Configuring the Linux kernel and using iptables for port mapping

  • Host IP: 192.168.1.100
  • Target IP: 192.168.2.101

The requirement is to map requests arriving at the host on 192.168.1.100:11101 to the sshd port of the target machine on the internal network, i.e. 192.168.2.101:22.

Configuring the kernel (2.6.18 as the example)

If running iptables -L produces the following message, the kernel needs to be reconfigured and recompiled:

iptables v1.4.2: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Configuration options:

Networking --->

  Networking options --->

  [*] Network packet filtering (replaces ipchains)  --->

    Core Netfilter Configuration  --->

      <*> Netfilter Xtables support (required for ip_tables)

    IP: Netfilter Configuration --->

      <*> Connection tracking (required for masq/NAT)

      <*> IP tables support (required for filtering/masq/NAT)

      <*>   IP range match support

      <*>   Packet filtering

      <*>     REJECT target support

      <*>   Full NAT

The options above are only what port mapping needs; if you need other functionality, add the relevant options as required.

The steps for compiling and installing the kernel are omitted.

iptables

The iptables rule is as follows:

iptables -t nat -A PREROUTING -p tcp --dport 11101 -d 192.168.1.100 -j DNAT --to-destination 192.168.2.101:22

View the defined iptables rules:

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             192.168.1.100       tcp dpt:11101 to:192.168.2.101:22

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

ip_forward

In addition, IP forwarding must be enabled on the host so that the connection path stays open.

Check whether IP forwarding is already enabled (1 means enabled):

cat /proc/sys/net/ipv4/ip_forward

If it is not enabled, enable it with the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

Saving the settings

The iptables and IP-forwarding settings above are lost after a reboot, so save them if you need them to persist.

Save the iptables settings:

/etc/init.d/iptables save

Make the iptables settings load automatically at boot (Gentoo as the example):

rc-update add iptables default

Save the ip_forward setting (in /etc/sysctl.conf):

net.ipv4.ip_forward = 1

Security risk

After enabling ip_forward, rp_filter (reverse path filter) should generally be enabled as well, so that the source address of each packet is checked.

Without this setting, the host is easily exposed to IP spoofing from the internal network.

Enable rp_filter:

for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

Save the setting (in /etc/sysctl.conf):

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.all.rp_filter = 1

Testing

ssh root@192.168.1.100 -p 11101

Check whether you can now reach host 192.168.2.101 through it.
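As an added example (not from the original post), a POSIX sh script that prints the DNAT rule and audits a system for the three things this post sets up together: the PREROUTING DNAT rule, net.ipv4.ip_forward, and rp_filter on all/default. The addresses and ports are the post's; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit that the port-mapping setup
# described above is complete (DNAT rule present, ip_forward on, rp_filter on).
# Addresses and ports are the post's; the function names are assumptions.
HOST_IP=192.168.1.100;   HOST_PORT=11101
TARGET_IP=192.168.2.101; TARGET_PORT=22

# Print the DNAT rule from the post (printed, not executed, so it can be reviewed).
dnat_rule() {
  printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -d %s -j DNAT --to-destination %s:%s\n' \
    "$HOST_PORT" "$HOST_IP" "$TARGET_IP" "$TARGET_PORT"
}
# Return 0 if the text of `iptables -t nat -L [-n]` ($1) contains the mapping.
has_dnat() {
  hip=$(printf '%s' "$HOST_IP" | sed 's/\./\\./g')     # escape dots for the regex
  tip=$(printf '%s' "$TARGET_IP" | sed 's/\./\\./g')
  printf '%s\n' "$1" | grep -E "^DNAT[[:space:]]+tcp.*[[:space:]]$hip[[:space:]].*dpt:$HOST_PORT[[:space:]]+to:$tip:$TARGET_PORT([[:space:]]|\$)" >/dev/null
}
# Print the value of key $2 from "key = value" lines ($1, e.g. sysctl output).
sysctl_value() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $NF; exit }'
}
# Audit: $1 = nat table listing, $2 = sysctl lines. Prints what is missing; returns 0 if all good.
audit_mapping() {
  rc=0
  has_dnat "$1" || { echo "missing: DNAT $HOST_IP:$HOST_PORT -> $TARGET_IP:$TARGET_PORT"; rc=1; }
  for k in net.ipv4.ip_forward net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter; do
    [ "$(sysctl_value "$2" "$k")" = 1 ] || { echo "missing: $k = 1"; rc=1; }
  done
  return $rc
}
# Live audit of the running system (needs root to read the nat table).
audit_live() {
  audit_mapping "$(iptables -t nat -L -n 2>/dev/null)" \
    "$(sysctl net.ipv4.ip_forward net.ipv4.conf.all.rp_filter net.ipv4.conf.default.rp_filter 2>/dev/null)"
}

# Constructed sample inputs mirroring the listing in the post (iptables -t nat -L -n form).
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            192.168.1.100        tcp dpt:11101 to:192.168.2.101:22'
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1'

audit_mapping "$SAMPLE_NAT" "$SAMPLE_SYSCTL" && echo "port mapping fully configured"
```

Run audit_live as root on the host after applying the settings above; any line starting with "missing:" names a step that was skipped or not persisted across a reboot.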

— EOF —
