iptables FORWARD and INPUT

I have a home network with Linux PCs, which all had iptables running. I think it is easier to put my LAN behind a Linux gateway/firewall, so I've put a PC (with Fedora, no GUI) between my router and LAN and configured iptables. No problem here, INPUT only allows DNS and HTTP (and some local stuff), forwarding works fine: LAN connects to internet.

But my question is: does FORWARD allow all from the outside, or only the ports I configured with INPUT? Do FORWARD and INPUT work together or are they separate?

This is my iptables:

*nat
:PREROUTING ACCEPT [16:1336]
:INPUT ACCEPT [14:840]
:OUTPUT ACCEPT [30:2116]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o p1p1 -j MASQUERADE
COMMIT
# Completed on Tue Oct 16 09:55:31 2012
# Generated by iptables-save v1.4.14 on Tue Oct 16 09:55:31 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [91:9888]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p UDP --dport 53 -j ACCEPT
-A INPUT -p TCP --dport 53 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp -m multiport --dports 20,21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp -m multiport --dports 20,21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp -m tcp --dport 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp -m tcp --dport 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i p1p1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i p1p1 -p tcp -m multiport --dports 20,21,443 -j DROP
-A INPUT -i p1p1 -p tcp --dport 5000:5100 -j DROP
-A INPUT -i p1p1 -p icmp -m icmp --icmp-type 8 -j DROP
-A FORWARD -s 192.168.2.0/24 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A OUTPUT -j LOG --log-prefix "denied out: "

COMMIT

p1p1 (.1.x) is my external NIC, p3p1 (.2.x) is internal.

RedHat has a great doc about iptables (a little bit long), but the subject to cover is complex and there are so many different use cases that I don't see how to avoid it.

[Figure: iptables kernel routing]

Here is the chapter about FORWARD and NAT Rules. As it states:

For example, if you want to forward incoming HTTP requests to your dedicated Apache HTTP Server at 172.31.0.23, use the following command as the root user:

~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80

Here is what happens:

  • your linux gateway receives a packet from your router. The packet header has:
    • source: xxxx:y (sender IP from the internet & source port used for packet transmission)
    • destination: 192.168.1.1:80 (assuming your linux gateway IP on external NIC, ie p1p1)
  • your linux gateway applies the PREROUTING chain to find a match. Assuming that you have typed what's above, the packet matches the rule and then calls (jumps, -j) to the DNAT function (Destination Network Address Translation), which changes the destination of the packet header from the initial 192.168.1.1:80 to 172.31.0.23:80.
  • then, the packet arrives at the Routing Decision. The packet destination is now 172.31.0.23:80.
    • Your linux gateway asks itself: Is it for me (192.168.1.1:80)? No, so I won't send it to the INPUT chain.
    • => I'll send it to the FORWARD chain.
  • since you have set the rules to FORWARD all on your local network (table filter, chain FORWARD), the packet should be forwarded correctly to your local Apache HTTP Server (for example).

Hope it'll help to understand a little bit more how internal routing works with iptables.

INPUT, FORWARD, and OUTPUT are separate. A packet will only hit one of the three chains.

If the destination is to this server, it hits the INPUT chain. If its source is from this server, it hits OUTPUT. If its source and destination are both other machines (it's being routed through the server) then it hits the FORWARD chain.
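Both answers make the same point: after the routing decision a packet is handed to exactly one of INPUT, FORWARD or OUTPUT, so the INPUT rules in the question never apply to traffic passing through the gateway. The Python below is an added example, written for this page and not taken from either answer, from iptables, or from the Red Hat document; it is a small model of that traversal, not the real netfilter code. It assumes the addressing stated in the question (p1p1 on 192.168.1.0/24, p3p1 on 192.168.2.0/24, the gateway holding .1 on each), an assumed LAN web server at 192.168.2.23 in place of the document's 172.31.0.23, and a constructed external address 203.0.113.5. It runs the question's own INPUT and FORWARD rules against a few packets, and next to them a stateful FORWARD chain that is not on the page.

```python
"""Toy model of the path a packet takes through iptables on the gateway from the
question: nat PREROUTING -> routing decision -> filter INPUT (addressed to the
gateway) or filter FORWARD (routed through it).  Added example, not iptables:
mangle, OUTPUT, POSTROUTING and most match options are left out."""
from __future__ import annotations
from dataclasses import dataclass, replace
import ipaddress

# Assumed from the question: p1p1 is the external NIC on 192.168.1.0/24, p3p1 the
# internal NIC on 192.168.2.0/24, and the gateway holds .1 on each (assumption).
LOCAL_ADDRS = {"192.168.1.1", "192.168.2.1", "127.0.0.1"}
ROUTES = [("192.168.2.0/24", "p3p1"), ("192.168.1.0/24", "p1p1"), ("0.0.0.0/0", "p1p1")]

@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int
    state: str = "NEW"    # conntrack state: NEW, ESTABLISHED or RELATED
    out_iface: str = ""   # filled in by the routing decision

@dataclass(frozen=True)
class Rule:
    target: str                            # ACCEPT, DROP or DNAT
    in_iface: str | None = None            # -i
    out_iface: str | None = None           # -o
    src: str | None = None                 # -s CIDR
    dst: str | None = None                 # -d CIDR
    proto: str | None = None               # -p
    dports: object = None                  # --dport/--dports: container of ints
    states: tuple[str, ...] | None = None  # -m state --state
    to: str | None = None                  # DNAT --to ip:port

    def matches(self, p: Packet) -> bool:
        def in_net(addr, net):
            return ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return all((self.in_iface is None or p.in_iface == self.in_iface,
                    self.out_iface is None or p.out_iface == self.out_iface,
                    self.src is None or in_net(p.src, self.src),
                    self.dst is None or in_net(p.dst, self.dst),
                    self.proto is None or p.proto == self.proto,
                    self.dports is None or p.dport in self.dports,
                    self.states is None or p.state in self.states))

def first_match(rules: list[Rule], p: Packet) -> Rule | None:
    return next((r for r in rules if r.matches(p)), None)

def route(dst: str) -> str:
    return next(i for net, i in ROUTES if ipaddress.ip_address(dst) in ipaddress.ip_network(net))

def traverse(tables: dict, p: Packet) -> tuple[str, str, Packet]:
    """Return (chain consulted, verdict, packet as that chain saw it)."""
    # 1. nat PREROUTING: evaluated for the first packet of a connection only;
    #    conntrack then applies the same mapping to the rest of the flow.
    if p.state == "NEW":
        r = first_match(tables["nat_PREROUTING"], p)
        if r is not None and r.target == "DNAT":
            ip, port = r.to.split(":")
            p = replace(p, dst=ip, dport=int(port))
    # 2. routing decision: local destination -> INPUT, anything else -> FORWARD.
    if p.dst in LOCAL_ADDRS:
        chain = "INPUT"
    else:
        chain, p = "FORWARD", replace(p, out_iface=route(p.dst))
    # 3. filter chain: first matching rule decides, otherwise the chain policy.
    r = first_match(tables[chain], p)
    return chain, (r.target if r is not None else tables["policy"][chain]), p

def verdict(tables: dict, p: Packet) -> str:
    chain, v, _ = traverse(tables, p)
    return f"{chain}:{v}"

LAN, WAN = "192.168.2.0/24", "192.168.1.0/24"
EST, NEW_EST = ("ESTABLISHED", "RELATED"), ("NEW", "ESTABLISHED")
# The rules from the question's iptables-save output that these packets can reach.
QUESTION = {
    "policy": {"INPUT": "DROP", "FORWARD": "DROP"}, "nat_PREROUTING": [],
    "INPUT": [Rule("ACCEPT", in_iface="lo"), Rule("ACCEPT", states=EST),
              Rule("ACCEPT", proto="udp", dports=(53,)), Rule("ACCEPT", proto="tcp", dports=(53,)),
              Rule("ACCEPT", in_iface="p1p1", proto="tcp", dports=(80,), states=NEW_EST),
              Rule("ACCEPT", src=LAN, in_iface="p3p1", proto="tcp", dports=(22,), states=NEW_EST),
              Rule("ACCEPT", src=WAN, in_iface="p1p1", proto="tcp", dports=(22,), states=NEW_EST)],
    "FORWARD": [Rule("ACCEPT", src=LAN), Rule("ACCEPT", dst=LAN)],
}
# The Red Hat DNAT rule quoted in the first answer, pointed at an assumed LAN web
# server 192.168.2.23 instead of the document's 172.31.0.23.
DNAT_80 = Rule("DNAT", in_iface="p1p1", proto="tcp", dports=(80,), to="192.168.2.23:80")
QUESTION_DNAT = dict(QUESTION, nat_PREROUTING=[DNAT_80])
# A stateful FORWARD chain (added here, not on the page): LAN may open connections
# outwards, replies come back, and only the DNAT'd port 80 is let in from p1p1.
HARDENED = dict(QUESTION_DNAT, FORWARD=[
    Rule("ACCEPT", states=EST), Rule("ACCEPT", in_iface="p3p1", out_iface="p1p1"),
    Rule("ACCEPT", in_iface="p1p1", out_iface="p3p1", dst="192.168.2.23/32",
         proto="tcp", dports=(80,), states=("NEW",))])

if __name__ == "__main__":  # 203.0.113.5 is a constructed external address
    print(verdict(QUESTION, Packet("p1p1", "203.0.113.5", "192.168.2.10", "tcp", 22)))
    print(verdict(HARDENED, Packet("p1p1", "203.0.113.5", "192.168.2.10", "tcp", 22)))
```

Running it shows the answer to the question in the verdicts: a SYN to port 22 on the gateway itself arriving on p1p1 from outside is decided by INPUT (and dropped, since that rule only accepts 192.168.1.0/24 sources), while the same SYN addressed to a LAN host is decided by FORWARD alone, where the question's `-A FORWARD -d 192.168.2.0/24 -j ACCEPT` accepts it without any state check; the INPUT rule for port 22 is never consulted. With the stateful FORWARD chain the same packet is dropped and only LAN-initiated flows, their replies, and the DNAT'd port 80 get through. Whether such a packet can reach the gateway at all depends on what upstream routes to it, which this model does not represent.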
