iptables: copy/forward port

2011-05-19 205 views
1

I am trying to connect to MySQL (port 3306) from a network that blocks this port. However, another port, 110, is open, and I could use that in this situation. I use MySQL for other applications, so I cannot simply change its port.

I am now trying to set up port forwarding with iptables. To be precise, I want to forward 110 to 3306 without blocking 3306.

I have spent a lot of time searching Google, but I cannot get it to work. I am also a bit worried about locking myself out. Can you give me a hint?

Thanks a lot!

#~ iptables -L 
Chain INPUT (policy DROP) 
target  prot opt source    destination   
LOG  all -- anywhere    anywhere   state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `INPUT INVALID ' 
MY_DROP tcp -- anywhere    anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
DROP  all -- anywhere    anywhere   state INVALID 
MY_DROP tcp -- anywhere    anywhere   tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
MY_DROP tcp -- anywhere    anywhere   tcp flags:FIN,RST/FIN,RST 
MY_DROP tcp -- anywhere    anywhere   tcp flags:FIN,SYN/FIN,SYN 
MY_DROP tcp -- anywhere    anywhere   tcp flags:FIN,ACK/FIN 
MY_DROP tcp -- anywhere    anywhere   tcp flags:FIN,RST/FIN,RST 
MY_DROP tcp -- anywhere    anywhere   tcp flags:FIN,ACK/FIN 
ACCEPT  all -- anywhere    anywhere    
ACCEPT  all -- anywhere    anywhere    
ACCEPT  all -- anywhere    anywhere   state RELATED,ESTABLISHED 
ACCEPT  icmp -- anywhere    anywhere   icmp destination-unreachable 
ACCEPT  icmp -- anywhere    anywhere   icmp destination-unreachable 
ACCEPT  icmp -- anywhere    anywhere   icmp source-quench 
ACCEPT  icmp -- anywhere    anywhere   icmp echo-request 
ACCEPT  icmp -- anywhere    anywhere   icmp time-exceeded 
ACCEPT  icmp -- anywhere    anywhere   icmp parameter-problem 
ACCEPT  tcp -- anywhere    anywhere   state NEW tcp dpt:www 
ACCEPT  tcp -- anywhere    anywhere   state NEW tcp dpt:https 
ACCEPT  tcp -- anywhere    anywhere   state NEW tcp dpt:smtp 
ACCEPT  tcp -- anywhere    anywhere   state NEW tcp dpt:ssmtp 
ACCEPT  tcp -- anywhere    anywhere   state NEW tcp dpt:pop3 
ACCEPT  tcp -- anywhere    anywhere   state NEW tcp dpt:pop3s 
ACCEPT  tcp -- anywhere    anywhere   state NEW tcp dpt:imap2 
ACCEPT  tcp -- anywhere    anywhere   state NEW tcp dpt:imaps 
ACCEPT  tcp -- anywhere    anywhere   state NEW tcp dpt:nntp 
ACCEPT  tcp -- anywhere    anywhere   state NEW tcp dpt:domain 
ACCEPT  udp -- anywhere    anywhere   state NEW udp dpt:domain 
ACCEPT  tcp -- anywhere    anywhere   state NEW tcp dpt:ftp 
ACCEPT  tcp -- anywhere    anywhere   state NEW tcp dpt:ssh 
ACCEPT  tcp -- anywhere    anywhere   state NEW tcp dpt:mysql 
ACCEPT  udp -- anywhere    anywhere   state NEW udp dpt:ntp 
ACCEPT  tcp -- anywhere    anywhere   state NEW tcp dpt:6060 
MY_REJECT all -- anywhere    anywhere    
MY_REJECT all -- anywhere    anywhere    

Chain FORWARD (policy DROP) 
target  prot opt source    destination   

Chain OUTPUT (policy DROP) 
target  prot opt source    destination   
LOG  all -- anywhere    anywhere   state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `OUTPUT INVALID ' 
DROP  all -- anywhere    anywhere   state INVALID 
ACCEPT  all -- anywhere    anywhere    
ACCEPT  all -- anywhere    anywhere    
ACCEPT  all -- anywhere    anywhere   state NEW,RELATED,ESTABLISHED 
ACCEPT  icmp -- anywhere    anywhere   icmp echo-reply 
ACCEPT  icmp -- anywhere    anywhere   icmp destination-unreachable 
ACCEPT  icmp -- anywhere    anywhere   icmp echo-request 
MY_REJECT all -- anywhere    anywhere    

Chain MY_DROP (7 references) 
target  prot opt source    destination   
LOG  all -- anywhere    anywhere   limit: avg 2/sec burst 5 LOG level warning prefix `PORTSCAN DROP ' 
LOG  all -- anywhere    anywhere   limit: avg 2/sec burst 5 LOG level warning prefix `PORTSCAN DROP ' 
DROP  all -- anywhere    anywhere    

Chain MY_REJECT (3 references) 
target  prot opt source    destination   
LOG  tcp -- anywhere    anywhere   limit: avg 2/sec burst 5 LOG level warning prefix `REJECT TCP ' 
REJECT  tcp -- anywhere    anywhere   reject-with tcp-reset 
LOG  tcp -- anywhere    anywhere   limit: avg 2/sec burst 5 LOG level warning prefix `REJECT TCP ' 
LOG  udp -- anywhere    anywhere   limit: avg 2/sec burst 5 LOG level warning prefix `REJECT UDP ' 
REJECT  tcp -- anywhere    anywhere   reject-with tcp-reset 
REJECT  udp -- anywhere    anywhere   reject-with icmp-port-unreachable 
LOG  udp -- anywhere    anywhere   limit: avg 2/sec burst 5 LOG level warning prefix `REJECT UDP ' 
DROP  icmp -- anywhere    anywhere    
REJECT  udp -- anywhere    anywhere   reject-with icmp-port-unreachable 
LOG  all -- anywhere    anywhere   limit: avg 2/sec burst 5 LOG level warning prefix `REJECT OTHER ' 
LOG  icmp -- anywhere    anywhere   limit: avg 2/sec burst 5 LOG level warning prefix `DROP ICMP ' 
REJECT  all -- anywhere    anywhere   reject-with icmp-proto-unreachable 
DROP  icmp -- anywhere    anywhere    
LOG  all -- anywhere    anywhere   limit: avg 2/sec burst 5 LOG level warning prefix `REJECT OTHER ' 
REJECT  all -- anywhere    anywhere   reject-with icmp-proto-unreachable 

Answers

1

This might work; I have not tested it.

iptables -t nat -A PREROUTING -p tcp --dport 110 -j REDIRECT --to-port 3306 

Thanks! This works! – marekventur 2011-05-23 16:41:39

2

When forwarding ports with iptables on Ubuntu, you have to:

  • Make a backup of your firewall settings

sudo iptables-save > iptables.backup

  • Make sure the incoming port is open

sudo ufw allow 110/tcp

  • Add the PREROUTING rule to the firewall

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j REDIRECT --to-port 3306

Note the use of -i eth0. This routes port 110 on the eth0 network to 3306. To check all of your machine's connections, use ifconfig.
If your machine is connected to more than one network, you must use -i <network>, otherwise it will not work!

  • If you got stuck on something, you can clear the NAT routing table

sudo iptables -F -t nat

or restore iptables

sudo iptables-restore < iptables.backup
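As an added illustration that is not part of either answer: a Python check, run over a constructed excerpt of the question's own INPUT listing, of why the REDIRECT works without further filter changes. REDIRECT rewrites the destination port in nat PREROUTING before filter INPUT runs, so the port INPUT must already accept is the target (3306, shown as "mysql"), not 110; the service-name map and the sample listing are assumptions built from the page.

```python
"""Decide from an `iptables -L` (filter table) listing whether a nat
PREROUTING REDIRECT from_port -> to_port will be let in by INPUT.
`iptables -L` without -n prints service names from /etc/services, so
numeric ports are mapped to the names the listing uses."""

# Constructed excerpt of the INPUT chain from the question's listing.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target  prot opt source    destination
DROP  all -- anywhere    anywhere   state INVALID
ACCEPT  all -- anywhere    anywhere   state RELATED,ESTABLISHED
ACCEPT  tcp -- anywhere    anywhere   state NEW tcp dpt:pop3
ACCEPT  tcp -- anywhere    anywhere   state NEW tcp dpt:mysql
MY_REJECT all -- anywhere    anywhere

Chain FORWARD (policy DROP)
target  prot opt source    destination
"""

# Assumed /etc/services names for the ports this page talks about.
SERVICE_NAMES = {110: "pop3", 3306: "mysql", 80: "www", 443: "https", 22: "ssh"}


def chain_rules(listing, chain):
    """Return the rules of one chain, in order, each split into fields."""
    rules, inside = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            inside = line.split()[1] == chain
            continue
        if inside and line.strip() and not line.startswith("target"):
            rules.append(line.split())
    return rules


def input_accepts_tcp(listing, port):
    """True if INPUT has an ACCEPT for tcp dpt:<port> before a catch-all
    non-ACCEPT rule (user chains such as MY_REJECT count as terminating).
    A bare 'ACCEPT all' is not trusted: without -v its -i/-o match is hidden."""
    want = {f"dpt:{port}", f"dpt:{SERVICE_NAMES.get(port, port)}"}
    for fields in chain_rules(listing, "INPUT"):
        target, proto = fields[0], fields[1]
        if target == "ACCEPT" and proto == "tcp" and want & set(fields):
            return True
        if target != "ACCEPT" and proto == "all" and len(fields) == 5:
            return False  # catch-all drop/reject reached first
    return False


def redirect_will_be_reachable(listing, from_port, to_port):
    """INPUT sees the rewritten port, so only to_port decides the outcome."""
    return input_accepts_tcp(listing, to_port)
```

Because only the target port matters, the same check also shows that a redirect to a port INPUT does not accept would be silently dropped even though 110 itself is open.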