iptables settings for forwarding traffic from one Linux network interface to another

To forward the traffic of interface tun0 out through interface eth0, we can set up NAT forwarding with iptables.

Setting up iptables

Setting up NAT forwarding

Forward traffic coming from the 10.8.0.0/24 subnet out through eth0 by inserting a rule into the POSTROUTING chain of the nat table:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Setting up FORWARD

Allow forwarding from interface tun0 to eth0, and allow forwarding back to tun0, by inserting rules into the FORWARD chain of the filter table:

iptables -I FORWARD 1 -i tun0 -o eth0 -j ACCEPT
iptables -I FORWARD 1 -i eth0 -o tun0 -j ACCEPT
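The three commands above, gathered into one script that can be re-run safely. This is an added example, not part of the original article: the interface names tun0/eth0, the 10.8.0.0/24 subnet and the MASQUERADE/ACCEPT rules are the article's; the ensure_rule helper (which checks with iptables -C before adding), the net.ipv4.ip_forward sysctl step, and the conntrack restriction on traffic coming back from eth0 are additions. Note that the script appends rules with -A where the article inserts them at position 1 with -I; if the FORWARD chain already holds other rules, check their order after running it.

```shell
#!/bin/sh
# Added example (not from the original article): set up tun0 -> eth0 forwarding
# idempotently. Interface names, the 10.8.0.0/24 subnet and the MASQUERADE /
# ACCEPT rules come from the article; the ensure_rule helper, the sysctl step
# and the conntrack restriction on return traffic are additions.
set -eu

LAN_IF="${LAN_IF:-tun0}"          # interface whose clients are forwarded
WAN_IF="${WAN_IF:-eth0}"          # interface the traffic leaves through
SRC_NET="${SRC_NET:-10.8.0.0/24}" # client subnet behind LAN_IF
IPT="${IPT:-iptables}"            # binary to use (set IPT=echo for a dry run)

# Append a rule only if it is not already present. `iptables -C` exits 0 when
# an identical rule exists, so re-running the script never duplicates rules.
# The article uses `-I CHAIN 1` (insert first); -A appends, so check the
# chain order if other FORWARD rules already exist.
ensure_rule() {
    table="$1"; shift
    if ! "$IPT" -t "$table" -C "$@" 2>/dev/null; then
        "$IPT" -t "$table" -A "$@"
    fi
}

# The kernel drops forwarded packets unless ip_forward is on; the iptables
# rules alone are not enough. (sysctl -w does not survive a reboot; put the
# setting in /etc/sysctl.d/ to make it persistent.)
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

setup_forwarding() {
    enable_forwarding
    # nat/POSTROUTING: rewrite the source address of packets leaving WAN_IF
    # so that replies come back to this host and are un-NATed by conntrack.
    ensure_rule nat POSTROUTING -s "$SRC_NET" -o "$WAN_IF" -j MASQUERADE
    # filter/FORWARD: new connections may only be initiated from the LAN side ...
    ensure_rule filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    # ... and the WAN side may only send replies to connections that already
    # exist. The article's rule accepts everything from WAN_IF to LAN_IF; this
    # is the narrower form a defender would normally prefer.
    ensure_rule filter FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Show the resulting rules with packet counters and rule numbers
# (the same two commands the article uses to inspect the chains).
show_rules() {
    "$IPT" -vnL FORWARD --line-numbers
    "$IPT" -t nat -vnL POSTROUTING --line-numbers
}

# Run as `sh forward.sh apply` (as root) to configure; without arguments the
# file only defines the functions, so it can be sourced or tested.
if [ "${1:-}" = "apply" ]; then
    setup_forwarding
    show_rules
fi
```

Because every rule goes through ensure_rule, running the script a second time (for example from a VPN up-hook) leaves the chains exactly as they were instead of stacking duplicate rules.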

Viewing the iptables settings

Viewing FORWARD

iptables -vL FORWARD --line-numbers

Viewing POSTROUTING

iptables -t nat -vnL POSTROUTING --line-numbers

Appendix: iptables usage reference

Targets

iptables has four built-in targets to choose from; extension modules can provide others. (Quoted from Linux iptables Pocket Reference by Gregor N. Purdy, Copyright © 2004.)

ACCEPT: Let the packet through to the next stage of processing. Stop traversing the current chain, and start at the next stage shown in Figures 1 through 3 (and Tables 4 through 7).

DROP: Discontinue processing the packet completely. Do not check it against any other rules, chains, or tables. If you want to provide some feedback to the sender, use the REJECT target extension.

QUEUE: Send the packet to userspace (i.e. code not in the kernel). See the libipq manpage for more information.

RETURN: From a rule in a user-defined chain, discontinue processing this chain, and resume traversing the calling chain at the rule following the one that had this chain as its target. From a rule in a built-in chain, discontinue processing the packet and apply the chain's policy to it. See the previous section "Chains" for more information about chain policies.

Tables

iptables has three built-in tables: filter, mangle, and nat.

nat: Used with connection tracking to redirect connections for network address translation; typically based on source or destination addresses. Its built-in chains are: OUTPUT, POSTROUTING, and PREROUTING.

filter: Used to set policies for the type of traffic allowed into, through, and out of the computer. Unless you refer to a different table explicitly, iptables operates on chains within this table by default. Its built-in chains are: FORWARD, INPUT, and OUTPUT.

mangle: Used for specialized packet alteration, such as stripping off IP options (as with the IPV4OPTSSTRIP target extension). Its built-in chains are: FORWARD, INPUT, OUTPUT, POSTROUTING, and PREROUTING.

Tip: the default table is filter. If you do not explicitly specify a table in an iptables command, the command is applied to the filter table.
