Linux: using iptables to change a destination port
Note: this page is a Chinese/English side-by-side translation of a popular StackOverflow question and is distributed under the CC BY-SA 4.0 license. If you reuse it you must follow the same CC BY-SA terms, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original: http://stackoverflow.com/questions/242772/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverflow
Using iptables to change a destination port
Asked by Kristof Provost
Is it possible to change the destination port of a UDP packet using iptables?
I'm trying to get an SNMP agent to send out traps on 1620 instead of 162. Unfortunately so far I've only managed to change the source port:
iptables -t nat -A POSTROUTING -p udp --dport 162 -j SNAT --to :1620
Accepted answer by Adam Liss
This usage is apparently not supported. Taken from http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.txt:
6.3.7. Altering the Destination of Locally-Generated Connections
The NAT code allows you to insert DNAT rules in the OUTPUT chain, but this is not fully supported in 2.4 (it can be, but it requires a new configuration option, some testing, and a fair bit of coding, so unless someone contracts Rusty to write it, I wouldn't expect it soon). The current limitation is that you can only change the destination to the local machine (e.g. `-j DNAT --to 127.0.0.1'), not to any other machine, otherwise the replies won't be translated correctly.
Answer by azkotoki
Instead of making SNAT, try with DNAT. The source port gets changed because SNAT means SourceNAT, so DNAT will work for you.
Answer by azkotoki
@PiedPiper was right. With DNAT you must specify an ip address, but we only want to do port redirection, so -j REDIRECT may work in this case.
See http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html#ss6.2
Answer by PiedPiper
Assuming you know which machine you are sending to:
iptables -t nat -A OUTPUT -p udp --dport 162 -j DNAT --to-destination <dest-ip>:1620
Answer by diciu
You could set up a divert rule and then re-inject the packet with the modified port.
I've done this a while back on Mac OS X but it's the same principle on Linux: http://blog.dv8.ro/2006/08/using-divert-sockets-on-mac-os-x.html
You basically need to create a very simple transparent proxy.
Answer by Adam Liss
You could redirect 162 to 1620
iptables -t nat -A PREROUTING -p UDP --dport 162 -j REDIRECT --to-port 1620
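The answers above differ mainly in which nat chain they target: DNAT in OUTPUT (PiedPiper) for traps the local agent generates, with the HOWTO limitation the accepted answer quotes, and REDIRECT in PREROUTING (Adam Liss) for traps arriving from another host, while the asker's POSTROUTING rule can only ever rewrite the source. The script below is an added example, not code from the StackOverflow thread: it builds the rule for either case, applies it only once (using `-C` to test for an existing identical rule), and lists the chain with packet counters so the rewrite can be confirmed. The port numbers come from the question; the destination address 192.0.2.10 is a constructed placeholder, and `--to-ports` is the spelling in the iptables man page (the `--to-port` form in the answer above is accepted as an unambiguous abbreviation).

```shell
#!/bin/sh
# Added example, not code from the StackOverflow thread. Picks the nat chain
# that matches where the SNMP trap originates, applies the rule without
# duplicating it, and shows counters so the rewrite can be confirmed.
# Port numbers follow the question; the destination IP is an assumed placeholder.

SNMP_TRAP_PORT=162
NEW_PORT=1620

# build_rule LOCAL <dest-ip> | INCOMING
# Prints the iptables command for the given case:
#   LOCAL    - the agent runs on this host, so the packet crosses nat/OUTPUT;
#              DNAT there needs an explicit destination (the HOWTO limitation
#              quoted in the accepted answer).
#   INCOMING - the packet arrives from another host and crosses nat/PREROUTING;
#              REDIRECT keeps the address and only rewrites the port.
# POSTROUTING is deliberately absent: it only offers SNAT/MASQUERADE, which is
# why the question's rule rewrote the source port instead of the destination.
build_rule() {
    case "$1" in
        LOCAL)
            [ -n "${2:-}" ] || { echo "build_rule LOCAL needs <dest-ip>" >&2; return 1; }
            echo "iptables -t nat -A OUTPUT -p udp --dport $SNMP_TRAP_PORT -j DNAT --to-destination $2:$NEW_PORT"
            ;;
        INCOMING)
            echo "iptables -t nat -A PREROUTING -p udp --dport $SNMP_TRAP_PORT -j REDIRECT --to-ports $NEW_PORT"
            ;;
        *)
            echo "usage: build_rule LOCAL <dest-ip> | INCOMING" >&2
            return 1
            ;;
    esac
}

# chain_of LOCAL|INCOMING -> the nat chain the rule lives in
chain_of() {
    case "$1" in
        LOCAL) echo OUTPUT ;;
        INCOMING) echo PREROUTING ;;
        *) return 1 ;;
    esac
}

# apply_rule LOCAL <dest-ip> | INCOMING
# Inserts the rule unless an identical one already exists (-C tests for it),
# then lists the chain with packet counters; a growing counter on the rule
# confirms that traps are really being rewritten.
apply_rule() {
    rule=$(build_rule "$@") || return 1
    chain=$(chain_of "$1")
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root to apply: $rule" >&2
        return 1
    fi
    # Same rule with -A swapped for -C: exit status 0 means it is already present.
    check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
    if $check 2>/dev/null; then
        echo "rule already present in nat/$chain"
    else
        $rule || return 1
        echo "added to nat/$chain: $rule"
    fi
    iptables -t nat -L "$chain" -n -v --line-numbers
}

# Only act when invoked with arguments, e.g.:
#   sh snmp_trap_port.sh INCOMING
#   sh snmp_trap_port.sh LOCAL 192.0.2.10   (192.0.2.10 is a constructed address)
case "${1:-}" in
    LOCAL|INCOMING) apply_rule "$@" ;;
esac
```

Run it as root with `INCOMING` on the host that receives traps, or with `LOCAL <dest-ip>` on the host whose agent sends them; rerunning is harmless because the `-C` check prevents a second copy of the rule, and the `pkts` column in the listing should advance each time the agent emits a trap.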