
282 - NAT configuration on iptables

Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel.
Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches.
This is called a 'target', which may be a jump to a user-defined chain in the same table.

1. Configure NAT PREROUTING by command.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $srcPortNumber -j REDIRECT --to-ports $dstPortNumber
iptables -t nat -A PREROUTING -i eth0 -p udp --dport $srcPortNumber -j REDIRECT --to-ports $dstPortNumber
iptables -t nat -I PREROUTING --src $SRC_IP_MASK --dst $DST_IP -p tcp --dport $portNumber -j REDIRECT --to-ports $redirectPort

-t, --table :

This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading,
an attempt will be made to load the appropriate module for that table if it is not already there.

nat :

This table is consulted when a packet that creates a new connection is encountered. It consists of three built-ins: PREROUTING
(for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING
(for altering packets as they are about to go out).

-A, --append chain rule-specification :

Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address,
a rule will be added for each possible address combination.

-I, --insert chain [rulenum] rule-specification :

Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain.
This is also the default if no rule number is specified.

-i, --in-interface name :

Name of an interface via which a packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains).
When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface
which begins with this name will match. If this option is omitted, any interface name will match.

-s, --source address[/mask][,...] :

Source specification. Address can be either a network name, a hostname, a network IP address (with /mask), or a plain IP address.
Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query
such as DNS is a really bad idea. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask.
Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is an alias
for this option.

-p, --protocol protocol :

The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, udplite, icmp, esp, ah, sctp or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test.
The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted.

--destination-port,--dport port[:port] :

Destination port or port range specification. The flag --dport is a convenient alias for this option. It is provided by the tcp and udp match extensions,
so the rule must also specify -p tcp or -p udp.

-d, --destination address[/mask][,...] :

Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. The flag --dst is an alias for this option.

-j, --jump target :

This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in),
one of the special builtin targets which decide the fate of the packet immediately, or an extension (see the EXTENSIONS section of the iptables manual page). If this option is omitted
in a rule (and -g is not used), then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.


REDIRECT :

This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains.
It redirects the packet to the machine itself by changing the destination IP to the primary address of the incoming interface (locally-generated packets
are mapped to the 127.0.0.1 address).

--to-ports port[-port] :

This specifies a destination port or range of ports to use: without this, the destination port is never altered. This is only valid if the rule also specifies -p tcp or -p udp.

Example :

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -I PREROUTING --src 0/0 --dst $DST_IP -p tcp --dport 80 -j REDIRECT --to-ports 8080

iptables-save > /etc/sysconfig/iptables  (You should save the change: iptables-save only prints the running ruleset to stdout, so redirect it into the file that is restored at boot, otherwise the rule is lost on reboot.)

2. Check the prerouting

#  iptables -t nat -L -n -v

Chain PREROUTING (policy ACCEPT 1112 packets, 171K bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   104 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080

-L, --list [chain] :
List all rules in the selected chain. If no chain is selected, all chains are listed.
Like every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by

-n, --numeric :
Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program will try to display them as host names,
network names, or services (whenever applicable).

-v, --verbose :
Verbose output. This option makes the list command show the interface name, the rule options (if any), and the TOS masks.

3. Edit iptables file

# vi /etc/sysconfig/iptables

The file is in iptables-save format, so the rule goes into the *nat section (between the "*nat" line and its COMMIT), without the "iptables -t nat" prefix:

-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080

The DNAT variant forwards the traffic to another address instead of the local machine; its argument follows the --to-destination [ipaddr[-ipaddr]][:port[-port]] syntax:

-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination [ipaddr[-ipaddr]][:port[-port]]
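As an added example (not from the original page), the three steps above folded into one POSIX shell script: it applies the page's REDIRECT rule only if `iptables -t nat -C` says it is not already there, so re-running never stacks duplicate PREROUTING rules, and it parses `iptables -t nat -S PREROUTING` output so the redirects in place can be audited. Interface and ports default to the page's eth0, 80 and 8080 via the assumed IFACE/FROM_PORT/TO_PORT variables; applying needs root.

```shell
#!/bin/sh
# Added example, not from the original page. Defaults follow the page: eth0, 80 -> 8080.
IFACE="${IFACE:-eth0}"
FROM_PORT="${FROM_PORT:-80}"
TO_PORT="${TO_PORT:-8080}"

# One place that spells out the rule, so add, check and delete never drift apart.
redirect_spec() {
    echo "PREROUTING -i $1 -p tcp --dport $2 -j REDIRECT --to-ports $3"
}

# -C returns 0 when an identical rule exists; only then do we skip -A, so
# re-running the script does not pile up duplicate PREROUTING rules.
apply_redirect() {
    spec=$(redirect_spec "$IFACE" "$FROM_PORT" "$TO_PORT")
    # $spec is intentionally unquoted: it must split into separate arguments.
    if iptables -t nat -C $spec 2>/dev/null; then
        echo "already present: $spec"
    else
        iptables -t nat -A $spec
    fi
}

# Reads `iptables -t nat -S PREROUTING` output on stdin and prints
# "iface dport to_ports" for every REDIRECT rule (iface "any" when -i is absent).
# Exit status 1 when no REDIRECT rule was found, so it doubles as a check.
list_redirects() {
    awk '
        $1 == "-A" && $2 == "PREROUTING" {
            iface = "any"; dport = "?"; to = "?"; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
                else if ($i == "--to-ports") to = $(i + 1)
            }
            if (target == "REDIRECT") { print iface, dport, to; found++ }
        }
        END { if (!found) exit 1 }'
}

# Apply and then audit only when asked explicitly (needs root): sh redirect.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_redirect
    iptables -t nat -S PREROUTING | list_redirects
fi
```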





Story | by Dr. Radut