Simple port forwarding with iptables

I start with the following, which doesn't seem necessary, but it doesn't seem to hurt:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

The following two commands create port forwarding from port 5433 to port 5432.

sudo /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 5433 -m comment --comment "Port forward 5433->5432" -j REDIRECT --to-ports 5432
sudo /sbin/iptables -t nat -A OUTPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 5433 -m comment --comment "Port forward 5433->5432" -j REDIRECT --to-ports 5432

This works locally. Both of the following commands successfully connect and get "Empty reply" because the listening server is not HTTP.

curl http://localhost:5432
curl http://localhost:5433

However, when I run the same commands from another server:

curl http://<local IP>:5432
curl http://<local IP>:5433

The 5432 curl connects, but the 5433 curl does not, which means the port forwarding doesn't seem to work from a remote server.

How can I fix my iptables rules to make port forwarding work from remote servers as well as local servers?

I see the second rule specifies a "source" IP of 127.0.0.1/32. I tried changing this and couldn't find something that worked.

2
asked 11 May 2017 at 00:00
1 answer
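As an added example (not code from the question or the answer), here is a small POSIX shell script that builds the same REDIRECT-based forward as the question, prints the rules unless run as root with --apply, and adds the two checks a "works locally, fails remotely" symptom most often needs: that the interface named in -i actually exists on the host, and that the PREROUTING rule's packet counter moves when a remote client connects. The interface name, ports and comment string are assumptions the reader adjusts; the sample counter output in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Builds and verifies a REDIRECT
# port forward FROM_PORT -> TO_PORT on this host.
# Usage:  sh portfwd.sh            (print the rules only)
#         sudo sh portfwd.sh --apply   (install them and show the counter)
# IFACE/FROM_PORT/TO_PORT are assumed defaults; override via the environment.

IFACE="${IFACE:-eth0}"
FROM_PORT="${FROM_PORT:-5433}"
TO_PORT="${TO_PORT:-5432}"

# Emit the rule set as iptables commands.
# - Remote traffic enters via nat PREROUTING; locally generated traffic never
#   passes PREROUTING, so it needs the nat OUTPUT rule instead.
# - REDIRECT rewrites the destination port in place. Because NAT runs before
#   the filter INPUT chain, INPUT sees dport TO_PORT, so that is the port the
#   filter rule has to accept (a rule for FROM_PORT alone would not match).
# - Traffic stays on this host, so FORWARD, ip_forward and MASQUERADE are not
#   involved; they matter only when the target is another machine.
fwd_rules() {
    iface=$1; from=$2; to=$3
    cat <<EOF
iptables -t nat -A PREROUTING -i $iface -p tcp --dport $from -m comment --comment "fwd $from->$to" -j REDIRECT --to-ports $to
iptables -t nat -A OUTPUT -o lo -p tcp --dport $from -m comment --comment "fwd $from->$to" -j REDIRECT --to-ports $to
iptables -A INPUT -i $iface -p tcp --dport $to -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# A PREROUTING rule with "-i eth0" on a host whose NIC is called ens3 matches
# nothing and fails silently. Check the name against a list of interfaces
# (in --apply mode the list comes from `ip -o link`).
iface_present() {
    iface=$1; shift
    for i in "$@"; do
        [ "$i" = "$iface" ] && return 0
    done
    return 1
}

# Read `iptables -t nat -L PREROUTING -v -n -x` output on stdin and print the
# packet counter of the rule carrying the given comment, or -1 if no rule has
# it. A counter that stays at 0 while a remote client retries means the rule
# never matches (wrong interface, wrong port, or a rule earlier in the chain).
rule_pkts() {
    comment=$1
    awk -v c="$comment" 'index($0, c) { print $1; found = 1 }
                         END { if (!found) print "-1" }'
}

if [ "$1" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply rules" >&2; exit 1; }
    ifaces=$(ip -o link | awk -F': ' '{ print $2 }' | sed 's/@.*//')
    # shellcheck disable=SC2086  # word-splitting the list is intended
    iface_present "$IFACE" $ifaces || { echo "interface $IFACE not found; ingress interface is one of: $ifaces" >&2; exit 1; }
    fwd_rules "$IFACE" "$FROM_PORT" "$TO_PORT" | sh -e
    printf 'PREROUTING redirect rule packet counter: '
    iptables -t nat -L PREROUTING -v -n -x | rule_pkts "fwd $FROM_PORT->$TO_PORT"
else
    fwd_rules "$IFACE" "$FROM_PORT" "$TO_PORT"
fi
```

After applying, connect from the remote host once and run the counter line again: if it stays at 0, the PREROUTING rule is not seeing the packets at all (typically the -i name or an earlier rule), whereas a rising counter with a still-failing connection points at the filter INPUT chain for port 5432.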

You need to know two things.

You have to add a MASQUERADE rule to your NAT block (see the instructions there, for example for the whole interface or for only one port). And you have to allow forwarding by removing the rule in the filter block, if it exists in your iptables configuration.

0
answered 3 December 2019 at 14:11
