Iptables provides five tables (filter, nat, mangle, security, raw), but the most commonly used are the filter table and the nat table. Tables are organized as chains, and there are five predefined chains: PREROUTING, POSTROUTING, INPUT, FORWARD, and OUTPUT. The filter table is also essential, but it is mainly used for firewalls, so we do not discuss it here. The nat table is used for network address translation, and it is available in the PREROUTING, POSTROUTING, and OUTPUT chains.

Below is the general diagram of the nat table in iptables.

An incoming packet goes through the PREROUTING chain, and then the kernel makes the routing decision based on the routing table. If the packet is destined for the machine itself, it is delivered to a local process listening on the machine. If it is destined for another machine (so this machine serves as a router), the kernel puts it through the POSTROUTING chain and then sends it out of an output interface.

A packet generated by a local process is routed first and then put into the OUTPUT chain. The reroute check step is a little complicated, so we will explain it afterwards. The packet then goes through POSTROUTING and on to an output interface.

In this article, we will continue to use the home network setup below.

You might find it hard to experiment with what I describe in this article, since your router might not have iptables. You need more advanced router firmware to use iptables, like OpenWrt or ASUS-Merlin. Don't worry: in the article Network Namespaces and Docker, you will learn how to simulate this setup on your Linux machine.

To access the Internet from the two computers in the local network, the following SNAT (S stands for source) rule has to be added to the router:

Here -t stands for table, -A for append, -s for source, -o for output interface and -j for jump. This rule replaces the source address of any IP packet going to the Internet through interface eth0 whose source address is in our local subnet with 50.60.70.80, the public IP address of the router. For any response packet, the reverse operation, which sets the destination address back to the private address of the connecting device (e.g., 192.168.1.2), is applied automatically, so we do not need to configure it. The network address translation process works like the diagram below.

Note that SNAT rules have to be configured in the POSTROUTING chain. Sometimes this requirement is reasonable. For example, in our case the matching condition includes the output interface (eth0), so the rule can only be evaluated once the routing decision has been made. But sometimes we do not match against output interfaces, and it is still a requirement that SNAT can only be used in the POSTROUTING chain.

However, our router may be allocated a dynamic address by DHCP instead of being configured with a static one. In this case, we could use the MASQUERADE target, which is similar to SNAT except that we do not need to specify a --to-source address. Instead, the IP address of the output interface (here, eth0) is used automatically.

```
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.2:80
```
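The nat table walk described in this article, as an added Python simulation that is not code from the original article: it models PREROUTING DNAT, the routing decision, POSTROUTING SNAT or MASQUERADE, and the conntrack entry that un-NATs reply packets without any reverse rule. The LAN prefix 192.168.1.0/24, the inside interface name lan0 and the sample remote addresses are assumptions; the DNAT rule and the SNAT address 50.60.70.80 are the article's own.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology following the article: a LAN behind a router whose eth0 carries the
# public address 50.60.70.80. The LAN prefix 192.168.1.0/24 and the inside interface name
# "lan0" are assumptions; the article only names individual hosts such as 192.168.1.2.
LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def route(pkt):
    """Routing decision taken after PREROUTING: LAN targets leave via lan0, the rest via eth0."""
    return "lan0" if ipaddress.ip_address(pkt.dst) in LAN else "eth0"


class NatRouter:
    def __init__(self, eth0_addr="50.60.70.80", masquerade=False):
        self.eth0_addr = eth0_addr    # address currently on eth0 (static, or whatever DHCP gave us)
        self.masquerade = masquerade  # True: -j MASQUERADE instead of -j SNAT --to-source
        self.conntrack = {}           # expected reply 4-tuple -> original (pre-NAT) packet

    def forward(self, pkt):
        """Push one packet through PREROUTING -> routing -> POSTROUTING; returns (packet, out_iface)."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            # Reply of a tracked connection: the NAT is undone from the conntrack entry and the
            # nat table rules are not consulted again, which is why no reverse rule is needed.
            orig = self.conntrack[key]
            pkt = Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)
            return pkt, route(pkt)
        orig = pkt
        # PREROUTING: iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.2:80
        # As in the article, the rule has no -i or -d match, so any packet to port 8080 is redirected.
        if pkt.dport == 8080:
            pkt = replace(pkt, dst="192.168.1.2", dport=80)
        out = route(pkt)  # only now is the output interface known, hence SNAT lives in POSTROUTING
        # POSTROUTING: -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 50.60.70.80, or -j MASQUERADE
        if out == "eth0" and ipaddress.ip_address(pkt.src) in LAN:
            pkt = replace(pkt, src=self.eth0_addr if self.masquerade else "50.60.70.80")
        # Record what the reply will look like so it can be mapped back to the original flow.
        self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = orig
        return pkt, out
```

Constructing `NatRouter(eth0_addr=<new DHCP address>)` with `masquerade=False` shows the stale-address problem the article raises: SNAT keeps stamping 50.60.70.80 while MASQUERADE follows the interface.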