IPTABLES tcp+udp full-port forwarding (network acceleration)
The advantage of IPTABLES full-port forwarding is its extremely low system resource usage, so even a small 1H1G machine (1 CPU core, 1 GB RAM) can handle it. It also supports high concurrency and high throughput, which can effectively work around poor line quality.
Advantages: full-port tcp+udp
IPTABLES Installation
CentOS system:
yum install iptables -y
Debian/Ubuntu system:
apt install iptables -y
Configure IPV4 forwarding
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1   # enable IP forwarding by changing the default value from 0 to 1
sysctl -p
Configure iptables to load at startup
CentOS system:
service iptables save
chkconfig --level 2345 iptables on
Debian/Ubuntu system:
iptables-save > /etc/iptables.up.rules
echo -e '#!/bin/bash\n/sbin/iptables-restore < /etc/iptables.up.rules' > /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables
Check the IP bound to the local network interface
ifconfig
For example, this is what is shown on my server:
[root@VM_0_5_centos ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 52:54:00:33:5A:FD
          inet addr:172.27.0.5  Bcast:172.27.15.255  Mask:255.255.240.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:814836 errors:0 dropped:0 overruns:0 frame:0
          TX packets:803932 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:744827454 (710.3 MiB)  TX bytes:735461052 (701.3 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
The IP address bound to the eth0 network interface above is 172.27.0.5. Mine is bound to a private IP.
Single-port port forwarding
The two PREROUTING rules rewrite the destination of packets arriving on the local port to the target (DNAT); the two POSTROUTING rules rewrite the source of the forwarded packets to the relay's own IP (SNAT) so that the target's replies come back through the relay instead of going straight to the client.
iptables -t nat -A PREROUTING -p tcp --dport [local port] -j DNAT --to-destination [target IP:target port]
iptables -t nat -A PREROUTING -p udp --dport [local port] -j DNAT --to-destination [target IP:target port]
iptables -t nat -A POSTROUTING -p tcp -d [target IP] --dport [target port] -j SNAT --to-source [IP bound to the local server's primary network interface]
iptables -t nat -A POSTROUTING -p udp -d [target IP] --dport [target port] -j SNAT --to-source [IP bound to the local server's primary network interface]
In the following example, assume that your overseas server (the destination server) is 1.1.1.1, your SS (Shadowsocks) port is 10000, and the IP bound to the primary network interface of the VPS you are currently operating (the relay server) is 2.2.2.2.
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 10000 -j DNAT --to-destination 1.1.1.1:10000
iptables -t nat -A PREROUTING -p udp -m udp --dport 10000 -j DNAT --to-destination 1.1.1.1:10000
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p tcp -m tcp --dport 10000 -j SNAT --to-source 2.2.2.2
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p udp -m udp --dport 10000 -j SNAT --to-source 2.2.2.2
Different-port port forwarding
Forward port 10000 on the local server (relay server 2.2.2.2) to port 30000 on the target IP (destination server) 1.1.1.1:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 10000 -j DNAT --to-destination 1.1.1.1:30000
iptables -t nat -A PREROUTING -p udp -m udp --dport 10000 -j DNAT --to-destination 1.1.1.1:30000
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p tcp -m tcp --dport 30000 -j SNAT --to-source 2.2.2.2
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p udp -m udp --dport 30000 -j SNAT --to-source 2.2.2.2
At this point, when filling in the Shadowsocks information in your Shadowsocks client, the port should be 10000 rather than 30000.
Multi-port port forwarding
1. Same-port port forwarding
Forward ports 10000~30000 on the local server (relay server 2.2.2.2) to ports 10000~30000 on the target IP (destination server) 1.1.1.1:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 10000:30000 -j DNAT --to-destination 1.1.1.1:10000-30000
iptables -t nat -A PREROUTING -p udp -m udp --dport 10000:30000 -j DNAT --to-destination 1.1.1.1:10000-30000
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p tcp -m tcp --dport 10000:30000 -j SNAT --to-source 2.2.2.2
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p udp -m udp --dport 10000:30000 -j SNAT --to-source 2.2.2.2
At this point, when filling in the Shadowsocks information in your Shadowsocks client, keep the account settings and port unchanged; you only need to change the IP to the relay server IP.
2. Different-port port forwarding
Forward ports 10000~20000 on the local server (relay server 2.2.2.2) to ports 30000~40000 on the target IP (destination server) 1.1.1.1:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 10000:20000 -j DNAT --to-destination 1.1.1.1:30000-40000
iptables -t nat -A PREROUTING -p udp -m udp --dport 10000:20000 -j DNAT --to-destination 1.1.1.1:30000-40000
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p tcp -m tcp --dport 30000:40000 -j SNAT --to-source 2.2.2.2
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p udp -m udp --dport 30000:40000 -j SNAT --to-source 2.2.2.2
At this point, when filling in the Shadowsocks information in your Shadowsocks client, the port should be in 10000~20000 instead of 30000~40000.
Save iptables configuration
Remember to save the iptables configuration after making changes, otherwise it will be lost after a reboot.
CentOS system:
service iptables save
Debian/Ubuntu system:
iptables-save > /etc/iptables.up.rules
View NAT rules
iptables -t nat -vnL POSTROUTING
iptables -t nat -vnL PREROUTING
Delete NAT rules
Use the rule-viewing commands above to list the rules, then find the position number of the rule you want to delete. The commands below delete the first rule in each chain.
iptables -t nat -D POSTROUTING 1
iptables -t nat -D PREROUTING 1
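The rules in the forwarding sections above are typed by hand and deleted by position, so re-running them appends duplicates and deleting "rule 1" can hit the wrong rule once other NAT rules exist. As an added example (not the post's or the one-click script's code), the function below builds the four tcp+udp rule specs as data so the same spec can be checked with -C, added with -A or deleted with -D; it assumes the post's placeholder addresses (relay 2.2.2.2, destination 1.1.1.1) and additionally narrows the DNAT with -d RELAY_IP, which the post does not do.

```shell
#!/bin/sh
# Added example, not from the original post. Builds iptables NAT rule specs
# for a tcp+udp port forward as strings, so the same spec can be used with
# -C (check), -A (add) and -D (delete) instead of deleting by position.

# pf_rule CHAIN PROTO RELAY_IP TARGET_IP LOCAL_PORTS TARGET_PORTS
# Prints the rule spec that follows "iptables -t nat -A|-C|-D".
# Port ranges are written "a:b" for --dport and "a-b" for --to-destination.
pf_rule() {
  chain=$1; proto=$2; relay=$3; target=$4; lports=$5; tports=$6
  case $chain in
    PREROUTING)
      # -d RELAY_IP is an added restriction: only traffic addressed to the
      # relay's own IP is rewritten, not everything passing the host.
      printf 'PREROUTING -d %s -p %s -m %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$relay" "$proto" "$proto" "$lports" "$target" "$(echo "$tports" | tr ':' '-')"
      ;;
    POSTROUTING)
      printf 'POSTROUTING -d %s -p %s -m %s --dport %s -j SNAT --to-source %s\n' \
        "$target" "$proto" "$proto" "$tports" "$relay"
      ;;
  esac
}

# pf_apply add|del RELAY_IP TARGET_IP LOCAL_PORTS TARGET_PORTS
# Checks with -C first, so re-running "add" never appends duplicates and
# "del" removes exactly the matching rule, whatever its position.
pf_apply() {
  action=$1; shift
  for proto in tcp udp; do
    for chain in PREROUTING POSTROUTING; do
      spec=$(pf_rule "$chain" "$proto" "$@")
      # $spec is intentionally word-split into separate arguments
      if iptables -t nat -C $spec 2>/dev/null; then
        [ "$action" = del ] && iptables -t nat -D $spec
      else
        [ "$action" = add ] && iptables -t nat -A $spec
      fi
    done
  done
}

# ip_forward_enabled: succeeds only if the kernel will actually forward,
# i.e. the sysctl step from the post has taken effect.
ip_forward_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Example (root required): pf_apply add 2.2.2.2 1.1.1.1 10000:20000 30000:40000
```

Run the same pf_apply line with del instead of add to remove exactly those four rules, then save with iptables-save as described below.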
Below is the one-click script
Please first use the ifconfig command to check the IP bound to your VPS network interface; on some providers it is a private IP and on others a public IP.
The one-click script command is as follows:
wget -N --no-check-certificate https://raw.githubusercontent.com/xiaohouzivpn/script/master/iptables-pf.sh && chmod +x iptables-pf.sh && bash iptables-pf.sh