iptables:复制/转发端口
问题描述:
我试图从阻塞此端口的网络连接到MySQL(端口3306)。但还有另一个端口110打开,我可以使用这种情况。我为其他应用程序使用MySQL,所以我不能只是简单地更改端口。iptables:复制/转发端口
我现在试图通过iptables设置端口转发。准确地说,我想在没有阻止3306的情况下将110转发到3306.
我花了很多时间使用Google搜索,但是我无法正常工作。我也有点担心把我锁起来。你能给我一个提示吗?
非常感谢!
#~ iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `INPUT INVALID '
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP all -- anywhere anywhere state INVALID
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
MY_DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:www
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssmtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:nntp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:mysql
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ntp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:6060
MY_REJECT all -- anywhere anywhere
MY_REJECT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `OUTPUT INVALID '
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-request
MY_REJECT all -- anywhere anywhere
Chain MY_DROP (7 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `PORTSCAN DROP '
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `PORTSCAN DROP '
DROP all -- anywhere anywhere
Chain MY_REJECT (3 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `REJECT TCP '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
LOG tcp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `REJECT TCP '
LOG udp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `REJECT UDP '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
LOG udp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `REJECT UDP '
DROP icmp -- anywhere anywhere
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `REJECT OTHER '
LOG icmp -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `DROP ICMP '
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
DROP icmp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 2/sec burst 5 LOG level warning prefix `REJECT OTHER '
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
答
这可能工作,没有测试过它。
iptables -t nat -A PREROUTING -p tcp --dport 110 -j REDIRECT --to-port 3306
答
当转发上使用iptables Ubuntu的端口,你必须:
- 使你的防火墙设置的备份
sudo iptables-save > iptables.backup
- 确保入境口岸是打开
sudo ufw allow 110/tcp
- 在防火墙中添加PREROUTING规则
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j REDIRECT --to-port 3306
注意使用-i eth0
。这将网络eth0上的端口110路由到3306。要检查机器的所有连接,请使用ifconfig
。
如果您的机器连接到多个网络,则必须使用-i <network>
或它不起作用!
- 如果你陷入困境的东西了,你可以清洁NAT路由表
sudo iptables -F -t nat
或恢复iptables的
sudo iptables-restore < iptables.backup
谢谢!这工作! – marekventur 2011-05-23 16:41:39