我在许多网站上阅读了如何使用 iptables 在 Linux 中将一个端口重新路由到另一个端口。例如,将端口 80 重新路由到 8080 看起来如下...
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080
我担心的是,如果我改变主意怎么办?我还没有读到任何提供纠正它的语法的地方。我认为有一种(简单的?)方法可以做到这一点,但我对 Linux 还不太熟悉,无法直观地弄清楚如何在不重新安装操作系统的情况下将端口 80 恢复到其原始行为。
答案1
您可以使用 -D 选项来iptables从链中删除规则。例如
首先列出要从中删除规则的链,使用 --line-numbers
sudo iptables -L RH-Firewall-1-INPUT -n --line-numbers
Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
4 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
7 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
9 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
11 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
删除第 6 行
sudo iptables -D RH-Firewall-1-INPUT 6
sudo iptables -L RH-Firewall-1-INPUT -n --line-numbers
Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
4 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
10 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
如果您将 iptables 配置保存在文件中,请不要忘记更新该文件(iptables-save,service iptables save等等)
答案2
如果您正在编写脚本,则根据定义删除会更容易:
例子:
加上:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080
注意-A? 它的意思是添加。
去除:
iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080
注意-D? 它的意思是删除。
答案3
http://linux.die.net/man/8/iptables:
啊哼
iptables -L, --list [chain]
List all rules in the selected chain. If no chain is selected, all chains are listed. As every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by
iptables -t nat -n -L
Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given. The exact rules are suppressed until you use
iptables -L -v
...
iptables -D, --delete chain rule-specification
iptables -D, --delete chain rulenum
Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.
答案4
bithavoc 的答案是正确的。由于我仍然没有足够的点来评论它,因此我将添加其他信息作为新答案:
添加新的重新路由规则
$ sudo iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to 5671
列出 NAT 规则
$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:https redir ports 5671
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
交换机-t nat必须能够路由规则。
删除规则
$ sudo iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to 5671
[ec2-user@ip-172-31-27-46 ~]$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination