Linux iptables FORWARD and INPUT
Note: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must likewise follow the CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow
Original address: http://stackoverflow.com/questions/12945233/
Warning: these are provided under the cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverFlow
iptables FORWARD and INPUT
Asked by
I have a home network with Linux PCs, which all had iptables running. I think it is easier to put my LAN behind a Linux gateway/firewall, so I've put a PC (with Fedora, no GUI) between my router and LAN and configured iptables. No problem here, INPUT only allows DNS and HTTP (and some local stuff), forwarding works fine: LAN connects to the internet.
But my question is: does FORWARD allows all from the outside, or only the ports I configured with INPUT? Do FORWARD and INPUT work together or are they separate?
This is my iptables:
*nat
:PREROUTING ACCEPT [16:1336]
:INPUT ACCEPT [14:840]
:OUTPUT ACCEPT [30:2116]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o p1p1 -j MASQUERADE
COMMIT
# Completed on Tue Oct 16 09:55:31 2012
# Generated by iptables-save v1.4.14 on Tue Oct 16 09:55:31 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [91:9888]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p UDP --dport 53 -j ACCEPT
-A INPUT -p TCP --dport 53 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp -m multiport --dports 20,21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp -m multiport --dports 20,21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp -m tcp --dport 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp -m tcp --dport 5000:5100 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i p1p1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.2.0/24 -i p3p1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i p1p1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i p1p1 -p tcp -m multiport --dports 20,21,443 -j DROP
-A INPUT -i p1p1 -p tcp --dport 5000:5100 -j DROP
-A INPUT -i p1p1 -p icmp -m icmp --icmp-type 8 -j DROP
-A FORWARD -s 192.168.2.0/24 -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A OUTPUT -j LOG --log-prefix "denied out: "
COMMIT
p1p1 (.1.x) is my external nic, p3p1 (.2.x) is internal.
Answered by John Kugelman
INPUT, FORWARD, and OUTPUT are separate. A packet will only hit one of the three chains.
If the destination is to this server, it hits the INPUT chain. If its source is from this server, it hits OUTPUT. If its source and destination are both other machines (it's being routed through the server) then it hits the FORWARD chain.
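The following shell script is an added example, not code from the StackOverflow thread. It models the routing decision described in the answer above (destination is the gateway: INPUT; source is the gateway: OUTPUT; otherwise FORWARD), which is why the asker's INPUT rules never apply to routed traffic, and it prints a FORWARD chain that, unlike the question's `-A FORWARD -d 192.168.2.0/24 -j ACCEPT`, only admits connections opened from the LAN plus their conntrack-tracked replies. The interface names p1p1/p3p1 and the 192.168.1.0/24 and 192.168.2.0/24 networks come from the question; the gateway's own addresses (GW_EXT, GW_INT) are assumed.

```shell
#!/bin/sh
# Added example, not code from the StackOverflow thread.
# Models which filter chain a packet traverses and emits a FORWARD chain that
# only lets the LAN (p3p1, 192.168.2.0/24) initiate connections outward.

GW_EXT=192.168.1.1   # assumed address of the external NIC p1p1 (not in the question)
GW_INT=192.168.2.1   # assumed address of the internal NIC p3p1 (not in the question)

# is_local_addr IP: true when IP belongs to the gateway itself.
is_local_addr() {
    [ "$1" = "$GW_EXT" ] || [ "$1" = "$GW_INT" ]
}

# chain_for SRC_IP DST_IP: print the filter chain the packet traverses.
# Addressed to the gateway -> INPUT; sent by the gateway -> OUTPUT;
# anything else is routed through the box -> FORWARD. INPUT rules are
# never consulted for routed traffic.
chain_for() {
    if is_local_addr "$2"; then
        echo INPUT
    elif is_local_addr "$1"; then
        echo OUTPUT
    else
        echo FORWARD
    fi
}

# forward_ruleset: print an iptables-restore fragment for the filter table in
# which routed traffic must be initiated from the LAN side; packets from the
# internet are only admitted as replies (ESTABLISHED/RELATED), never as NEW.
forward_ruleset() {
    cat <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -i p3p1 -o p1p1 -s 192.168.2.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i p1p1 -o p3p1 -d 192.168.2.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "forward denied: " --log-level 7
COMMIT
EOF
}

# forward_allows_new_from_outside: reads a saved ruleset on stdin and succeeds
# (exit 0) if some FORWARD ACCEPT rule for traffic into the LAN does not
# require an ESTABLISHED/RELATED state, i.e. unsolicited routed packets
# would be let through. A quick lint for rulesets like the question's.
forward_allows_new_from_outside() {
    grep -- '-A FORWARD' | grep -- '-j ACCEPT' | grep -- '-d 192.168.2.0/24' \
        | grep -v -- 'ESTABLISHED' | grep -q .
}

# Demonstration when run directly.
chain_for 203.0.113.5 192.168.1.1      # INPUT
chain_for 203.0.113.5 192.168.2.10     # FORWARD
if forward_ruleset | forward_allows_new_from_outside; then
    echo "FORWARD admits unsolicited traffic into the LAN"
else
    echo "FORWARD only admits LAN-initiated traffic and replies"
fi
```

Feeding the question's own `-A FORWARD -d 192.168.2.0/24 -j ACCEPT` line into `forward_allows_new_from_outside` succeeds, which is the concrete answer to "does FORWARD allow all from the outside": that rule accepts any packet routed toward the LAN, whatever the INPUT chain says. Whether such packets can reach the gateway at all depends on the upstream router having a route for 192.168.2.0/24, so the state-based rules above are the safer default regardless.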
Answered by Samuel Phan
RedHat has a great doc about iptables(a little bit long), but the subject to cover is complex and there are so many different use cases that I don't see how to avoid it.
Here is the chapter about FORWARD and NAT Rules. As it states:
For example, if you want to forward incoming HTTP requests to your dedicated Apache HTTP Server at 172.31.0.23, use the following command as the root user:
~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80
Here is what happens:
- your linux gateway receives a packet from your router. The packet header has:
  - source: x.x.x.x:y (sender IP from the internet & source port used for packet transmission)
  - destination: 192.168.1.1:80 (assuming your linux gateway IP on external NIC, i.e. p1p1)
- your linux gateway applies the PREROUTING chain to find a match. Assuming that you have typed what's above, the packet matches the rule and then calls (jumps, -j) to the DNAT function (Destination Network Address Translation) which changes the destination of the packet header from the initial 192.168.1.1:80 to 172.31.0.23:80.
- then, the packet arrives to the Routing Decision. The packet destination is now 172.31.0.23:80.
- Your linux gateway asks itself: Is it for me (192.168.1.1:80)? No, so I won't send it to the INPUT chain. => I'll send it to the FORWARD chain.
- since you have set the rules to FORWARD all on your local network (table filter, chain FORWARD), the packet should be forwarded correctly to your local Apache HTTP Server (for example).
Hope it'll help to understand a little bit more how internal routing works with iptables.
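The following shell script is an added example, not code from the StackOverflow thread or the Red Hat guide. It replays the packet walk in the answer above: the nat/PREROUTING DNAT rule rewrites the destination first, and the routing decision then chooses INPUT or FORWARD based on the rewritten destination. It also prints the filter/FORWARD rule that a DROP-policy FORWARD chain (as in the question) needs for the port-forward to work, since the DNAT rule only rewrites the header. The addresses 192.168.1.1 (gateway on p1p1) and 172.31.0.23 (web server) are taken from the answer; the interface name p1p1 is used in place of the guide's eth0 to match the question.

```shell
#!/bin/sh
# Added example, not code from the thread or the Red Hat guide.
# Simulates PREROUTING DNAT followed by the routing decision, and prints
# the nat + filter rules a working HTTP port-forward needs.

GW_EXT=192.168.1.1   # gateway address on p1p1, as assumed in the answer
WEB=172.31.0.23      # internal Apache server, from the answer

# prerouting_dnat DST_IP DST_PORT: apply the answer's single DNAT rule
# (tcp dport 80 arriving on p1p1 -> 172.31.0.23:80) and print the
# resulting destination as IP:PORT. Non-matching packets are unchanged.
prerouting_dnat() {
    if [ "$1" = "$GW_EXT" ] && [ "$2" = 80 ]; then
        echo "$WEB:80"
    else
        echo "$1:$2"
    fi
}

# walk DST_IP DST_PORT: print "DST CHAIN" for a packet arriving on p1p1.
# PREROUTING runs first, the routing decision second, so the chain is
# chosen from the post-DNAT destination, exactly as the answer lists.
walk() {
    dst=$(prerouting_dnat "$1" "$2")
    ip=${dst%%:*}
    if [ "$ip" = "$GW_EXT" ]; then
        echo "$dst INPUT"
    else
        echo "$dst FORWARD"
    fi
}

# port_forward_ruleset: both halves of a port-forward as iptables-restore
# input. The FORWARD rule matches the *post-DNAT* destination; with a DROP
# policy and no such rule the rewritten packet is silently dropped.
port_forward_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i p1p1 -p tcp --dport 80 -j DNAT --to-destination 172.31.0.23:80
-A POSTROUTING -o p1p1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
# Inbound half: destination is already 172.31.0.23 when FORWARD is evaluated.
-A FORWARD -i p1p1 -p tcp -d 172.31.0.23 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Reply half: the server's replies still carry source 172.31.0.23 in FORWARD.
-A FORWARD -o p1p1 -s 172.31.0.23 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Demonstration when run directly.
walk 192.168.1.1 80    # 172.31.0.23:80 FORWARD
walk 192.168.1.1 22    # 192.168.1.1:22 INPUT
```

Port 22 to the gateway is untouched by PREROUTING and lands in INPUT, where the question's SSH rules apply; port 80 is rewritten and lands in FORWARD, where only FORWARD rules apply. That is the same separation John Kugelman describes, with NAT deciding which chain a given packet ends up in.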