Get ready:
1, UDP port range mapping
2, TCP port range mapping
3, native port forwarding
4, single port forwarding
Get ready:
Turn on forwarding:

    # cat /etc/sysctl.conf | grep net.ipv4.ip_forward
    net.ipv4.ip_forward = 1

Empty the rules and modify the default policy (back up anything important first):

    # iptables -F -t nat
    # iptables -X -t nat
    # iptables -P INPUT DROP
    # iptables -L -t nat
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

Delete the REJECT rules and restart the service:

    # vim /etc/sysconfig/iptables
    # service iptables restart
1, UDP port range mapping
One-to-one mapping (each matched port is forwarded to the same port number on the inside machine):

    # iptables -t nat -A PREROUTING -p udp --dport 5000:6000 -j DNAT --to 192.168.66.2:5000-6000

Note: a destination range that differs from the matched range results in unpredictable port mapping, for example:

    # iptables -t nat -A PREROUTING -p udp --dport 5000:5010 -j DNAT --to 192.168.66.2:6000-6010

Port-mapping verification. On the machine inside the NAT (192.168.66.2), capture the traffic whose source port is 9999:

    # tcpdump -i eth0 -tnn port 9999
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    IP 172.16.20.245.9999 > 192.168.66.2.5500: UDP, length 1
    IP 172.16.20.245.9999 > 192.168.66.2.5500: UDP, length 1
    IP 172.16.20.245.9999 > 192.168.66.2.5501: UDP, length 1
    IP 172.16.20.245.9999 > 192.168.66.2.5501: UDP, length 1

On the machine outside the NAT (172.16.20.245), send to the NAT machine with source port 9999 and destination ports 5500-5555:

    $ sudo nc -v -u -p 9999 172.16.20.183 5500-5555

Bidirectional communication verification. The machine inside the NAT starts listening:

    # nc -l -u 5555

The machine outside the NAT sends data to the NAT machine:

    $ nc -u 172.16.20.183 5555

Both sides receive each other's data. Conclusion: the port mapping matches exactly and data flows in both directions. Success!
2, TCP port range mapping
TCP port range mapping:

    # iptables -t nat -A PREROUTING -p tcp --dport 2000:2500 -j DNAT --to 192.168.66.2:2000-2500

Verification. Receiving side, the machine inside the NAT (192.168.66.2):

    # tcpdump -i eth0 -tnn portrange 2000-2500
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    IP 172.16.20.245.37446 > 192.168.66.2.2000: Flags [S], seq 1083771445, win 29200, options [mss 1460,sackOK,TS val 3864340 ecr 0,nop,wscale 7], length 0
    IP 192.168.66.2.2000 > 172.16.20.245.37446: Flags [R.], seq 0, ack 1083771446, win 0, length 0
    IP 172.16.20.245.47912 > 192.168.66.2.2001: Flags [S], seq 629593170, win 29200, options [mss 1460,sackOK,TS val 3864344 ecr 0,nop,wscale 7], length 0
    IP 192.168.66.2.2001 > 172.16.20.245.47912: Flags [R.], seq 0, ack 629593171, win 0, length 0
    IP 172.16.20.245.34816 > 192.168.66.2.2002: Flags [S], seq 680276410, win 29200, options [mss 1460,sackOK,TS val 3864345 ecr 0,nop,wscale 7], length 0
    IP 192.168.66.2.2002 > 172.16.20.245.34816: Flags [R.], seq 0, ack 680276411, win 0, length 0
    IP 172.16.20.245.37508 > 192.168.66.2.2003: Flags [S], seq 1070666075, win 29200, options [mss 1460,sackOK,TS val 3864345 ecr 0,nop,wscale 7], length 0
    IP 192.168.66.2.2003 > 172.16.20.245.37508: Flags [R.], seq 0, ack 1070666076, win 0, length 0

Sending side, the machine outside the NAT (172.16.20.245), sending to the NAT machine:

    $ sudo nc -z -w1 -v 172.16.20.183 2000-2500
    nc: connect to 172.16.20.183 port 2000 (tcp) failed: Connection refused
    nc: connect to 172.16.20.183 port 2001 (tcp) failed: Connection refused
    nc: connect to 172.16.20.183 port 2002 (tcp) failed: Connection refused
    nc: connect to 172.16.20.183 port 2003 (tcp) failed: Connection refused
    nc: connect to 172.16.20.183 port 2004 (tcp) failed: Connection refused
    nc: connect to 172.16.20.183 port 2005 (tcp) failed: Connection refused
    nc: connect to 172.16.20.183 port 2006 (tcp) failed: Connection refused
    nc: connect to 172.16.20.183 port 2007 (tcp) failed: Connection refused

Although the connections were refused (nothing is listening on those ports inside the NAT), the SYN packets reached 192.168.66.2 and its RST/ACK responses came back through the NAT: the forwarding path works in both directions.
3, native port forwarding
    # iptables -t nat -A PREROUTING -p tcp --dport 1234 -j REDIRECT --to-ports 2345
    # nc -l -k 2345    # start listening

1. Another host on the LAN accesses port 2345 of this machine directly; watch the tcpdump output:

    $ nc 172.16.20.183 2345    # the remote machine accesses this host, 172.16.20.183 port 2345

tcpdump output on this machine:

    # tcpdump -i eth0 host 172.16.20.245 -tnn
    IP 172.16.20.245.44706 > 172.16.20.183.2345: Flags [S], seq 33366406, win 29200, options [mss 1460,sackOK,TS val 4001328 ecr 0,nop,wscale 7], length 0
    IP 172.16.20.183.2345 > 172.16.20.245.44706: Flags [R.], seq 0, ack 33366407, win 0, length 0

2. Another host on the LAN accesses port 1234 of this machine directly; watch the tcpdump output:

    $ nc 172.16.20.183 1234    # the remote machine accesses this host, 172.16.20.183 port 1234

tcpdump on this machine:

    # tcpdump -i eth0 host 172.16.20.245 -tnn
    IP 172.16.20.245.47332 > 172.16.20.183.1234: Flags [S], seq 3622624416, win 29200, options [mss 1460,sackOK,TS val 4047126 ecr 0,nop,wscale 7], length 0
    IP 172.16.20.183.1234 > 172.16.20.245.47332: Flags [S.], seq 123535638, ack 3622624417, win 14480, options [mss 1460,sackOK,TS val 12018501 ecr 4047126,nop,wscale 6], length 0
    IP 172.16.20.245.47332 > 172.16.20.183.1234: Flags [.], ack 1, win 229, options [nop,nop,TS val 4047126 ecr 12018501], length 0
    IP 172.16.20.245.47332 > 172.16.20.183.1234: Flags [P.], seq 1:2, ack 1, win 229, options [nop,nop,TS val 4047282 ecr 12018501], length 1
    IP 172.16.20.183.1234 > 172.16.20.245.47332: Flags [.], ack 2, win 227, options [nop,nop,TS val 12019122 ecr 4047282], length 0
    IP 172.16.20.245.47332 > 172.16.20.183.1234: Flags [P.], seq 2:3, ack 1, win 229, options [nop,nop,TS val 4047325 ecr 12019122], length 1
    IP 172.16.20.183.1234 > 172.16.20.245.47332: Flags [.], ack 3, win 227, options [nop,nop,TS val 12019297 ecr 4047325], length 0
    IP 172.16.20.245.47332 > 172.16.20.183.1234: Flags [P.], seq 3:4, ack 1, win 229, options [nop,nop,TS val 4047353 ecr 12019297], length 1

The three-way handshake (SYN, SYN/ACK, ACK) completes through the redirect and the data bytes are delivered. Success!
4, single port forwarding
Port forwarding, TCP mode: forward packets that access port 1122 of this machine to 192.168.66.2:5566

    iptables -t nat -A PREROUTING -p tcp --dport 1122 -j DNAT --to-destination 192.168.66.2:5566

Port forwarding, UDP mode: forward packets that access port 2233 of this machine to 192.168.66.2:4455

    iptables -t nat -A PREROUTING -p udp --dport 2233 -j DNAT --to-destination 192.168.66.2:4455
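As an added example (not the post's own code), the shell functions below build the PREROUTING rules from sections 1, 3 and 4 and reject the port-range form that the note in section 1 calls unpredictable. The hosts and ports are the post's; the function names and the range check are mine.

```shell
#!/bin/sh
# Added example, not from the original post. The kernel keeps the original
# destination port only when that port already lies inside the
# --to-destination range; otherwise it picks some free port from the range,
# so a mapping such as 5000:5010 -> 6000-6010 is not one-to-one.

# port_ok PORT -> success if PORT is an integer in 1..65535
port_ok() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# dnat_rule PROTO DPORT_LO DPORT_HI DEST_IP TO_LO TO_HI
# Prints the iptables command, or prints nothing and fails when the
# destination range could not preserve every matched port.
dnat_rule() {
  proto=$1 dlo=$2 dhi=$3 ip=$4 tlo=$5 thi=$6
  case "$proto" in tcp|udp) ;; *) return 2 ;; esac
  for p in "$dlo" "$dhi" "$tlo" "$thi"; do port_ok "$p" || return 3; done
  [ "$dlo" -le "$dhi" ] && [ "$tlo" -le "$thi" ] || return 3
  # Deterministic only if the target is a single port, or every matched
  # port is also inside the target range (so it is kept unchanged).
  if [ "$tlo" -ne "$thi" ] && { [ "$tlo" -gt "$dlo" ] || [ "$thi" -lt "$dhi" ]; }; then
    return 4
  fi
  if [ "$dlo" -eq "$dhi" ]; then dport=$dlo; else dport="$dlo:$dhi"; fi
  if [ "$tlo" -eq "$thi" ]; then to=$tlo; else to="$tlo-$thi"; fi
  printf 'iptables -t nat -A PREROUTING -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$proto" "$dport" "$ip" "$to"
}

# redirect_rule PROTO DPORT TO_PORT -> redirection to a local port (section 3)
redirect_rule() {
  case "$1" in tcp|udp) ;; *) return 2 ;; esac
  port_ok "$2" && port_ok "$3" || return 3
  printf 'iptables -t nat -A PREROUTING -p %s --dport %s -j REDIRECT --to-ports %s\n' \
    "$1" "$2" "$3"
}

# The rules used in the post; the non-port-preserving one is rejected.
dnat_rule udp 5000 6000 192.168.66.2 5000 6000
dnat_rule tcp 2000 2500 192.168.66.2 2000 2500
dnat_rule tcp 1122 1122 192.168.66.2 5566 5566
dnat_rule udp 2233 2233 192.168.66.2 4455 4455
redirect_rule tcp 1234 2345
dnat_rule udp 5000 5010 192.168.66.2 6000 6010 ||
  echo "rejected: 5000:5010 -> 6000-6010 does not preserve ports" >&2
```

The functions only print the commands; pipe the output to sh on the NAT machine once the rules look right.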
This article is from the "Li Chunli" blog; please keep this source when reposting: http://990487026.blog.51cto.com/10133282/1939827
Linux iptables Port forwarding