Destination NAT

Content

Destination NAT (DNAT) exposes specific services on an internal network to the outside world without giving the internal hosts a directly reachable public address. As long as no more than one service has to be exposed on any given port, a single Internet connection (one public IP address) is enough. The gateway rewrites the destination of connections arriving on the configured ports to the designated internal host and port, and the connection-tracking state it records is used to rewrite the return traffic back to the original public address and port before it is sent to the outside client.

Since DNAT entails modifying the destination addresses and/or ports of packets just before they are either routed to local processes or forwarded to other hosts, it is performed in the PREROUTING chain of the nat table (for packets generated by the gateway itself, the OUTPUT chain of the nat table is used instead). Because the rewrite happens before routing, every later hook (FORWARD, INPUT) already sees the translated destination.

For example, to forward inbound connections arriving on the gateway's port 80 (HTTP) to an internal web server listening on port 8080 of 192.168.1.3, where the public interface is eth1 and the DMZ interface is eth2:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
   -j DNAT --to-destination 192.168.1.3:8080

The equivalent nft rule (the `nat` table and a `prerouting` chain of type `nat hook prerouting` must already exist; current nft syntax requires the `to` keyword after `dnat`):

nft add rule nat prerouting iif eth1 tcp sport 1024-65535 ip daddr <public address> \
    tcp dport 80 dnat to 192.168.1.3:8080

DNAT is applied before the forward chain, so if the forward chain has a drop policy, forward rules are also needed. Note that the forward hook sees the packet after the rewrite, so it must match the translated destination 192.168.1.3 and port 8080, not the public port 80:

nft add rule filter forward iif eth1 oif eth2 tcp sport 1024-65535 tcp dport 8080 \
    ip daddr 192.168.1.3 ct state new accept
nft add rule filter forward iif eth2 oif eth1 ct state established,related accept
nft add rule filter forward iif eth1 oif eth2 ct state established,related accept
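The following script is an added example, not code from the original page: it generates the complete nftables ruleset for this port forward in nft's native file syntax (tables and chains included, so it can be loaded on a fresh machine with `nft -f -`) and checks the one mistake that most often breaks a DNAT setup, a forward rule that still matches the public port instead of the post-DNAT port. The interface names, the public address 203.0.113.10 (documentation range) and the drop policy on the forward chain are assumptions; loading the ruleset requires root and nftables.

```shell
#!/bin/sh
# Added example: build an nftables ruleset for one DNAT port forward.
# Assumed values (not from the original page); override via environment.
PUB_IF=${PUB_IF:-eth1}            # public-facing interface
DMZ_IF=${DMZ_IF:-eth2}            # interface towards the web server
PUB_ADDR=${PUB_ADDR:-203.0.113.10}  # assumed public address
PUB_PORT=${PUB_PORT:-80}          # port clients connect to
DMZ_ADDR=${DMZ_ADDR:-192.168.1.3} # internal web server
DMZ_PORT=${DMZ_PORT:-8080}        # port the web server listens on

# Print the ruleset in nft native syntax. The forward rule deliberately
# matches DMZ_ADDR:DMZ_PORT, the destination as rewritten by prerouting,
# because the forward hook runs after the DNAT has happened.
gen_ruleset() {
    cat <<EOF
flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iif "$PUB_IF" ip daddr $PUB_ADDR tcp dport $PUB_PORT dnat to $DMZ_ADDR:$DMZ_PORT
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iif "$PUB_IF" oif "$DMZ_IF" ip daddr $DMZ_ADDR tcp dport $DMZ_PORT ct state new accept
    }
}
EOF
}

# Consistency check: the port accepted for new connections in the forward
# chain must equal the DNAT target port; otherwise new connections are
# translated by prerouting and then silently dropped by forward.
check_ruleset() {
    rs=$(gen_ruleset)
    dnat_port=$(printf '%s\n' "$rs" | sed -n 's/.*dnat to [0-9.]*:\([0-9]*\).*/\1/p')
    fwd_port=$(printf '%s\n' "$rs" | grep 'ct state new' | sed -n 's/.*tcp dport \([0-9]*\).*/\1/p')
    [ -n "$dnat_port" ] && [ "$dnat_port" = "$fwd_port" ]
}

case "${1:-}" in
    apply) check_ruleset && gen_ruleset | nft -f - ;;   # needs root + nftables
    check) check_ruleset && echo "ruleset consistent" ;;
    *)     gen_ruleset ;;                                # just print it
esac
```

Run it without arguments to inspect the ruleset, with `check` to validate it, and with `apply` to load it. Setting `DMZ_PORT=8080` while editing the forward rule back to `tcp dport 80` is exactly the failure mode the check catches: prerouting rewrites the packet to 192.168.1.3:8080, the forward chain finds no `tcp dport 8080` rule and the drop policy discards it.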

From