Last active June 19, 2020 07:22
Gist: dinhanhhuy/c2b4befb3b10572b5f8426bf7015ca38
0)
$ ip addr
```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether b4:2e:99:ae:b1:90 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.89/24 brd 192.168.100.255 scope global dynamic noprefixroute eno1
       valid_lft 674949sec preferred_lft 674949sec
    inet6 fe80::dcfd:a026:7749:ac6b/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:55:09:34 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:55:09:34 brd ff:ff:ff:ff:ff:ff
5: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:50:70:9c:52 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:50ff:fe70:9c52/64 scope link
       valid_lft forever preferred_lft forever
9: vethf470f7e@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 06:61:7b:cb:3f:70 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::461:7bff:fecb:3f70/64 scope link
       valid_lft forever preferred_lft forever
11: veth92e3a64@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 5e:c4:86:1a:cb:e6 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::5cc4:86ff:fe1a:cbe6/64 scope link
       valid_lft forever preferred_lft forever
```
1)
$ iptables -t nat -A PREROUTING -p tcp --dport 1234 \
    -i eno1 -j DNAT --to 172.217.174.206:443
2)
## (option) show rule:
## (option) sudo iptables -t nat -v -L PREROUTING -n --line-number
```
➜  .ssh iptables -t nat -v -L PREROUTING -n --line-number
Chain PREROUTING (policy ACCEPT 7028 packets, 563K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       tcp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1234 to:172.217.174.206:443
```
3)
$ iptables -A FORWARD -d 172.217.174.206 -j ACCEPT
4)
$ iptables -t nat -A POSTROUTING -d 172.217.174.206 -o eno1 -j MASQUERADE
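As an added example that is not part of the gist, the POSIX shell script below generates the complete command set for this TCP forward from validated parameters (inbound interface, listen port, target IPv4 address and target port are the assumed inputs; the function names `dnat_commands`, `is_ipv4` and `is_port` are mine). It adds three things the four steps above leave out: enabling `net.ipv4.ip_forward`, which any DNAT to another host depends on; a rule in the nat OUTPUT chain, because packets generated on the host itself never traverse PREROUTING (so a test such as `curl https://127.0.0.1:1234` from the same box, as in the session further down the page, never hits the PREROUTING rule and is refused by the local stack); and a FORWARD rule narrowed to the forwarded port and connection state instead of accepting all traffic to the target. Input validation keeps unchecked strings off the iptables command line.

```shell
#!/bin/sh
# Added example, not part of the gist: print the commands for one TCP port forward,
# including the pieces the four ad-hoc steps leave out. Inputs are assumed to be
# inbound interface, listen port, target IPv4 address and target port.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# is_port N: succeed only for an integer in 1..65535.
is_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# dnat_commands IFACE LISTEN_PORT TARGET_IP TARGET_PORT
# Prints the commands on stdout; returns 2 without printing anything on bad
# input, so unchecked values never reach an iptables command line.
dnat_commands() {
    iface=$1 lport=$2 tip=$3 tport=$4
    is_port "$lport" && is_port "$tport" && is_ipv4 "$tip" || return 2
    # Interface names: letters, digits, '_', '.', '-' only (assumed policy).
    case $iface in ''|*[!A-Za-z0-9_.-]*) return 2 ;; esac
    cat <<EOF
# Forwarding to another host needs this; the gist never sets it.
sysctl -w net.ipv4.ip_forward=1
# Step 1: rewrite the destination of packets arriving on $iface for port $lport.
iptables -t nat -A PREROUTING -i $iface -p tcp --dport $lport -j DNAT --to-destination $tip:$tport
# Not in the gist: locally generated packets skip PREROUTING, so a test from this
# host (curl to 127.0.0.1:$lport) needs the same rewrite in the nat OUTPUT chain.
iptables -t nat -A OUTPUT -o lo -p tcp --dport $lport -j DNAT --to-destination $tip:$tport
# Step 4: source-rewrite so $tip replies to this host, which un-NATs back to the client.
iptables -t nat -A POSTROUTING -o $iface -d $tip -p tcp --dport $tport -j MASQUERADE
# Step 3, narrowed: only the forwarded port and its return traffic, not all traffic to $tip.
iptables -A FORWARD -i $iface -d $tip -p tcp --dport $tport -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Usage: dnat_commands eno1 1234 172.217.174.206 443   (review, then pipe to sh as root)
if [ $# -eq 4 ]; then
    dnat_commands "$@"
fi
```

The generated FORWARD rules assume the chain's policy or later rules do not already accept everything (on the gist's host the policy is ACCEPT, so the narrowing only takes effect once that policy is changed). The POSTROUTING rule keeps the gist's MASQUERADE but limits it to the forwarded port, so unrelated traffic to the target is not source-rewritten.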
```
➜  dahuy service iptables status
Redirecting to /bin/systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Fri 2020-06-19 13:16:38 +07; 59min ago
  Process: 25153 ExecReload=/usr/libexec/iptables/iptables.init reload (code=exited, status=0/SUCCESS)
  Process: 20584 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 20584 (code=exited, status=0/SUCCESS)

Jun 19 13:16:38 localhost.localhost systemd[1]: Starting IPv4 firewall with iptables...
Jun 19 13:16:38 localhost.localhost iptables.init[20584]: iptables: Applying firewall rules: [  OK  ]
Jun 19 13:16:38 localhost.localhost systemd[1]: Started IPv4 firewall with iptables.
Jun 19 13:59:42 localhost.localhost systemd[1]: Reloading IPv4 firewall with iptables.
Jun 19 13:59:42 localhost.localhost iptables.init[25153]: iptables: Trying to reload firewall rules: [  OK  ]
Jun 19 13:59:42 localhost.localhost systemd[1]: Reloaded IPv4 firewall with iptables.
➜  dahuy iptables -t nat -v -L PREROUTING -n --line-number
Chain PREROUTING (policy ACCEPT 10935 packets, 874K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       tcp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1234 to:172.217.174.206:443
➜  dahuy iptables -t nat -v -L POSTROUTING -n --line-number
Chain POSTROUTING (policy ACCEPT 1777 packets, 644K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE  all  --  *      eno1    0.0.0.0/0            172.217.174.206
➜  dahuy iptables -v -L FORWARD -n --line-number
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            172.217.174.206
➜  dahuy curl -k https://172.217.174.206:443
➜  dahuy curl -k https://127.0.0.1:1234
curl: (7) Failed to connect to 127.0.0.1 port 1234: Connection refused
```