4种过滤规则:invalid established new related
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -j ACCEPT
1、禁用连接追踪(禁用连接追踪,不能使用NAT模块)
iptables -t raw -A PREROUTING -p tcp -j NOTRACK
iptables -t raw -A OUTPUT -p tcp -j NOTRACK
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -j ACCEPT
2、设置连接追踪的数量
image.png
image.png
image.png
3、不要禁用icmp,使用部分禁用
image.png
4、源地址转换
sysctl -w net.ipv4.ip_forward=1
iptables -t filter -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to ip
image.png
image.png
5、目的地址转换
iptables -t nat -A PREROUTING -d ip -p tcp -m tcp --dport 1521 -j DNAT --to-destination xx:1521
iptables -t nat -A POSTROUTING -d ip -p tcp -m tcp --dport 1521 -j SNAT --to-source ip
image.png
6\ netfilter:A:prerouting ->input-output/forward->postrouting
nat:prerouting - forward -postrouting
not nat:prerouting -input -output-postrouting
table:raw,mangle,nat,filter
image.png
image.png
image.png
image.png
MTU:最大传输单元
image.png
网友评论