For some reason, we need to redirect the httpd service that clients reach at 10.0.3.49 to 10.0.3.26, so we studied how to use the NAT tables of iptables to redirect an IP address and port. It is actually very simple; only two steps are needed.
1. Make sure IP forwarding is enabled on the Linux server 10.0.3.49:
echo 1 > /proc/sys/net/ipv4/ip_forward
2. On 10.0.3.49, set up the NAT redirection of the IP address and port 80:
iptables -t nat -A PREROUTING -p tcp --dport 80 -d 10.0.3.49 -j DNAT --to 10.0.3.26:80
iptables -t nat -A POSTROUTING -d 10.0.3.26 -p tcp --dport 80 -j SNAT --to 10.0.3.49:80
iptables -A FORWARD -d 10.0.3.26 -j ACCEPT
If it still fails, run tcpdump -nn -i any port 80 on both servers to check whether packets are actually arriving on and leaving their NICs, and check whether your iptables rules permit the traffic. My iptables rules are set as follows:
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --dport 21 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 65400:65410 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 22 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 25 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p UDP --dport 53 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 53 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 80 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 110 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 443 --sport 1024:65534 -j ACCEPT
/etc/init.d/iptables save
Problems encountered:
1. The rule iptables -A FORWARD -d 10.0.3.26 -j ACCEPT was not set.
Captured traffic on 10.0.3.49:
[root@vb01 ~]# tcpdump -nn -i any port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
20:20:27.704953 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:27.706000 IP 10.0.3.27.54605 > 10.0.3.49.80: Flags [S], seq 18175173, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:27.951043 IP 10.0.3.27.54607 > 10.0.3.49.80: Flags [S], seq 984209039, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:30.703240 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:30.710931 IP 10.0.3.27.54605 > 10.0.3.49.80: Flags [S], seq 18175173, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:30.949540 IP 10.0.3.27.54607 > 10.0.3.49.80: Flags [S], seq 984209039, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:36.698054 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, options [mss 1460,nop,nop,sackOK], length 0
20:20:36.715184 IP 10.0.3.27.54605 > 10.0.3.49.80: Flags [S], seq 18175173, win 8192, options [mss 1460,nop,nop,sackOK], length 0
20:20:36.951390 IP 10.0.3.27.54607 > 10.0.3.49.80: Flags [S], seq 984209039, win 8192, options [mss 1460,nop,nop,sackOK], length 0
We can see that every packet carries only the S flag, i.e. the same SYNs are being retransmitted and no SYN/ACK ever comes back, so the TCP connection requests are going unanswered. Therefore the local iptables most likely does not allow forwarding of traffic whose destination address is 10.0.3.26.
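The two pieces of the post, the redirect rules from step 2 and the tcpdump diagnosis above, as an added example that is not part of the original post: one helper emits the DNAT/SNAT/FORWARD rules for a given front address, backend and port, and the other reads tcpdump -nn output and lists the flows that only ever show a bare SYN and never receive a SYN/ACK. It assumes plain --to-source with no fixed port (the post pins the source to :80) and runs against a constructed capture, not the post's real hosts.

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers: one emits the post's
# DNAT/SNAT/FORWARD rules for given addresses, the other reads tcpdump -nn output
# and lists TCP flows that only ever show a bare SYN and never get a SYN/ACK back,
# the symptom the post diagnoses by eye.

# Emit the redirect rules for FRONT (the address clients hit) -> BACKEND.
# Assumption: plain --to-source with no port, so conntrack picks a free source
# port for each forwarded connection instead of pinning every one to :80.
nat_redirect_rules() {
  front=$1; backend=$2; port=${3:-80}
  printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -d %s -j DNAT --to-destination %s:%s\n' \
    "$port" "$front" "$backend" "$port"
  printf 'iptables -t nat -A POSTROUTING -p tcp --dport %s -d %s -j SNAT --to-source %s\n' \
    "$port" "$backend" "$front"
  printf 'iptables -A FORWARD -p tcp --dport %s -d %s -j ACCEPT\n' "$port" "$backend"
}

# Read tcpdump -nn lines on stdin. A line looks like:
#   HH:MM:SS.us IP SRC.PORT > DST.PORT: Flags [S], ...
# so $3 is the source, $5 the destination (with a trailing colon) and $7 the flags.
# Print "client -> server" for every flow that sent [S] but never saw [S.] back.
unanswered_syns() {
  awk '
    $2 == "IP" && $6 == "Flags" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      flag = $7; sub(/,$/, "", flag)
      if (flag == "[S]")  syn[src " -> " dst] = 1
      if (flag == "[S.]") ack[dst " -> " src] = 1   # reply: key it as client -> server
    }
    END { for (f in syn) if (!(f in ack)) print f }
  ' | sort
}

# Constructed sample capture: port 54604 retransmits its SYN and never gets an
# answer (the post's failure), port 54605 completes the handshake.
SAMPLE='20:20:27.704953 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, length 0
20:20:30.703240 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, length 0
20:20:31.100000 IP 10.0.3.27.54605 > 10.0.3.49.80: Flags [S], seq 18175173, win 8192, length 0
20:20:31.100400 IP 10.0.3.49.80 > 10.0.3.27.54605: Flags [S.], seq 1, ack 18175174, win 14600, length 0'

# Demo: print the rules for the post's hosts, then diagnose the sample capture.
nat_redirect_rules 10.0.3.49 10.0.3.26
printf '%s\n' "$SAMPLE" | unanswered_syns
```

On a live box, pipe `tcpdump -nn -l -i any port 80` into `unanswered_syns` for a while and stop it with Ctrl-C; any flow it prints is one the NAT box saw but never answered.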
This article is from the "galei" blog; please keep this source when reproducing it: http://galean.blog.51cto.com/7702012/1275039