DNAT (destination NAT): rewrites the destination IP and port of inbound packets that arrive on a given port to the backend server's IP and port. The target is valid only in the PREROUTING and OUTPUT chains of the nat table (and in user-defined chains called from them); the new address is given with --to-destination.
SNAT (source NAT): rewrites the source address of the outbound packets whose destination is the backend server to the forwarding server's IP address. Unless the forwarder is the backend's default gateway, the backend would otherwise answer the client directly from its own address, and the client would discard that reply because it sent its SYN to the forwarder, not to the backend. Rewriting the source to the forwarder's IP makes the backend answer through the forwarder, where conntrack reverses both translations on the return path.
SNAT is valid only in the nat table's POSTROUTING chain (newer kernels also accept it in INPUT); the new address is given with --to-source. Forwarding to another host additionally requires net.ipv4.ip_forward=1 and a rule in the filter table's FORWARD chain that lets the flow through.
1. In the PREROUTING chain, rewrite the destination of inbound packets for local port 7000 to 172.28.17.220 port 8078 (--to is an unambiguous abbreviation of --to-destination that iptables accepts)
[root@localip hlcc_v11.1104_centos7]# iptables -t nat -A PREROUTING -p tcp --dport 7000 -j DNAT --to 172.28.17.220:8078
[root@localip hlcc_v11.1104_centos7]# iptables -t nat -nL --line
Chain PREROUTING (policy ACCEPT)
num  target  prot opt source     destination
1    DNAT    tcp  --  0.0.0.0/0  172.28.17.230  tcp dpt:7000 to:172.28.17.220:8078

Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination

Chain OUTPUT (policy ACCEPT)
num  target  prot opt source     destination

Chain POSTROUTING (policy ACCEPT)
num  target  prot opt source     destination
[root@localip hlcc_v11.1104_centos7]#
2. In the POSTROUTING chain, rewrite the source address of outbound packets destined for 172.28.17.220 port 8078 to the forwarding server's IP (--to here abbreviates --to-source)
[root@localip hlcc_v11.1104_centos7]# iptables -t nat -A POSTROUTING -d 172.28.17.220 -p tcp --dport 8078 -j SNAT --to 172.28.17.230
[root@localip hlcc_v11.1104_centos7]# iptables -t nat -nL --line
Chain PREROUTING (policy ACCEPT)
num  target  prot opt source     destination
1    DNAT    tcp  --  0.0.0.0/0  172.28.17.230  tcp dpt:7000 to:172.28.17.220:8078

Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination

Chain OUTPUT (policy ACCEPT)
num  target  prot opt source     destination

Chain POSTROUTING (policy ACCEPT)
num  target  prot opt source     destination
1    SNAT    tcp  --  0.0.0.0/0  172.28.17.220  tcp dpt:8078 to:172.28.17.230
[root@localip hlcc_v11.1104_centos7]#
3. Save the rules
iptables-save > /etc/iptable.rule
This only writes the running rule set to a file; nothing reloads it after a reboot. The file has to be replayed with iptables-restore at boot (on CentOS 7 the iptables-services unit does this from /etc/sysconfig/iptables, so saving there and enabling that service is the usual way to persist the rules).
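The three steps above, collected into one script as an added example (this is not the original notes' code). It also handles what the interactive commands leave implicit: enabling IP forwarding, a FORWARD-chain accept for the flow, and a narrower match, since the DNAT rule as typed in step 1 has no -i or -d restriction and so rewrites port 7000 on any address that reaches the forwarder's PREROUTING chain, and the SNAT rule in step 2 rewrites every packet to 172.28.17.220:8078 whether or not the DNAT created it. Assumptions that are mine, not the page's: the inbound interface is eth0, the rules are merged into the live tables with iptables-restore --noflush, and the save path is the one the notes use.

```shell
# Added example, not from the original notes: DNAT + SNAT port forward as a
# script with input validation, conntrack-scoped matches and a FORWARD allow.
# Assumptions (mine): inbound interface eth0, rules merged with
# iptables-restore --noflush, save path taken from the notes.
set -eu

# valid_port PORT: true for an integer in 1..65535, false otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_forward_rules FRONT_IP FRONT_PORT BACK_IP BACK_PORT [IFACE]
# Prints iptables-restore text for FRONT_IP:FRONT_PORT -> BACK_IP:BACK_PORT.
# Compared with the interactive rules in the notes:
#   - DNAT matches only on IFACE and FRONT_IP, not on every local address;
#   - SNAT and the FORWARD accept match only connections this DNAT created
#     (conntrack state DNAT), so other traffic to BACK_IP is left alone;
#   - the filter table gets the FORWARD rules the flow needs when the
#     FORWARD policy is DROP. No chain policy lines are emitted, so loading
#     with --noflush keeps whatever filter rules already exist.
build_forward_rules() {
    local front_ip=$1 front_port=$2 back_ip=$3 back_port=$4 iface=${5:-eth0}
    valid_port "$front_port" && valid_port "$back_port" || {
        echo "build_forward_rules: port out of range" >&2
        return 1
    }
    cat <<EOF
*nat
-A PREROUTING -i $iface -d $front_ip -p tcp --dport $front_port -j DNAT --to-destination $back_ip:$back_port
-A POSTROUTING -d $back_ip -p tcp --dport $back_port -m conntrack --ctstate DNAT -j SNAT --to-source $front_ip
COMMIT
*filter
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $iface -d $back_ip -p tcp --dport $back_port -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# apply_forward_rules FRONT_IP FRONT_PORT BACK_IP BACK_PORT [IFACE] [SAVE_FILE]
# Root only. Enables forwarding, merges the generated rules into the live
# tables and saves the full rule set the way the notes do. The saved file
# still has to be replayed with iptables-restore at boot; this function
# does not set that up.
apply_forward_rules() {
    local save_file=${6:-/etc/iptable.rule}
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_forward_rules "$1" "$2" "$3" "$4" "${5:-eth0}" | iptables-restore --noflush
    iptables-save > "$save_file"
    # Counters on the nat rules show whether a test connection from a client
    # actually hit rule 1 in both PREROUTING and POSTROUTING.
    iptables -t nat -nvL --line-numbers
}
```

Usage: `build_forward_rules 172.28.17.230 7000 172.28.17.220 8078 eth0` prints the rule set for review without touching the kernel; `apply_forward_rules` with the same arguments loads it as root. Checking `iptables -t nat -nvL` after one test connection is the quickest way to confirm both translations fired: the packet counters on the DNAT and SNAT rules should both be non-zero, and a zero SNAT counter with a non-zero DNAT counter means the return path is still going around the forwarder.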