iptables：复制/转发端口

我正在尝试从阻止此端口的网络连接到 MySQL（端口 3306）。但还有另一个端口 110 开放，我可以将其用于本例。我正在将 MySQL 用于其他应用程序，因此我不能简单地更改端口。

我现在正在尝试通过 iptables 设置端口转发。确切地说，我想将110转发到3306，而不阻塞3306。

我花了很多时间谷歌搜索，但我无法让它发挥作用。我也有点担心把我锁在外面。你们中的任何人都可以给我提示吗？

非常感谢！

#~ iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `INPUT INVALID ' 
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
DROP       all  --  anywhere             anywhere            state INVALID 
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:FIN,RST/FIN,RST 
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN 
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:FIN,ACK/FIN 
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:FIN,RST/FIN,RST 
MY_DROP    tcp  --  anywhere             anywhere            tcp flags:FIN,ACK/FIN 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded 
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:www 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssmtp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3s 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imap2 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imaps 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nntp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:mysql 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:ntp 
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:6060 
MY_REJECT  all  --  anywhere             anywhere            
MY_REJECT  all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            state INVALID limit: avg 2/sec burst 5 LOG level warning prefix `OUTPUT INVALID ' 
DROP       all  --  anywhere             anywhere            state INVALID 
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply 
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
MY_REJECT  all  --  anywhere             anywhere            

Chain MY_DROP (7 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level warning prefix `PORTSCAN DROP ' 
LOG        all  --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level warning prefix `PORTSCAN DROP ' 
DROP       all  --  anywhere             anywhere            

Chain MY_REJECT (3 references)
target     prot opt source               destination         
LOG        tcp  --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level warning prefix `REJECT TCP ' 
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 
LOG        tcp  --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level warning prefix `REJECT TCP ' 
LOG        udp  --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level warning prefix `REJECT UDP ' 
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable 
LOG        udp  --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level warning prefix `REJECT UDP ' 
DROP       icmp --  anywhere             anywhere            
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable 
LOG        all  --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level warning prefix `REJECT OTHER ' 
LOG        icmp --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level warning prefix `DROP ICMP ' 
REJECT     all  --  anywhere             anywhere            reject-with icmp-proto-unreachable 
DROP       icmp --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            limit: avg 2/sec burst 5 LOG level warning prefix `REJECT OTHER ' 
REJECT     all  --  anywhere             anywhere            reject-with icmp-proto-unreachable

在 ubuntu 上使用 iptables 转发端口时，您必须：

• 备份您的防火墙设置

sudo iptables-save > iptables.backup

• 确保入口端口打开

sudo ufw allow 110/tcp

• 在防火墙中添加预路由规则

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -j REDIRECT --to-port 3306

注意使用-i eth0。这会将端口 110 路由到网络 eth0 上的 3306。要检查机器的所有连接，请使用ifconfig.
如果您的机器连接到多个网络，则必须使用-i <network> or 不起作用！

• 如果你搞砸了，你可以用以下命令清理 NAT 路由表

sudo iptables -F -t nat

或恢复 iptables

sudo iptables-restore < iptables.backup