>#не знаю, возможно, для "простого" port-forwarding-а эта строка не нужна -->
>-A FORWARD -m state --state RELATED -j ACCEPT
>====>8===Как коллега ;-) в соседнем ответе заметил, там ещё где-то %) ESTABLISHED нужно пропускать - для пакетов идущих "обратоно" в частности.
>Читайте также главы из книги "Портовый форвардинг, как он ест", того же
>автора:
>https://www.opennet.ru/openforum/vsluhforumID10/3717.html#6
Ниже - как бы оно выглядело с использованием firehol, sorry, :( если много...
-----# cat 1port-forward
version 5
INIP1=192.168.0.246; P80=80 #service=http
MY0=111.222.111.222; P84=8004
#адрес шлюза на eth0:
MY1=192.168.0.1
dnat to "${INIP1}:${P80}" inface "eth0" proto tcp dport "${P84}"
snat to "$MY0" outface "eth1" dst "${INIP1}" dport "$P80"
router prtfwd dst "${INIP1}"
server "http" accept
-----# firehol 1port-forward debug
FireHOL: Saving your old firewall to a temporary file: OK
FireHOL: Processing file 1port-forward: OK
#!/bin/sh
load_kernel_module ip_tables
load_kernel_module ip_conntrack
# Find all tables supported
tables=`/bin/cat /proc/net/ip_tables_names`
for t in ${tables}
do
# Reset/empty this table.
/sbin/iptables -t "${t}" -F >/tmp/.firehol-tmp-17938-5721-1603/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -F
/sbin/iptables -t "${t}" -X >/tmp/.firehol-tmp-17938-5721-1603/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -X
/sbin/iptables -t "${t}" -Z >/tmp/.firehol-tmp-17938-5721-1603/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -Z
# Find all default chains in this table.
chains=`/sbin/iptables -t "${t}" -nL | /bin/grep "^Chain " | /usr/bin/cut -d ' ' -f 2`
# If this is the 'filter' table, remember the default chains.
# This will be used at the end to make it DROP all packets.
test "${t}" = "filter" && firehol_filter_chains="${chains}"
# Set the policy to ACCEPT on all default chains.
for c in ${chains}
do
/sbin/iptables -t "${t}" -P "${c}" ACCEPT >/tmp/.firehol-tmp-17938-5721-1603/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -P "${c}" ACCEPT
done
done
/sbin/iptables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}" >/tmp/.firehol-tmp-17938-5721-1603/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}"
/sbin/iptables -t filter -P OUTPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}" >/tmp/.firehol-tmp-17938-5721-1603/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P OUTPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}"
/sbin/iptables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}" >/tmp/.firehol-tmp-17938-5721-1603/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}"
# Accept everything in/out the loopback device.
if [ "${FIREHOL_TRUST_LOOPBACK}" = "1" ]
then
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
fi
# Drop all invalid packets.
# Netfilter HOWTO suggests to DROP all INVALID packets.
if [ "${FIREHOL_DROP_INVALID}" = "1" ]
then
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
fi
# === CONFIGURATION STATEMENT =================================================
# CONF:INIT>>> version 5
# === CONFIGURATION STATEMENT =================================================
# CONF: 8>>> dnat to 192.168.0.246:80 inface eth0 proto tcp dport 8004
# INFO>>> Creating chain 'nat.1' under 'PREROUTING' in table 'nat'
/sbin/iptables -t nat -N nat.1
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8004 -j nat.1
# INFO>>> Taking the NAT action: 'dnat'
/sbin/iptables -t nat -A nat.1 -p tcp -j DNAT --to-destination 192.168.0.246:80
# === CONFIGURATION STATEMENT =================================================
# CONF: 9>>> snat to 111.222.111.222 outface eth1 dst 192.168.0.246 dport 80
# INFO>>> Creating chain 'nat.2' under 'POSTROUTING' in table 'nat'
/sbin/iptables -t nat -N nat.2
/sbin/iptables -t nat -A POSTROUTING -o eth1 -d 192.168.0.246 --dport 80 -j nat.2
# INFO>>> Taking the NAT action: 'snat'
/sbin/iptables -t nat -A nat.2 -j SNAT --to-source 111.222.111.222
# === CONFIGURATION STATEMENT =================================================
# CONF: 11>>> router prtfwd dst 192.168.0.246
# INFO>>> Creating chain 'in_prtfwd' under 'FORWARD' in table 'filter'
/sbin/iptables -t filter -N in_prtfwd
/sbin/iptables -t filter -A FORWARD -d 192.168.0.246 -j in_prtfwd
# INFO>>> Creating chain 'out_prtfwd' under 'FORWARD' in table 'filter'
/sbin/iptables -t filter -N out_prtfwd
/sbin/iptables -t filter -A FORWARD -s 192.168.0.246 -j out_prtfwd
# === CONFIGURATION STATEMENT =================================================
# CONF: 12>>> server http accept
# INFO>>> Preparing for service 'http' of type 'server' under interface 'prtfwd'
# INFO>>> Creating chain 'in_prtfwd_http_s1' under 'in_prtfwd' in table 'filter'
/sbin/iptables -t filter -N in_prtfwd_http_s1
/sbin/iptables -t filter -A in_prtfwd -j in_prtfwd_http_s1
# INFO>>> Creating chain 'out_prtfwd_http_s1' under 'out_prtfwd' in table 'filter'
/sbin/iptables -t filter -N out_prtfwd_http_s1
/sbin/iptables -t filter -A out_prtfwd -j out_prtfwd_http_s1
# INFO>>> Running simple rules for server 'http'
/sbin/iptables -t filter -A in_prtfwd_http_s1 -p tcp --sport 1024:65535 --dport 80 -m state --state NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_prtfwd_http_s1 -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# INFO>>> Finilizing router 'prtfwd'
/sbin/iptables -t filter -A in_prtfwd -m state --state RELATED -j ACCEPT
/sbin/iptables -t filter -A out_prtfwd -m state --state RELATED -j ACCEPT
# INFO>>> Finilizing firewall policies
/sbin/iptables -t filter -A INPUT -m state --state RELATED -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -m state --state RELATED -j ACCEPT
/sbin/iptables -t filter -A FORWARD -m state --state RELATED -j ACCEPT
/sbin/iptables -t filter -A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=IN-unknown:
/sbin/iptables -t filter -A INPUT -j DROP
/sbin/iptables -t filter -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=OUT-unknown:
/sbin/iptables -t filter -A OUTPUT -j DROP
/sbin/iptables -t filter -A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG --log-level warning --log-prefix=PASS-unknown:
/sbin/iptables -t filter -A FORWARD -j DROP
# Make it drop everything on table 'filter'.
for c in ${firehol_filter_chains}
do
/sbin/iptables -t filter -P "${c}" DROP >/tmp/.firehol-tmp-17938-5721-1603/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P "${c}" DROP
done
/sbin/sysctl -w net.ipv4.ip_forward=1
FireHOL: Restoring old firewall: OK
-----# (cat 1port-forward ;echo "quit")|firehol explain
: firehol.sh,v 1.256 2007/05/22 22:52:53 ktsaou Exp $
(C) Copyright 2003, Costa Tsaousis <costa@tsaousis.gr>
FireHOL is distributed under GPL.
Home Page: http://firehol.sourceforge.net
--------------------------------------------------------------------------------
FireHOL controls your firewall. You should want to get updates quickly.
Subscribe (at the home page) to get notified of new releases.
--------------------------------------------------------------------------------
You can now start typing FireHOL configuration directives.
Special interactive commands: help, show, quit
# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 1
# Command : version 5
# > OK <
# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 2
# Command : INIP1=192.168.0.246; P80=80 #service=http
# > OK <
# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 3
# Command : MY0=111.222.111.222; P84=8004
# > OK <
# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 4
# Command : #адрес шлюза на eth0:
# > OK <
# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 5
# Command : MY1=192.168.0.1
# > OK <
# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 6
# Command : dnat to "${INIP1}:${P80}" inface "eth0" proto tcp dport "${P84}"
# Creating chain 'nat.1' under 'PREROUTING' in table 'nat'
/sbin/iptables -t nat -N nat.1
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8004 -j nat.1
# Taking the NAT action: 'dnat'
/sbin/iptables -t nat -A nat.1 -p tcp -j DNAT --to-destination 192.168.0.246:80
# > OK <
# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 7
# Command : snat to "$MY0" outface "eth1" dst "${INIP1}" dport "$P80"
# Creating chain 'nat.2' under 'POSTROUTING' in table 'nat'
/sbin/iptables -t nat -N nat.2
/sbin/iptables -t nat -A POSTROUTING -o eth1 -d 192.168.0.246 --dport 80 -j nat.2
# Taking the NAT action: 'snat'
/sbin/iptables -t nat -A nat.2 -j SNAT --to-source 111.222.111.222
# > OK <
# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 8
# Command : router prtfwd dst "${INIP1}"
# Creating chain 'in_prtfwd' under 'FORWARD' in table 'filter'
/sbin/iptables -t filter -N in_prtfwd
/sbin/iptables -t filter -A FORWARD -d 192.168.0.246 -j in_prtfwd
# Creating chain 'out_prtfwd' under 'FORWARD' in table 'filter'
/sbin/iptables -t filter -N out_prtfwd
/sbin/iptables -t filter -A FORWARD -s 192.168.0.246 -j out_prtfwd
# > OK <
# \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
# Cmd Line : 9
# Command : server "http" accept
# Preparing for service 'http' of type 'server' under interface 'prtfwd'
# Creating chain 'in_prtfwd_http_s1' under 'in_prtfwd' in table 'filter'
/sbin/iptables -t filter -N in_prtfwd_http_s1
/sbin/iptables -t filter -A in_prtfwd -j in_prtfwd_http_s1
# Creating chain 'out_prtfwd_http_s1' under 'out_prtfwd' in table 'filter'
/sbin/iptables -t filter -N out_prtfwd_http_s1
/sbin/iptables -t filter -A out_prtfwd -j out_prtfwd_http_s1
# Running simple rules for server 'http'
/sbin/iptables -t filter -A in_prtfwd_http_s1 -p tcp --sport 1024:65535 --dport 80 -m state --state NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_prtfwd_http_s1 -p tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# > OK <
version 5
version 5
INIP1=192.168.0.246; P80=80 #service=http
MY0=111.222.111.222; P84=8004
#адрес шлюза на eth0:
MY1=192.168.0.1
dnat to "${INIP1}:${P80}" inface "eth0" proto tcp dport "${P84}"
snat to "$MY0" outface "eth1" dst "${INIP1}" dport "$P80"
router prtfwd dst "${INIP1}"
server "http" accept
-----#