CentOS uses iptables to redirect website access

Source: Internet
Author: User

For some reason we need to redirect httpd traffic that is sent to 10.0.3.49 over to 10.0.3.26, so we looked at how to use the iptables NAT table to redirect an IP address and port. It is actually very simple: only two steps are needed.

1. Make sure IP forwarding is enabled on the Linux server 10.0.3.49:

echo 1 > /proc/sys/net/ipv4/ip_forward

2. On 10.0.3.49, set up the NAT redirection of the IP address and port 80:

iptables -t nat -A PREROUTING -p tcp --dport 80 -d 10.0.3.49 -j DNAT --to-destination 10.0.3.26:80

iptables -t nat -A POSTROUTING -d 10.0.3.26 -p tcp --dport 80 -j SNAT --to-source 10.0.3.49

(The SNAT rule rewrites only the source address. Giving --to-source a fixed port such as :80 would pin every rewritten connection to that single source port, which leaves room for only one mapping at a time.)

iptables -A FORWARD -d 10.0.3.26 -j ACCEPT
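The two steps above, written up as one reviewable script. This is an added example and not the original post's code: the variable names FRONT, BACKEND and PORT, the "apply" argument and the function names are this example's own choices, the addresses default to the post's values, and the idempotent re-apply relies on iptables -C (present in iptables 1.4.11 and later; on an older build the check simply fails and the rule is appended as before). Writing to /proc does not survive a reboot; net.ipv4.ip_forward = 1 in /etc/sysctl.conf makes step 1 persistent.

```shell
#!/bin/sh
# Added example (not from the original post): the two redirect steps as an
# idempotent script with a pre-flight check. FRONT/BACKEND/PORT are this
# script's own variable names; the defaults are the post's addresses.
FRONT="${FRONT:-10.0.3.49}"      # host whose port 80 is being redirected
BACKEND="${BACKEND:-10.0.3.26}"  # host that really serves the site
PORT="${PORT:-80}"

# Step 1 check: returns 0 when the kernel forwards packets between interfaces.
# The optional path argument lets the check be pointed at a test file.
forwarding_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Step 2: the three rules, printed as iptables argument strings (without the
# leading "iptables") so they can be reviewed or tested before being applied.
# The SNAT rule deliberately gives no port: a fixed source port would leave
# room for only one mapping at a time.
redirect_rules() {
  front="$1"; backend="$2"; port="$3"
  printf '%s\n' \
    "-t nat -A PREROUTING -d $front -p tcp --dport $port -j DNAT --to-destination $backend:$port" \
    "-t nat -A POSTROUTING -d $backend -p tcp --dport $port -j SNAT --to-source $front" \
    "-A FORWARD -d $backend -p tcp --dport $port -j ACCEPT"
}

# Append each rule only if it is not already present. -C (check) needs
# iptables >= 1.4.11; on an older build the check fails and we append anyway.
apply_rules() {
  redirect_rules "$FRONT" "$BACKEND" "$PORT" | while read -r rule; do
    check=$(printf '%s' "$rule" | sed 's/-A /-C /')
    # word splitting of $check / $rule into iptables arguments is intended
    iptables $check 2>/dev/null || iptables $rule
  done
}

if [ "${1:-}" = "apply" ]; then
  # must run as root on the front host (10.0.3.49 in the post)
  forwarding_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward
  apply_rules
else
  # dry run: show the forwarding state and the exact commands that would run
  if forwarding_enabled; then echo "ip_forward: on"; else echo "ip_forward: OFF"; fi
  redirect_rules "$FRONT" "$BACKEND" "$PORT" | sed 's/^/iptables /'
fi
```

Run it without arguments first to review the commands, then with apply as root. Afterwards `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` show per-rule packet counters, which is the quickest way to see whether the DNAT rule is actually matching incoming SYNs.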

If it still does not work, run tcpdump -nn -i any port 80 on both servers to check whether traffic is entering and leaving their NICs, and check whether your iptables rules allow it. My iptables rules are set as follows:

iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p tcp --dport 65400:65410 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p udp --dport 53 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 --sport 1024:65534 -j ACCEPT
/etc/init.d/iptables save

Problems:

1. iptables -A FORWARD -d 10.0.3.26 -j ACCEPT was not set.

Viewing the traffic on 10.0.3.49:

[root@vb01 ~]# tcpdump -nn -i any port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
20:20:27.704953 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:27.706000 IP 10.0.3.27.54605 > 10.0.3.49.80: Flags [S], seq 18175173, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:27.951043 IP 10.0.3.27.54607 > 10.0.3.49.80: Flags [S], seq 984209039, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:30.703240 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:30.710931 IP 10.0.3.27.54605 > 10.0.3.49.80: Flags [S], seq 18175173, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:30.949540 IP 10.0.3.27.54607 > 10.0.3.49.80: Flags [S], seq 984209039, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:36.698054 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, options [mss 1460,nop,nop,sackOK], length 0
20:20:36.715184 IP 10.0.3.27.54605 > 10.0.3.49.80: Flags [S], seq 18175173, win 8192, options [mss 1460,nop,nop,sackOK], length 0
20:20:36.951390 IP 10.0.3.27.54607 > 10.0.3.49.80: Flags [S], seq 984209039, win 8192, options [mss 1460,nop,nop,sackOK], length 0

We can see that every packet carries only the S (SYN) flag: the same three client ports retransmit their SYN at 3-second and then 6-second intervals and no SYN-ACK ever comes back, so the TCP connection requests are never answered. The local iptables is therefore probably not allowing traffic with destination address 10.0.3.26 to be forwarded.
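The diagnosis above (SYNs that are retransmitted but never answered) can be made mechanically over a capture. The script below is an added example, not part of the original post: it reads tcpdump -nn lines and, per client flow, counts SYNs and SYN-ACKs and flags flows that never got a reply. The sample lines are constructed in the format of the post's capture; the 10.0.3.27 flow mirrors the post, while the 10.0.3.30 client and its successful handshake are made up to show the contrast. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): classify flows in tcpdump output
# by whether their SYN was ever answered with a SYN-ACK.

# Reads "tcpdump -nn" lines on stdin and prints, one line per client flow:
#   <client ip.port> <server ip.port> <syn count> <synack count> <verdict>
# A flow with SYNs but no SYN-ACK is what the post's capture showed on 10.0.3.49.
flow_report() {
  awk '
    # Field layout: "20:20:27.704953 IP src.port > dst.port: Flags [S], seq ..."
    $2 == "IP" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      flags = $7; sub(/,$/, "", flags)
      if (flags == "[S]")       syn[src " " dst]++        # client -> server SYN
      else if (flags == "[S.]") synack[dst " " src]++     # server reply, keyed by client
    }
    END {
      for (k in syn) {
        verdict = (synack[k] > 0) ? "ok" : "NO-SYNACK"
        print k, syn[k] + 0, synack[k] + 0, verdict
      }
    }' | sort
}

# Constructed sample capture: 10.0.3.27 retries its SYN three times and never
# hears back (as in the post); the made-up client 10.0.3.30 completes a handshake.
sample_capture() {
  cat <<'EOF'
20:20:27.704953 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:30.703240 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:36.698054 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, options [mss 1460,nop,nop,sackOK], length 0
20:20:40.100000 IP 10.0.3.30.40000 > 10.0.3.49.80: Flags [S], seq 1, win 8192, options [mss 1460,sackOK], length 0
20:20:40.100500 IP 10.0.3.49.80 > 10.0.3.30.40000: Flags [S.], seq 2, ack 2, win 14600, options [mss 1460,sackOK], length 0
20:20:40.101000 IP 10.0.3.30.40000 > 10.0.3.49.80: Flags [.], ack 1, win 8192, length 0
EOF
}

# Run directly to see the report for the constructed sample.
sample_capture | flow_report
```

Against a live box, feed it a bounded capture, for example `tcpdump -nn -i any -c 200 port 80 | flow_report`, on 10.0.3.49 and again on 10.0.3.26. With the post's rules in place, a SYN that arrives at 10.0.3.49 should reappear on 10.0.3.26 with source 10.0.3.49 (the SNAT) and destination 10.0.3.26.80 (the DNAT); if it shows up on the first host only, the FORWARD chain or the nat rules on 10.0.3.49 are the place to look.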

This article is from the "galei" blog; please keep this source: http://galean.blog.51cto.com/7702012/1275039
