
iptables中的PREROUTING和POSTROUTING

发布时间:2014-10-31 22:00:35来源:linux网站作者:wangyuqian

工作中用到 iptables 的 PREROUTING 和 POSTROUTING 链，写个简单例子，为以后作参考。PREROUTING 在路由判断之前处理进入的数据包，常用于 DNAT 改写目的地址（如下面第一条 nat 规则）；POSTROUTING 在路由判断之后处理即将离开的数据包，常用于 SNAT/MASQUERADE 改写源地址（如下面第二条 nat 规则）。另外要注意，`-R` 是按序号整条替换规则，下面对 nat 表 PREROUTING 第 1 条执行 `-R` 之后，原来的 DNAT 规则就被覆盖掉了（对比最后一次 iptables-save 的输出）。


[root@ linux ~]# cat /tmp/ipt_tmp.sh
# Generated by iptables-save v1.3.5 on Mon Jul  9 08:17:39 2012
*filter
:INPUT ACCEPT [39519334:1858761689]
:FORWARD ACCEPT [63755316:66709123839]
:OUTPUT ACCEPT [62427552:90909713429]
-A INPUT -s 192.168.0.11 -p tcp -m state --state NEW -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j DROP
COMMIT
# Completed on Mon Jul  9 08:17:39 2012
# Generated by iptables-save v1.3.5 on Mon Jul  9 08:17:39 2012
*nat
:PREROUTING ACCEPT [2748118:215319370]
:POSTROUTING ACCEPT [28696:3128078]
:OUTPUT ACCEPT [28696:3128078]
-A PREROUTING -s 192.168.8.0/255.255.255.0 -d 192.168.0.1 -i eth0 -j DNAT --to-destination 192.168.50.81
-A POSTROUTING -s 192.168.50.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jul  9 08:17:39 2012
[root@ linux ~]# iptables -nvL
Chain INPUT (policy ACCEPT 78 packets, 5512 bytes)
pkts bytes target     prot opt in     out     source               destination       
0     0 DROP       tcp  --  *      *       192.168.0.11         0.0.0.0/0           state NEW tcp dpt:80
0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination      

Chain OUTPUT (policy ACCEPT 53 packets, 5992 bytes)
pkts bytes target     prot opt in     out     source               destination       
[root@ linux ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target     prot opt in     out     source               destination       
0     0 DNAT       all  --  eth0   *       192.168.8.0/24       192.168.0.1         to:192.168.50.81

Chain POSTROUTING (policy ACCEPT 4 packets, 312 bytes)
pkts bytes target     prot opt in     out     source               destination       
0     0 MASQUERADE  all  --  *      eth0    192.168.50.0/24      0.0.0.0/0        

Chain OUTPUT (policy ACCEPT 4 packets, 312 bytes)
pkts bytes target     prot opt in     out     source               destination 
[root@ linux ~]# iptables -R INPUT -s 192.168.0.11 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables v1.4.7: -R requires a rule number
Try `iptables -h' or 'iptables --help' for more information.
[root@ linux ~]# iptables -nvL --line-number
Chain INPUT (policy ACCEPT 219 packets, 15871 bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 ACCEPT     tcp  --  *      *       192.168.0.11         0.0.0.0/0           state NEW tcp dpt:80
2        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination      

Chain OUTPUT (policy ACCEPT 196 packets, 16152 bytes)
num   pkts bytes target     prot opt in     out     source               destination       
[root@ linux ~]# iptables -R INPUT 1 -s 192.168.0.11 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
[root@ linux ~]# iptables -nvL
Chain INPUT (policy ACCEPT 10 packets, 660 bytes)
pkts bytes target     prot opt in     out     source               destination       
0     0 ACCEPT     tcp  --  *      *       192.168.0.11         0.0.0.0/0           state NEW tcp dpt:80
0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination      

Chain OUTPUT (policy ACCEPT 6 packets, 1080 bytes)
pkts bytes target     prot opt in     out     source               destination   
[root@ linux ~]# iptables -t nat-R INPUT 1 -s 192.168.255.11/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
Bad argument `INPUT'
Try `iptables -h' or 'iptables --help' for more information.
[root@ linux ~]# iptables -t nat -R PREROUTING 1 -s 192.168.255.11/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT    
[root@ linux ~]# iptables -t nat
iptables v1.4.7: no command specified
Try `iptables -h' or 'iptables --help' for more information.
[root@ linux ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination       
0     0 ACCEPT     tcp  --  *      *       192.168.255.11       0.0.0.0/0           state NEW tcp dpt:80

Chain POSTROUTING (policy ACCEPT 3 packets, 180 bytes)
pkts bytes target     prot opt in     out     source               destination       
0     0 MASQUERADE  all  --  *      eth0    192.168.50.0/24      0.0.0.0/0        

Chain OUTPUT (policy ACCEPT 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination       
[root@ linux ~]# iptables-save > /tmp/ipt_tmp.sh
[root@ linux ~]# cat /tmp/ipt_tmp.sh
# Generated by iptables-save v1.4.7 on Mon Jul  9 08:58:33 2012
*nat
:PREROUTING ACCEPT [1:242]
:POSTROUTING ACCEPT [34:2352]
:OUTPUT ACCEPT [34:2352]
-A PREROUTING -s 192.168.255.11/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A POSTROUTING -s 192.168.50.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jul  9 08:58:33 2012
# Generated by iptables-save v1.4.7 on Mon Jul  9 08:58:33 2012
*filter
:INPUT ACCEPT [796:59726]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [717:61256]
-A INPUT -s 192.168.0.11/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j DROP
COMMIT
# Completed on Mon Jul  9 08:58:33 2012