Created January 26, 2022 12:29
Gist: kerus1024/d1807d65bc6904a690becbab78b7f93f
Linux iptables nat port forwarding with nat hairpinning
#!/bin/sh
#
# WARNING:
# PREROUTING is processed before the INPUT chain of the filter table (the table normally used as the firewall),
# so firewall rules there have no effect on the forwarding rules below.
# Use the mangle table or the raw table instead.
#
# Forwarding between interfaces requires net.ipv4.ip_forward=1 on this host.
#
WAN_INTERFACE=eth0
WAN_IPADDRESS=198.51.100.35
WAN_INBOUND_PORT=63389
LAN_NETWORK=192.168.0.0/16
LAN_REAL_IPADDRESS=192.168.201.1
LAN_REAL_SERVER_PROTOCOL=tcp
LAN_REAL_PORT=3389
#
# Port Forwarding
iptables -t nat -A PREROUTING \
    -i $WAN_INTERFACE \
    -p $LAN_REAL_SERVER_PROTOCOL -m $LAN_REAL_SERVER_PROTOCOL --dport $WAN_INBOUND_PORT \
    -j DNAT --to-destination $LAN_REAL_IPADDRESS:$LAN_REAL_PORT
#
# NAT Reflection
# Packets coming from the local network whose destination address is the WAN IP are DNATed as well.
iptables -t nat -A PREROUTING \
    -s $LAN_NETWORK -d $WAN_IPADDRESS \
    -p $LAN_REAL_SERVER_PROTOCOL -m $LAN_REAL_SERVER_PROTOCOL --dport $WAN_INBOUND_PORT \
    -j DNAT --to-destination $LAN_REAL_IPADDRESS:$LAN_REAL_PORT
# MASQUERADE the DNATed packets, rewriting the source address so that they carry the correct source IP.
iptables -t nat -A POSTROUTING \
    -s $LAN_NETWORK -d $LAN_REAL_IPADDRESS \
    -p $LAN_REAL_SERVER_PROTOCOL -m $LAN_REAL_SERVER_PROTOCOL --dport $LAN_REAL_PORT -j MASQUERADE
# FORWARD POLICY
# iptables -A FORWARD ~~
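The script does not explain why the POSTROUTING MASQUERADE rule is needed for the hairpin case, or why it is restricted to `-s $LAN_NETWORK`. The following Python model is an added example, not code from the gist: it follows one TCP SYN from a client through the three nat rules and the server's SYN-ACK back. Addresses and ports are the gist's values; the router's LAN-side address (`ROUTER_LAN_IP`), the LAN interface name `lan0` and the client addresses are constructed for the example, and the real server is assumed to sit on the same LAN segment as LAN clients, so it can answer them without crossing the router.

```python
"""Model of the hairpin-NAT packet path created by the three nat rules above.

Added example, not part of the gist. Only TCP is modelled; conntrack is
reduced to "the router reverses both translations on a reply it sees".
"""
import ipaddress
from dataclasses import dataclass, replace

WAN_INTERFACE = "eth0"
WAN_IPADDRESS = "198.51.100.35"
WAN_INBOUND_PORT = 63389
LAN_NETWORK = ipaddress.ip_network("192.168.0.0/16")
LAN_REAL_IPADDRESS = "192.168.201.1"
LAN_REAL_PORT = 3389
ROUTER_LAN_IP = "192.168.0.1"  # constructed: the address MASQUERADE picks on the LAN interface


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def in_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN_NETWORK


def prerouting(pkt: Packet, in_if: str):
    """nat PREROUTING: returns (translated packet, name of the matching rule or None)."""
    # Rule 1: port forwarding for traffic arriving on the WAN interface.
    if in_if == WAN_INTERFACE and pkt.dport == WAN_INBOUND_PORT:
        return replace(pkt, dst=LAN_REAL_IPADDRESS, dport=LAN_REAL_PORT), "port-forward"
    # Rule 2: NAT reflection for LAN hosts that address the WAN IP.
    if in_lan(pkt.src) and pkt.dst == WAN_IPADDRESS and pkt.dport == WAN_INBOUND_PORT:
        return replace(pkt, dst=LAN_REAL_IPADDRESS, dport=LAN_REAL_PORT), "nat-reflection"
    return pkt, None


def postrouting(pkt: Packet, masquerade: bool) -> Packet:
    """nat POSTROUTING: MASQUERADE only LAN-sourced packets headed to the real server."""
    if masquerade and in_lan(pkt.src) and pkt.dst == LAN_REAL_IPADDRESS and pkt.dport == LAN_REAL_PORT:
        return replace(pkt, src=ROUTER_LAN_IP)  # source port kept unchanged for readability
    return pkt


def simulate(client_ip: str, client_port: int, in_if: str,
             masquerade: bool = True, dport: int = WAN_INBOUND_PORT) -> dict:
    """Follow one SYN from the client through the router and the server's SYN-ACK back."""
    syn = Packet(client_ip, client_port, WAN_IPADDRESS, dport)
    dnated, rule = prerouting(syn, in_if)
    if rule is None:
        return {"forwarded": False, "rule": None}
    to_server = postrouting(dnated, masquerade)

    # The server answers whatever source address it saw.
    reply = Packet(to_server.dst, to_server.dport, to_server.src, to_server.sport)
    if in_lan(reply.dst) and reply.dst != ROUTER_LAN_IP:
        # Destination is on the server's own LAN: delivered directly, the router
        # never sees the reply, so neither translation is reversed.
        reply_path, at_client = "direct", reply
    else:
        # Destination is the router (MASQUERADE case) or off-LAN (internet client):
        # the reply crosses the router, whose conntrack entry reverses both translations.
        reply_path = "via-router"
        at_client = Packet(syn.dst, syn.dport, syn.src, syn.sport)

    # The client only accepts a SYN-ACK matching the 4-tuple it connected to.
    handshake_ok = at_client == Packet(syn.dst, syn.dport, syn.src, syn.sport)
    return {
        "forwarded": True,
        "rule": rule,
        "server_sees_src": to_server.src,
        "reply_path": reply_path,
        "client_sees_reply_from": f"{at_client.src}:{at_client.sport}",
        "handshake_ok": handshake_ok,
    }


if __name__ == "__main__":
    cases = {
        "LAN client, with MASQUERADE": ("192.168.10.20", 40000, "lan0", True),
        "LAN client, without MASQUERADE": ("192.168.10.20", 40000, "lan0", False),
        "Internet client via eth0": ("203.0.113.7", 51000, WAN_INTERFACE, True),
    }
    for name, (ip, port, iface, masq) in cases.items():
        print(name, simulate(ip, port, iface, masq))
```

Without the MASQUERADE rule the server answers the LAN client directly, the client receives a SYN-ACK from `192.168.201.1:3389` for a connection it opened to `198.51.100.35:63389`, and the handshake fails. With it, the reply is forced back through the router, where conntrack restores the original tuple. Because the rule is limited to `-s $LAN_NETWORK`, connections from the internet keep their real source address when they reach the server, which is what you want for the server's logs and any rate limiting or blocking done there; a broader SNAT would hide every client behind the router's address.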