Have a try
查看 nat 表中所有链上的规则
iptables -t nat -L
The following parameters make up a rule specification (as used in the add, delete, insert, replace and append commands).
-
-p, --protocol[!] protocolProtocol can be one of tcp, udp, icmp, or all. A protocol name from
/etc/protocolsis also allowed. A “!” argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted. -
-j, --jumptargetThe target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension.
-
-i, --in-interface[!] nameName of an interface via which a packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When the “!” argument is used before the interface name, the sense is inverted. If the interface name ends in a “+”, then any interface which begins with this name will match. If this option is omitted, any interface name will match.
-
-o, --out-interface[!] nameName of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the “!” argument is used before the interface name, the sense is inverted. If the interface name ends in a “+”, then any interface which begins with this name will match. If this option is omitted, any interface name will match.
Network Address Translation (NAT)
SNAT 用于将出站封包内的源地址修改为路由器地址
# --to is a short format of --to-source
iptables -t nat -A POSTROUTING -o eth0 -j SANT --to-source 192.168.1.1
DNAT 用于将到达指定端口的入站封包内的目的地址修改为内网主机地址和端口。
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:8080