nat_ftp
- modprobe ip_conntrack
- modprobe ip_conntrack_ftp
- ipt=/sbin/iptables
- lan=192.168.68.0/24
- lo=127.0.0.1
- $ipt -F
- $ipt -t nat -F
- $ipt -N allow
- $ipt -A allow -j ACCEPT
- ####
- ipt−AINPUT−slo -j allow
- ipt−AINPUT−slan -j allow
- $ipt -A INPUT -p tcp --dport 33308 -j allow
- $ipt -A INPUT -p udp --dport 123 -j allow
- $ipt -A INPUT -p tcp --dport 80 -j allow
- $ipt -A INPUT -p tcp --dport 22 -j allow
- $ipt -A INPUT -p udp --sport 53 -j allow
- ####forward
- echo '1' > /proc/sys/net/ipv4/ip_forward
- $ipt -t nat -A PREROUTING -d 192.168.68.132 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.10.253:22
- $ipt -t nat -A POSTROUTING -s 192.168.68.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.68.132
- ####
- $ipt -A INPUT -j DROP
- /sbin/service iptables save
执行脚本后
重启IPTABLES
/etc/init.d/iptables restart
本文转自 ppabc 51CTO博客,原文链接:http://blog.51cto.com/ppabc/796588
