-
-
Save dinhanhhuy/c2b4befb3b10572b5f8426bf7015ca38 to your computer and use it in GitHub Desktop.
| 0) | |
| $ ip addr | |
| ``` | |
| 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 | |
| link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 | |
| inet 127.0.0.1/8 scope host lo | |
| valid_lft forever preferred_lft forever | |
| inet6 ::1/128 scope host | |
| valid_lft forever preferred_lft forever | |
| 2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 | |
| link/ether b4:2e:99:ae:b1:90 brd ff:ff:ff:ff:ff:ff | |
| inet 192.168.100.89/24 brd 192.168.100.255 scope global dynamic noprefixroute eno1 | |
| valid_lft 674949sec preferred_lft 674949sec | |
| inet6 fe80::dcfd:a026:7749:ac6b/64 scope link noprefixroute | |
| valid_lft forever preferred_lft forever | |
| 3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000 | |
| link/ether 52:54:00:55:09:34 brd ff:ff:ff:ff:ff:ff | |
| inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0 | |
| valid_lft forever preferred_lft forever | |
| 4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000 | |
| link/ether 52:54:00:55:09:34 brd ff:ff:ff:ff:ff:ff | |
| 5: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default | |
| link/ether 02:42:50:70:9c:52 brd ff:ff:ff:ff:ff:ff | |
| inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0 | |
| valid_lft forever preferred_lft forever | |
| inet6 fe80::42:50ff:fe70:9c52/64 scope link | |
| valid_lft forever preferred_lft forever | |
| 9: vethf470f7e@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default | |
| link/ether 06:61:7b:cb:3f:70 brd ff:ff:ff:ff:ff:ff link-netnsid 0 | |
| inet6 fe80::461:7bff:fecb:3f70/64 scope link | |
| valid_lft forever preferred_lft forever | |
| 11: veth92e3a64@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default | |
| link/ether 5e:c4:86:1a:cb:e6 brd ff:ff:ff:ff:ff:ff link-netnsid 1 | |
| inet6 fe80::5cc4:86ff:fe1a:cbe6/64 scope link | |
| valid_lft forever preferred_lft forever | |
| ``` | |
| 1) | |
| $ iptables -t nat -A PREROUTING -p tcp --dport 1234 \ | |
| -i eno1 -j DNAT --to 172.217.174.206:443 | |
| 2) | |
| ## (option) show rule: | |
| ## (option) sudo iptables -t nat -v -L PREROUTING -n --line-number | |
| ➜ .ssh iptables -t nat -v -L PREROUTING -n --line-number | |
| Chain PREROUTING (policy ACCEPT 7028 packets, 563K bytes) | |
| num pkts bytes target prot opt in out source destination | |
| 1 0 0 DNAT tcp -- eno1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234 to:172.217.174.206:443 | |
| 3) | |
| $ iptables -A FORWARD -d 172.217.174.206 -j ACCEPT | |
| 4) | |
| $ iptables -t nat -A POSTROUTING -d 172.217.174.206 -o eno1 -j MASQUERADE |
➜ dahuy service iptables status
Redirecting to /bin/systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since Fri 2020-06-19 13:16:38 +07; 59min ago
Process: 25153 ExecReload=/usr/libexec/iptables/iptables.init reload (code=exited, status=0/SUCCESS)
Process: 20584 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 20584 (code=exited, status=0/SUCCESS)
Jun 19 13:16:38 localhost.localhost systemd[1]: Starting IPv4 firewall with iptables...
Jun 19 13:16:38 localhost.localhost iptables.init[20584]: iptables: Applying firewall rules: [ OK ]
Jun 19 13:16:38 localhost.localhost systemd[1]: Started IPv4 firewall with iptables.
Jun 19 13:59:42 localhost.localhost systemd[1]: Reloading IPv4 firewall with iptables.
Jun 19 13:59:42 localhost.localhost iptables.init[25153]: iptables: Trying to reload firewall rules: [ OK ]
Jun 19 13:59:42 localhost.localhost systemd[1]: Reloaded IPv4 firewall with iptables.
➜ dahuy iptables -t nat -v -L PREROUTING -n --line-number
Chain PREROUTING (policy ACCEPT 10935 packets, 874K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DNAT tcp -- eno1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1234 to:172.217.174.206:443
➜ dahuy iptables -t nat -v -L POSTROUTING -n --line-number
Chain POSTROUTING (policy ACCEPT 1777 packets, 644K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MASQUERADE all -- * eno1 0.0.0.0/0 172.217.174.206
➜ dahuy iptables -v -L FORWARD -n --line-number
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- * * 0.0.0.0/0 172.217.174.206
➜ dahuy curl -k https://172.217.174.206:443
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
➜ dahuy curl -k https://127.0.0.1:1234
curl: (7) Failed to connect to 127.0.0.1 port 1234: Connection refused
➜ .ssh iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination