一旦我设置 iptables 重新路由端口,我该如何撤消它?

一旦我设置 iptables 重新路由端口,我该如何撤消它?

我在许多网站上阅读了如何使用 iptables 在 Linux 中将一个端口重新路由到另一个端口。例如,将端口 80 重新路由到 8080 看起来如下...

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080

我担心的是,如果我改变主意怎么办?我还没有读到任何提供纠正它的语法的地方。我认为有一种(简单的?)方法可以做到这一点,但我对 Linux 还不太熟悉,无法直观地弄清楚如何在不重新安装操作系统的情况下将端口 80 恢复到其原始行为。

答案1

您可以使用 -D 选项来iptables从链中删除规则。例如

首先列出要从中删除规则的链,使用 --line-numbers

sudo iptables -L RH-Firewall-1-INPUT  -n --line-numbers

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
4    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
6    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
7    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
9    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
11   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

删除第 6 行

sudo iptables -D RH-Firewall-1-INPUT 6
sudo iptables -L RH-Firewall-1-INPUT  -n --line-numbers

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
4    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

如果您将 iptables 配置保存在文件中,请不要忘记更新该文件(iptables-saveservice iptables save等等)

答案2

如果您正在编写脚本,则根据定义删除会更容易:

例子:

加上:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080

注意-A? 它的意思是添加

去除:

iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to 8080

注意-D? 它的意思是删除

答案3

http://linux.die.net/man/8/iptables

啊哼

iptables -L, --list [chain]
    List all rules in the selected chain. If no chain is selected, all chains are listed. As every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by

    iptables -t nat -n -L

    Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given. The exact rules are suppressed until you use

    iptables -L -v

...

iptables -D, --delete chain rule-specification
iptables -D, --delete chain rulenum
    Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match. 

答案4

bithavoc 的答案是正确的。由于我仍然没有足够的点来评论它,因此我将添加其他信息作为新答案:

添加新的重新路由规则

$ sudo iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to 5671

列出 NAT 规则

$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 5671

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination     

交换机-t nat必须能够路由规则。

删除规则

$ sudo iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to 5671
[ec2-user@ip-172-31-27-46 ~]$ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

相关内容