Forwarding Ports with iptables
There are situations in which network activity directed at one computer should be handled by another computer, or possibly by another port on the same computer. For these tasks, iptables lets you implement port forwarding, which rewrites the destination of incoming traffic so that the kernel delivers it to another computer (or another port) instead of the one the client addressed.
When to Forward Ports
Port forwarding can be an extremely useful tool in certain situations, including the following:

- You move a server from one computer to another, but your DNS entries have not yet been properly updated. Forwarding the port on the old system lets clients that still resolve the old address reach the new server until DNS catches up. You can also use port forwarding to make such a change temporarily.

- You want a server to respond to multiple ports on a single computer. You can set up the system to forward one port to another on the same system. Some servers can listen directly on multiple ports, though, which is often a simpler approach.

- You want to run an externally accessible server within a NAT-protected network. You can set up the NAT router to forward traffic directed at one of its external ports to an internal system.

This last possibility is a particularly common one when running NAT. Note that this behavior degrades the security advantages of NAT, because you're effectively exposing an internal system (or at least, one of its ports) to the outside: anything that can be done to that service from the Internet can now be done to a host inside your network. You can also run only one internal server of a given type on its usual port in this way, at least with the IP masquerading form of NAT, because a given port on a single external address can be forwarded to only one place. (If your NAT router has two external addresses, you can forward the same port on each address to a different internal system.) If you want to make two internal servers of the same type (such as two Web servers) available to the outside, you'll have to run one on a nonstandard port or obtain another external IP address.
Setting iptables Port Forwarding Options
There are several different ways to enable port forwarding on a Linux system that provides NAT functions. One is to do it with iptables, using its NAT functionality. To do so, you can type a command similar to the following:

# iptables -t nat -A PREROUTING -p tcp -i external-interface \
    --destination-port port-num -j DNAT --to dest-addr:port-num

Important features of this command include:

- The command manipulates the NAT table (-t nat).

- The -A PREROUTING parameter specifies that the change is made to packets before the routing decision. Source NAT (SNAT and masquerading) is done in the POSTROUTING chain, after routing, but destination NAT must happen before routing: the kernel has to make its routing decision on the rewritten destination address, or the packet would be delivered locally instead of being sent on to the internal system.

- The command forwards TCP ports (-p tcp). Use -p udp for a UDP service, and add a second rule if a service uses both protocols.

- The rule applies to packets arriving on the system's external network interface (-i external-interface) and addressed to the specified port (--destination-port port-num; --dport is an accepted abbreviation).

- The -j DNAT parameter tells the system that it's performing NAT on the destination (DNAT) rather than the source (SNAT) address.

- The final parameter, --to dest-addr:port-num, specifies that the packets should be directed to port port-num on dest-addr. (--to is a shortened form of --to-destination, which is the spelling current iptables documentation uses.) For instance, dest-addr might be 192.168.9.33 and port-num might be 80. Note that the port-num used with --to need not be the same as the port-num used with --destination-port.

You can enter several port forwarding commands, as many as necessary to forward any ports that handle servers you want to run internally. Three further conditions must hold for the forwarded traffic to actually flow: IP forwarding must be enabled in the kernel (net.ipv4.ip_forward set to 1); the FORWARD chain must accept the rewritten packets, because a DNAT rule only changes the address and does not bypass your filter rules; and the internal server's replies must pass back through the NAT system (normally because it is the server's default gateway), so that the connection tracking code can undo the translation. As with the basic NAT or firewall configuration, you can create entries in a startup script to run these commands whenever your system starts. You can then leave the configuration alone.

NOTE

There are other tools that can provide port
forwarding functionality. In particular, the xinetd super server
includes port forwarding features. Because xinetd is a user-space
program, though, it's less efficient at port forwarding than is the kernel as
configured through iptables .
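The following script is an added example, not code from the original text: it generates the complete rule set for forwarding one external port to an internal server, including the IP-forwarding setting and FORWARD-chain rule that a bare DNAT command leaves out, validates the port and address arguments before they reach iptables, and prints the rules (the default) or applies them. The interface name eth0 and the address 192.168.9.33 at the bottom are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original text): build and optionally apply the
# rules for one iptables DNAT port forward. eth0 and 192.168.9.33 below are
# assumed values. Run with DRY_RUN= (empty) as root to apply the rules.

# Accept a TCP/UDP port number 1-65535: digits only, at most five of them.
valid_port() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                   # split on dots into positional parameters
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Rules every DNAT setup needs once, however many ports are forwarded.
# Argument: external interface.
base_rules() {
    ext_if=$1
    # Without this the kernel drops forwarded packets no matter what iptables says.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Replies and related packets in both directions; conntrack undoes the DNAT.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The usual masquerading rule for traffic leaving the internal network.
    echo "iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE"
}

# Rules for one forwarded port.
# Arguments: proto ext_if ext_port int_addr int_port
forward_rules() {
    proto=$1 ext_if=$2 ext_port=$3 int_addr=$4 int_port=$5
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    valid_port "$ext_port" && valid_port "$int_port" ||
        { echo "bad port: $ext_port/$int_port" >&2; return 1; }
    valid_ipv4 "$int_addr" || { echo "bad address: $int_addr" >&2; return 1; }
    # 1. Rewrite the destination before routing so the packet is routed inward.
    echo "iptables -t nat -A PREROUTING -i $ext_if -p $proto --dport $ext_port -j DNAT --to-destination $int_addr:$int_port"
    # 2. DNAT only rewrites; the FORWARD chain must still accept the new connection.
    echo "iptables -A FORWARD -i $ext_if -p $proto -d $int_addr --dport $int_port -m conntrack --ctstate NEW -j ACCEPT"
}

# Read generated rules on stdin; print them when DRY_RUN is non-empty, else run them.
apply_rules() {
    while IFS= read -r cmd; do
        if [ -n "$DRY_RUN" ]; then
            echo "$cmd"
        else
            $cmd || { echo "failed: $cmd" >&2; return 1; }
        fi
    done
}

# Check that the rules are in place and watch the packet counters climb.
show_rules() {
    iptables -t nat -L PREROUTING -n -v --line-numbers
    iptables -L FORWARD -n -v --line-numbers
}

# Assumed example: external TCP 8080 on eth0 goes to a Web server at 192.168.9.33:80.
DRY_RUN=${DRY_RUN-1}
{ base_rules eth0; forward_rules tcp eth0 8080 192.168.9.33 80; } | apply_rules
```

The validation matters because these values usually come from a configuration file or script arguments, and an unchecked string is passed straight to a root-privileged iptables. After applying the rules for real, show_rules lets you confirm that the PREROUTING counter for the DNAT rule increases when a client connects; a DNAT counter that rises while the FORWARD counter stays at zero is the classic sign that the filter chain, not the NAT rule, is dropping the traffic.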