Linux iptables

开通ip转发设置
vi /etc/sysctl.conf
将net.ipv4.ip_forward=0更改为net.ipv4.ip_forward=1
或
# echo 1 > /proc/sys/net/ipv4/ip_forward 

手动设置转发命令
iptables -t nat -A PREROUTING -d 192.168.116.128 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.116.130:80
#将访问本机（116.128）的80端口映射至116.130的80端口上
#如果端口是在本转之间转发，以下的命令可以忽略
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.116.128
iptables -A FORWARD -s 192.168.116.130/255.255.255.0 -j ACCEPT


常用iptables命令
查看
iptables -L --line-number
iptables -t nat -L --line-number
删除
iptables -D INPUT ${line-number}(如不写line number,则会默认为1)
iptables -t nat -D PREROUTING ${line-number}(如不写line number,则会默认为1)

/etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.168.116.128/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.116.130:80 #将访问本机（116.128）的80端口映射至116.130的80端口上
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.116.128#与上面配使用，此为回路配置
COMMIT
# Completed on Thu Aug 11 05:48:11 2016
# Generated by iptables-save v1.4.7 on Thu Aug 11 05:48:11 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#只允许38.100进行ping
-A INPUT -s 192.168.38.100 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -s 192.168.38.100 -p icmp -m icmp --icmp-type 8 -j ACCEPT
#禁ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 0 -j DROP

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#允许22端口
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#允许80端口
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#只允许211.123.16.0/24网段访问99端口
-A INPUT -s 211.123.16.0/24 -p tcp -m tcp --dport 99 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -s 192.168.116.130/255.255.255.0 -j ACCEPT #与上面的端口映身配合使用如果你有下面一行代码的话，如没有可去除本行代码.
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT