Iptables remote port forwarding needs to use the port forwarding function of iptables again today. I used it once six months ago. I forgot about it. I learned it again this time and wrote it to my blog to deepen my memory. Iptables's remote port forwarding uses the iptables provided by linux to implement NAT. Of course, iptables has implemented this function. All we need to do is configure (write the configuration file of iptables ). 1. When to use this function when you need the NAT Function, but now the NAT Function needs to run on a linux machine rather than a router. Vrouters have a dedicated interface for you to configure NAT, but common linux does not have such a friendly Routing Management System. Only iptables is available for us. If you don't know what NAT is, you don't need to read it down, but to help you understand it, I 'd like to describe the scenario A Little. Today, the company has A server A on the internet, hoping to use the company's existing ldap service. However, server B running ldap exists in the company's intranet. To connect A to B, we hope to use server C as the gateway, route, or springboard. Because C has two NICs, Intranet and Internet, it is the gateway or link between Intranet and Internet. We want C to forward port 389 from A to port 389 of server C (default port of ldap Service) connected to server B. This forwarding operation can be divided into two parts: 1. when C receives A tcp connection request from A, change the target address C. public_ip is B. ip address, and sent to the Intranet 2. when C receives A response from B to A, it returns the source address B. change ip address to C. public_ip and send it to the Internet. how to configure iptables to add or insert or delete routing rules to or from the iptables System Using/sbin/iptables. The forwarding operation only takes two steps, but the system administrator does more work than the two steps: 1. make sure that $/sbin/sysctl net is enabled for the forwarding function in the operating system. ipv4.ip _ forwardnet. ipv4.ip _ forward = 1 if the returned value is 1, it is enabled. If the returned value is 0, it is not enabled. The default status is disabled. If not, edit/etc/sysctl. conf file, find net. ipv4.ip _ forward = 0 and change it to 1. Then run the command $/sbin/sysctl-p/etc/sysctl. conf 2. use/sbin/iptables to add routing rules [html]/sbin/iptables-p forward drop/sbin/iptables-p input drop/sbin/iptables-a input-p tcp -- dport 389 -j ACCEPT/sbin/iptables-t nat-p prerouting accept/sbin/iptables-t nat-p postrouting accept/sbin/iptables-a forward-o eth0-I eth1-s a. ip-d B. ip-j ACCEPT/ Sbin/iptables-a forward-o eth1-I eth0-s B. ip-d. ip-j ACCEPT/sbin/iptables-t nat-a prerouting-I eth1-p tcp-s. ip -- dport 389-j DNAT -- to-destination B. ip: 389/sbin/iptables-t nat-a postrouting-o eth0-j MASQUERADE core rules are in row 8th and row 9. Row 8 executes the first part of the forwarding mentioned above, and row 9 executes the second part of the forwarding mentioned above. Specify the Default policy in line 1 and Line 2. If any routing rule is not applicable to a request, execute the default action DROP. Line 3 indicates that requests with the target port 389 are allowed. Lines 4 and 5 indicate the PREROUTING and postroutinglines that allow NAT. Lines 7 indicate that forwarding between A and B is allowed. That is, when the Internet is switched to the Intranet, the source must be A and the target is B. Why not C? Because FORWARD rules are verified after PREROUTING, the destination address has been changed to B's ip address. When the Intranet is switched to the Internet, the source must be B for the purpose of B. Why is the source not C? Isn't POSTROUTING supposed to overwrite the source to C's own public ip address? This is because POSTROUTING is performed after FORWARD. After reading the figure below, you can understand the iptables mechanism packet in ---> --- PREROUTING --- [routing] ---> ---- FORWARD ---- --- POSTROUTING ---> --- packet out-mangle |-mangle-nat (dst) |-filter-nat (src) | input output-mangle-filter-nat (dst) |-filter | '----> ---- [application] ----> ---- '3. finally, save the current iptables rules to the hard disk so that you can remember this update after restarting the machine. Remember, you will surely make a mistake in this place, and you will find that the rules are changing. It takes a few hours for crazy experiments to understand what is going on. Finally, we found that the iptables-save tool was used incorrectly. No parameter was provided or the parameter was incorrect. Remember the following method. /Etc/init. d/iptables save because when you are new to iptables, you will find a tool named iptables-save in the same directory, people tend to use it confidently to save or persist iptables rules that have been changed before. Once the machine is restarted, it will go crazy and no changes will be made. After careful research, I found that iptables-save needs to specify the file to which the parameter is saved!
But if you save it to a file, you have to manually load it to iptables every time you restart it, so the network will be abnormal for a while. Is there a configuration file read by iptables by default? Yes, in/etc/sysconfig/iptables. You can run the/sbin/iptables-save/etc/sysconfig/iptables command by hand. However, you can also use/etc/init. d/iptables save to save