How to configure iptables to achieve local port forwarding

Time: 2020-11-19

Scenario
Suppose you are debugging a web application under resin and have to restart resin frequently. The application must be reachable on port 80, but Linux only lets root (or a process holding CAP_NET_BIND_SERVICE) bind ports below 1024, and you do not want to keep a root terminal open the whole time you are debugging. Instead, run resin on its default port 8080 as an unprivileged user and use iptables to make it answer on port 80 as well. The application process itself stays unprivileged; only the one-off rule setup needs root.
Method
Redirect TCP connections to port 80 to local port 8080. DNAT (destination network address translation) does exactly this. Because iptables passes remotely originated and locally generated packets through different chains, the two cases need separate rules. Assume the machine's IP is 192.168.4.177.
Remote connection
A remote connection is one made from another machine to this one. Packets arriving from the network traverse the PREROUTING chain of the nat table before the routing decision, so a single DNAT rule in PREROUTING is enough. Note that the rule rewrites the destination to 192.168.4.177:8080 rather than 127.0.0.1:8080: the kernel drops forwarded packets aimed at the loopback range unless net.ipv4.conf.eth0.route_localnet is enabled.

The code is as follows:

# iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.4.177 --dport 80 -j DNAT --to-destination 192.168.4.177:8080

Local connection
A local connection is one where a process on this machine connects to 127.0.0.1 or to the machine's own address. Such packets never go out through a network card: the kernel loops them back and delivers them to the local process directly. In iptables they traverse the OUTPUT chain (and then POSTROUTING), never PREROUTING, so the DNAT rule has to be placed in the OUTPUT chain of the nat table. Connecting to the host's own IP (192.168.4.177) is also a local connection, so it needs a rule alongside the one for 127.0.0.1.

The code is as follows:

# iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j DNAT --to-destination 127.0.0.1:8080
# iptables -t nat -A OUTPUT -p tcp -d 192.168.4.177 --dport 80 -j DNAT --to-destination 127.0.0.1:8080
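The three rules above applied as one idempotent script, added here as an example (it is not code from the original article): the PREROUTING rule for remote clients and the two OUTPUT rules for local clients, with each rule checked via iptables -C (available since iptables 1.4.11) before it is appended so that re-running the script does not stack duplicates. The script name, the function names and the DRY_RUN variable are this example's own; with DRY_RUN=1 it prints the commands instead of executing them, which also lets you review the rule set without root.

```shell
#!/bin/sh
# Added example (not from the original article): apply the port-80 -> 8080 mapping
# with one command, covering both the remote (PREROUTING) and local (OUTPUT) cases.
# Script name, function names and the DRY_RUN variable are this example's own.
# Run as root to apply; set DRY_RUN=1 to print the iptables commands instead.
set -eu

# add_rule TABLE CHAIN RULE...: append the rule unless an identical one already
# exists (iptables -C exits 0 if it does), so re-running the script, e.g. from
# rc.local, does not pile up duplicate rules. With DRY_RUN=1 the command is printed.
add_rule() {
    table=$1
    chain=$2
    shift 2
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "iptables -t $table -A $chain $*"
    elif ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        iptables -t "$table" -A "$chain" "$@"
    fi
}

# redirect_port IFACE HOST_IP FROM_PORT TO_PORT
# Makes a service listening on TO_PORT (bound to HOST_IP or 0.0.0.0) answer on
# FROM_PORT for every kind of client.
redirect_port() {
    iface=$1
    host_ip=$2
    from=$3
    to=$4
    # Remote clients: packets arrive on IFACE and traverse nat/PREROUTING. The new
    # destination is HOST_IP, not 127.0.0.1: the kernel drops forwarded packets
    # aimed at loopback unless net.ipv4.conf.IFACE.route_localnet is set.
    add_rule nat PREROUTING -p tcp -i "$iface" -d "$host_ip" --dport "$from" \
        -j DNAT --to-destination "$host_ip:$to"
    # Local clients: locally generated packets never see PREROUTING; they pass
    # through nat/OUTPUT whether they target 127.0.0.1 or the host's own address,
    # so both destinations need a rule.
    add_rule nat OUTPUT -p tcp -d 127.0.0.1 --dport "$from" \
        -j DNAT --to-destination "127.0.0.1:$to"
    add_rule nat OUTPUT -p tcp -d "$host_ip" --dport "$from" \
        -j DNAT --to-destination "127.0.0.1:$to"
}

# Usage: DRY_RUN=1 sh portfwd.sh eth0 192.168.4.177 80 8080
if [ $# -eq 4 ]; then
    redirect_port "$@"
fi
```

Run it once with DRY_RUN=1 to see the exact rules, then as root without it; a second run is a no-op because every rule already passes the -C check.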

Notes
IP forwarding only matters when the translated destination is a different host (as in the worked example below); packets DNATed to a port on the same machine are still delivered locally and do not need it. Enabling it turns the machine into a router for any traffic that reaches it, so pair it with a restrictive FORWARD policy. To enable it for the running kernel:

The code is as follows:

# echo 1 > /proc/sys/net/ipv4/ip_forward

While experimenting, remember that a plain iptables -F only flushes the filter table; to reset the rules above you must flush the nat table explicitly:

The code is as follows:

# iptables -F -t nat

Worked example
Here port 3389 on the local interface address 61.144.a.b is forwarded to port 3389 on 116.6.c.d: a client that connects to 61.144.a.b:3389 is transparently connected to 116.6.c.d:3389. The PREROUTING DNAT rule rewrites the destination on the way in; the POSTROUTING SNAT rule rewrites the source on the way out, so 116.6.c.d answers to 61.144.a.b and the replies come back through this machine even if 116.6.c.d would not otherwise route to the client via this box. The price is that 116.6.c.d no longer sees the real client address in its logs. Port 3389 is RDP; where possible, restrict the PREROUTING rule with -s to known client networks rather than exposing it to everyone.
1. First set net.ipv4.ip_forward = 1 in the /etc/sysctl.conf configuration file (the default is 0); without it the kernel will not forward the DNATed packets to 116.6.c.d.
2. Stop the firewall with service iptables stop. This also removes every filter rule, so the host is unprotected until the rules are reloaded in step 5.
3. Reconfigure the rules:

The code is as follows:

iptables -t nat -A PREROUTING --dst 61.144.a.b -p tcp --dport 3389 -j DNAT --to-destination 116.6.c.d:3389
iptables -t nat -A POSTROUTING --dst 116.6.c.d -p tcp --dport 3389 -j SNAT --to-source 61.144.a.b
service iptables save

4. service iptables save writes the current rules to /etc/sysconfig/iptables.
If you are familiar with this file, editing it directly is equivalent to entering the rules on the command line.
5. Start the iptables service: service iptables start

The rules can also be put in a script that is run at boot, for example by calling it from /etc/rc.local:

The code is as follows:

# vi /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

sh /root/myshipin.log
---------------------------------------------------------------------
vi myshipin.log
#!/bin/sh
#
# Run from /etc/rc.local at boot: flush the nat table, then recreate the 3389
# forwarding (DNAT on the way in, hairpin SNAT on the way out).

iptables -F -t nat
iptables -t nat -A PREROUTING --dst 61.144.a.b -p tcp --dport 3389 -j DNAT --to-destination 116.6.c.d:3389
iptables -t nat -A POSTROUTING --dst 116.6.c.d -p tcp --dport 3389 -j SNAT --to-source 61.144.a.b
----------------------------------------------------------------
The same pair of rules works for any port, and for UDP as well as TCP; for example, forwarding to an internal host 10.94.a.b:

TCP

iptables -t nat -A PREROUTING --dst 61.144.a.b -p tcp --dport 9304 -j DNAT --to-destination 10.94.a.b:9304
iptables -t nat -A POSTROUTING --dst 10.94.a.b -p tcp --dport 9304 -j SNAT --to-source 61.144.a.b

UDP

iptables -t nat -A PREROUTING --dst 61.144.a.b -p udp --dport 9305 -j DNAT --to-destination 10.94.a.b:9305
iptables -t nat -A POSTROUTING --dst 10.94.a.b -p udp --dport 9305 -j SNAT --to-source 61.144.a.b
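The forwarding-to-another-host pattern from the 3389 example and the TCP/UDP rules above, generalised into a script; this is an added example, not code from the original article. Besides the DNAT and hairpin SNAT rules shown on the page it adds the two things that most often make such a mapping silently fail in practice: a check that net.ipv4.ip_forward is 1, and explicit FORWARD-chain accepts, because the DNATed packet is forwarded rather than delivered locally and a DROP policy on FORWARD discards it. It also takes an optional client network so the mapping is not open to the whole Internet. The script name, the function names and the DRY_RUN variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): generate the rule set that
# forwards EXT_IP:PORT on this machine to TARGET_IP:PORT on another host, for TCP
# or UDP, optionally limited to a client network. Script name, function names and
# the DRY_RUN variable are this example's own. Run as root to apply; set DRY_RUN=1
# to print the iptables commands instead.
set -eu

# run CMD...: execute the command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# forward_port EXT_IP PORT TARGET_IP PROTO [ALLOWED_SRC]
# PROTO is tcp or udp. ALLOWED_SRC (CIDR) restricts who may use the mapping; it
# defaults to everyone, which for a service like RDP is rarely what you want.
forward_port() {
    ext_ip=$1
    port=$2
    target=$3
    proto=$4
    src=${5:-0.0.0.0/0}
    case "$proto" in
        tcp|udp) ;;
        *) printf 'forward_port: PROTO must be tcp or udp, got %s\n' "$proto" >&2; return 1 ;;
    esac
    # 1. Rewrite the destination as the packet arrives, so the routing decision
    #    sends it on to TARGET instead of delivering it locally.
    run iptables -t nat -A PREROUTING -p "$proto" -s "$src" -d "$ext_ip" --dport "$port" \
        -j DNAT --to-destination "$target:$port"
    # 2. The rewritten packet crosses the FORWARD chain, which many hosts set to
    #    DROP. Allow the mapped flow and its replies explicitly; with ip_forward=0
    #    or a blocking FORWARD policy the DNAT rule alone does nothing visible.
    run iptables -A FORWARD -p "$proto" -s "$src" -d "$target" --dport "$port" -j ACCEPT
    run iptables -A FORWARD -p "$proto" -s "$target" --sport "$port" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # 3. Hairpin SNAT: TARGET sees EXT_IP as the client, so its replies return via
    #    this machine even when TARGET's routing would not send them here. The
    #    price is that TARGET's own logs no longer show the real client address.
    run iptables -t nat -A POSTROUTING -p "$proto" -d "$target" --dport "$port" \
        -j SNAT --to-source "$ext_ip"
}

# forwarding_enabled: the DNATed packets are routed onward, so the kernel must
# have net.ipv4.ip_forward=1 (persist it in /etc/sysctl.conf).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)" = 1 ]
}

# Usage: DRY_RUN=1 sh fwd.sh 61.144.a.b 3389 116.6.c.d tcp 203.0.113.0/24
if [ $# -ge 4 ]; then
    if [ "${DRY_RUN:-0}" != 1 ] && ! forwarding_enabled; then
        printf 'net.ipv4.ip_forward is 0; the DNATed packets would not be forwarded\n' >&2
        exit 1
    fi
    forward_port "$@"
fi
```

Call it once per protocol (tcp for 9304, udp for 9305 in the example above). Because it appends rules, run it from a boot script that flushes the nat table first, as the rc.local script on this page does, or the rules accumulate across runs.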

Further note:

The iptables configuration file is /etc/sysconfig/iptables. If the external address changes, update the rules there (and in any boot script such as the one above) so they keep matching the new address.