1.开启转发模式

echo 1 > /proc/sys/net/ipv4/ip_forward

#参数生效

sysctl -p

2.将与 80 端口的 TCP 连接转接到本地的 8080 端口上,在防火墙上添加如下命令

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.124.21 –dport 80 -j DNAT –to 192.168.124.21:8080

不要忘记保存

简单的配置如下所示:

—————————————————————————————————————-

echo ‘net.ipv4.ip_forward = 1′ >>/etc/sysctl.conf

sysctl -p

iptables-save >/tmp/iptables

iptables -I INPUT -p tcp -m state –state NEW -m tcp –dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth0 –dport 80 -j DNAT 8080

service iptables save

————————————————————————————————————————-

# Generated by iptables-save v1.4.7 on Wed Jul 12 12:22:54 2017

*nat

:PREROUTING ACCEPT [23:3557]

:POSTROUTING ACCEPT [2:135]

:OUTPUT ACCEPT [2:135]

-A PREROUTING -d 192.168.124.21/32 -i eth0 -p tcp -m tcp –dport 80 -j DNAT –to-destination 192.168.124.21:8080

COMMIT

# Completed on Wed Jul 12 12:22:54 2017

# Generated by iptables-save v1.4.7 on Wed Jul 12 12:22:54 2017

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [408:185606]

-A INPUT -p tcp -m state –state NEW -m tcp –dport 8080 -j ACCEPT

-A INPUT -p tcp -m state –state NEW -m tcp –dport 80 -j ACCEPT

-A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p icmp -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -p tcp -m state –state NEW -m tcp –dport 22 -j ACCEPT

-A INPUT -j REJECT –reject-with icmp-host-prohibited

-A FORWARD -j REJECT –reject-with icmp-host-prohibited

COMMIT

 

—————————————————————————————————————-

 

一 从一台机到另一台机端口转发

启用网卡转发功能

#echo 1 > /proc/sys/net/ipv4/ip_forward

举例:从192.168.0.132:21521(新端口)访问192.168.0.211:1521端口

a.同一端口转发(192.168.0.132上开通1521端口访问 iptables -A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 1521 -j ACCEPT)

iptables -t nat -I PREROUTING -p tcp –dport 1521 -j DNAT –to 192.168.0.211

iptables -t nat -I POSTROUTING -p tcp –dport 1521 -j MASQUERADE

b.不同端口转发(192.168.0.132上开通21521端口访问 iptables -A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 21521 -j ACCEPT)

iptables -t nat -A PREROUTING -p tcp -m tcp –dport 21521 -j DNAT –to-destination 192.168.0.211:1521

iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -d 192.168.0.211 -p tcp -m tcp –dport 1521 -j SNAT –to-source 192.168.0.132

以上两条等价配置(更简单[指定网卡]):

iptables -t nat -A PREROUTING -p tcp -i eth0 –dport 31521 -j DNAT –to 192.168.0.211:1521

iptables -t nat -A POSTROUTING -j MASQUERADE

保存iptables

#service iptables save

#service iptables restart

二 用iptables做本机端口转发

代码如下:

iptables -t nat -A PREROUTING -p tcp –dport 80 -j REDIRECT –to-ports 8080

估计适当增加其它的参数也可以做不同IP的端口转发。

如果需要本机也可以访问,则需要配置OUTPUT链(********特别注意:本机访问外网的端口会转发到本地,导致访不到外网,如访问yown.com,实际上是访问到本地,建议不做80端口的转发或者指定目的 -d localhost):

iptables -t nat -A OUTPUT -d localhost -p tcp –dport 80 -j REDIRECT –to-ports 8080

原因:

外网访问需要经过PREROUTING链,但是localhost不经过该链,因此需要用OUTPUT。

https://www.jianshu.com/p/177a06511574