欲将网卡 tun0 的流量转发到网卡 eth0, 那么我们可以设置 iptables 的 nat 转发。
设置 iptables
设置 nat 转发
将来自 10.8.0.0/24 网段的流量转发到 eth0 中,插入 nat 表的 POSTROUTING chain 中,
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
设置 FORWARD
允许从 tun0 网卡到 eth0 的转发,允许到 tun0 的转发,插入到 filter 表的 FORWARD chain 中。
iptables -I FORWARD 1 -i tun0 -o eth0 -j ACCEPT
iptables -I FORWARD 1 -i eth0 -o tun0 -j ACCEPT
查看 iptables 设置
查看 FORWARD
iptables -vL FORWARD --line-numbers
查看 POSTROUTING
iptables -t nat -vnL POSTROUTING --line-numbers
附录:iptables 用法参考
Targets
iptables 内置 4 个可选 targets,扩展模块可以提供其他。(内容摘自《Linux iptables Pocket Reference》by Gregor N. Purdy. Copyright © 2004)
| Target | Description |
|---|---|
| ACCEPT | Let the packet through to the next stage of processing. Stop traversing the current chain, and start at the next stage shown in Figures 1 through 3 (and Tables 4 through 7). |
| DROP | Discontinue processing the packet completely. Do not check it against any other rules, chains, or tables. If you want to provide some feedback to the sender, use the REJECT target extension. |
| QUEUE | Send the packet to userspace (i.e. code not in the kernel). See the libipq manpage for more information. |
| RETURN | From a rule in a user-defined chain, discontinue processing this chain, and resume traversing the calling chain at the rule following the one that had this chain as its target. From a rule in a built-in chain, discontinue processing the packet and apply the chain’s policy to it. See the previous section “Chains” for more information about chain policies. |
Tables
iptables 有三张内置的表:filter, mangle, 及 nat。
| Table | Description |
|---|---|
nat | Used with connection tracking to redirect connections for network address translation; typically based on source or destination addresses. Its built-in chains are: OUTPUT, POSTROUTING, and PREROUTING. |
filter | Used to set policies for the type of traffic allowed into, through, and out of the computer. Unless you refer to a different table explicitly, iptables operate on chains within this table by default. Its built-in chains are: FORWARD, INPUT, and OUTPUT. |
mangle | Used for specialized packet alteration, such as stripping off IP options (as with the IPV4OPTSSTRIP target extension). Its built-in chains are: FORWARD, INPUT, OUTPUT, POSTROUTING, and PREROUTING. |
提示:默认表为 filter, 如果你在 iptables 命令中不特别显式指定一张表,则视作 fitler。
