Iptables NAT and Masquerade rules - what do they do?


Question

I've followed a tutorial (in German) on setting up a WiFi router (access point) on a Raspberry Pi. Following the tutorial I had to add the following iptables rules:

iptables -A FORWARD -o eth0 -i wlan0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Unfortunately I don't have any experience with iptables and would like to know what the rules mean/do.

Answer

I'll go through the rules and explain each one; for understanding the flow, refer to the iptables chart.

iptables -A FORWARD -o eth0 -i wlan0 -m conntrack --ctstate NEW -j ACCEPT

In the FORWARD chain, you appended a rule which says: if any packet comes in newly, from wlan0 to eth0, the filter lets it pass, and tracks that connection as NEW (which means: it follows its changes of state).

iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

For any packets coming in that are tracked as ESTABLISHED or RELATED, the filter lets them pass.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

For the NAT table (which contains the FORWARD chain), in the POSTROUTING chain, any packet leaving eth0 forgets its inner IP address (so, it stays behind a NAT) and gets the one of eth0: MASQUERADE stands for masking the address.
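The three rules from the question, assembled into a complete iptables-restore ruleset, as an added example that is not part of the original question or answer. The interface names eth0 (uplink) and wlan0 (access-point side) are taken from the question; everything else is an assumption of this example. The tutorial's rules only restrict anything if the FORWARD chain's default policy is DROP (with the default ACCEPT policy the two ACCEPT rules are redundant and every packet is forwarded anyway), so the generated ruleset sets that policy and adds an explicit REJECT at the end. The original rules themselves are kept verbatim. `gen_ruleset` prints the ruleset so it can be inspected without root; `apply_ruleset` enables forwarding and loads it atomically and needs root.

```shell
#!/bin/sh
# Added example (not from the original page): build an iptables-restore
# file for a Raspberry Pi access point. Arguments: uplink interface and
# access-point interface, e.g. "gen_ruleset eth0 wlan0" (assumed names).

gen_ruleset() {
    wan="$1"   # interface towards the internet (eth0 in the question)
    lan="$2"   # interface the WiFi clients sit on (wlan0 in the question)
    # Lines starting with '#' are ignored by iptables-restore.
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
# Default DROP: only the explicit ACCEPT rules below let forwarded traffic through.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Rule 1 from the question: clients may open new connections towards the uplink.
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
# Rule 2: replies and related traffic (ICMP errors, FTP data, ...) in both directions.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Added: anything else, in particular unsolicited WAN->LAN traffic, is refused.
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rule 3: rewrite the source address of packets leaving $wan to that interface's address.
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Number of rules (lines starting with -A) in the generated ruleset.
rule_count() {
    gen_ruleset "$1" "$2" | grep -c '^-A'
}

# Load the ruleset (root required). iptables-restore replaces the
# filter and nat tables in one atomic step, so there is no window with
# forwarding enabled and no rules loaded.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1
    gen_ruleset "$1" "$2" | iptables-restore
}
```

After applying, `iptables -S FORWARD` and `iptables -t nat -S POSTROUTING` show the loaded rules, and `iptables -L FORWARD -v -n` shows the packet counters, which is the quickest way to confirm that client traffic is hitting the NEW rule and return traffic the ESTABLISHED,RELATED rule rather than the final REJECT. To keep the rules across reboots, write the same output to a file and restore it at boot (`gen_ruleset eth0 wlan0 > /etc/iptables/rules.v4`, for example, if iptables-persistent is installed).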
