本地网络 >> 中转IP:183.60.100.8 >> 目标IP:103.79.78.76
温馨提示
如果是远程操作的话,请做好定时防火墙失效,防止自己连接不上。
每10分钟关闭防火墙1
2 crontab -e
*/10 * * * * /data/shell/stop_ufw.sh
非常简单的代码1
2
3
4
5
6$ cat /data/shell/stop_ufw.sh
###Ubuntu
/usr/sbin/ufw disable
###Centos7
/usr/bin/systemctl stop iptables.service
环境说明
国外目标服务器IP: 103.79.78.76
国内中转服务器IP: 183.60.100.8
iptables 端口转发(CentOS)
注意:一来一去
在中转服务器操作1
2iptables -t nat -A PREROUTING -p tcp --dport [端口号] -j DNAT --to-destination [目标IP]
iptables -t nat -A POSTROUTING -p tcp -d [目标IP] --dport [端口号] -j SNAT --to-source [中转服务器IP]
开启ipv4转发
1 | echo -e "net.ipv4.ip_forward=1" /etc/sysctl.conf |
同端口转发(tcp+udp)
本地网络连接的端口是100101
2
3
4$ iptables -t nat -A PREROUTING -p tcp --dport 10010 -j DNAT --to-destination 103.79.78.76
$ iptables -t nat -A PREROUTING -p udp --dport 10010 -j DNAT --to-destination 103.79.78.76
$ iptables -t nat -A POSTROUTING -p tcp -d 103.79.78.76 --dport 10010 -j SNAT --to-source 183.60.100.8
$ iptables -t nat -A POSTROUTING -p udp -d 103.79.78.76 --dport 10010 -j SNAT --to-source 183.60.100.8
不同端口转发
本地网络连接的端口依旧是10010,而不是100861
2$ iptables -t nat -A PREROUTING -p tcp -m tcp --dport 10010 -j DNAT --to-destination 103.79.78.76:10086
$ iptables -t nat -A POSTROUTING -p tcp -m tcp -d 103.79.78.76 --dport 10086 -j SNAT --to-source 183.60.100.8
多端口转发
本地网络连接的端口是10000-10010
1 | $ iptables -t nat -A PREROUTING -p tcp -m tcp --dport 10000:10010 -j DNAT --to-destination 103.79.78.76 |
保存iptables配置
1 | service iptables save |
删除NAT规则
删除第一个规则1
2iptables -t nat -D POSTROUTING 1
iptables -t nat -D PREROUTING 1
ufw端口转发(Ubuntu)
编辑 etc/default/ufw文件中更改参数DEFAULT_FORWARD_POLICY1
default_forward_policy = "accept"
配置/etc/ufw/sysctl.conf 允许ipv4转发(默认情况下,参数被注释掉)。如果你想要ipv6取消注释。
1 | net/ipv4/ip_forward=1 |
最后一步是添加NAT到/etc/ufw/before.rules的配置。将以下内容添加到过滤器规则(*filter)之前
1 | # NAT Table rules #2017/10/11 |
注意*nat,以COMMIT结尾才会生效。*filter一个COMMIT,*nat一个COMMIT。不能总用一个COMMIT。
现在通过重新启动ufw启用更改。1
sudo ufw disable && sudo ufw enable
查看iptables生效状态
在中转服务器查看1
2
3
4
5
6
7
8
9
10
11
12
13
14$ iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 3531 packets, 06K bytes)
pkts bytes target prot opt in out source destination
12103 33K DNAT tcp -- any any anywhere anywhere tcp dpt:10010 to:103.79.78.76
Chain INPUT (policy ACCEPT 3372 packets, 97K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 970 packets, 52079 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 970 packets, 52079 bytes)
pkts bytes target prot opt in out source destination
12103 33K SNAT tcp -- any any anywhere 103.79.78.76 tcp dpt:10010 to:183.60.100.8
查看指定规则表状态
iptables -t nat -vnL POSTROUTING
iptables -t nat -vnL PREROUTING
查看连接状态
在目标服务器查看1
2
3
4
5
6
7
8
9$ lsof -i:10010
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
python 3187 root 3u IPv4 26485 0t0 TCP *:10010 (LISTEN)
python 3187 root 4u IPv4 26486 0t0 UDP *:10010
python 3187 root 8u IPv4 93464 0t0 TCP 103.79:10010->183.60:60835 (ESTABLISHED)
python 3187 root 10u IPv4 93645 0t0 TCP 103.79:10010->183.60:60866 (ESTABLISHED)
python 3187 root 14u IPv4 83358 0t0 TCP 103.79:10010->183.60:58893 (ESTABLISHED)
python 3187 root 15u IPv4 92698 0t0 TCP 103.79:10010->183.60:60495 (ESTABLISHED)
python 3187 root 17u IPv4 83360 0t0 TCP 103.79:10010->183.60:58898 (ESTABLISHED)
https://help.ubuntu.com/lts/serverguide/firewall.html#ip-masquerading
