iptables TCP/UDP Port Forwarding Tutorial

IPTABLES tcp+udp full-port forwarding (network acceleration)

The main advantage of IPTABLES full-port forwarding is its extremely low system resource usage: even a small 1-core, 1 GB (1H1G) machine can handle it. It also supports high concurrency and high throughput, which effectively works around line-quality problems.

Advantages: full-port tcp+udp

IPTABLES Installation

CentOS system:

yum install iptables -y

Debian/Ubuntu system:

apt install iptables -y

Configure IPv4 forwarding

vi /etc/sysctl.conf
net.ipv4.ip_forward = 1   # enable IP forwarding by changing the default value from 0 to 1
sysctl -p

Configure iptables to load at startup

CentOS system:

service iptables save
chkconfig --level 2345 iptables on

Debian/Ubuntu system:

iptables-save > /etc/iptables.up.rules
# the script needs a real newline after the shebang, so the '\n' escape must keep its backslash
echo -e '#!/bin/bash\n/sbin/iptables-restore < /etc/iptables.up.rules' > /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables

Check the IP bound to the local network interface

ifconfig

For example, this is what my server shows:

[[email protected]_0_5_centos ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 52:54:00:33:5A:FD
inet addr:172.27.0.5 Bcast:172.27.15.255 Mask:255.255.240.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:814836 errors:0 dropped:0 overruns:0 frame:0
TX packets:803932 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:744827454 (710.3 MiB) TX bytes:735461052 (701.3 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

The IP address bound to the eth0 network interface above is 172.27.0.5; in my case it is a private IP.

Single-port port forwarding

iptables -t nat -A PREROUTING -p tcp --dport [local port] -j DNAT --to-destination [target IP:target port]
iptables -t nat -A PREROUTING -p udp --dport [local port] -j DNAT --to-destination [target IP:target port]
iptables -t nat -A POSTROUTING -p tcp -d [target IP] --dport [target port] -j SNAT --to-source [IP bound to the local server's primary network interface]
iptables -t nat -A POSTROUTING -p udp -d [target IP] --dport [target port] -j SNAT --to-source [IP bound to the local server's primary network interface]

In the following example, assume that your overseas server (the destination server) is 1.1.1.1, your Shadowsocks (SS) port is 10000, and the IP bound to the primary network interface of the VPS you are currently operating on (the relay server) is 2.2.2.2.

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 10000 -j DNAT --to-destination 1.1.1.1:10000
iptables -t nat -A PREROUTING -p udp -m udp --dport 10000 -j DNAT --to-destination 1.1.1.1:10000
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p tcp -m tcp --dport 10000 -j SNAT --to-source 2.2.2.2
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p udp -m udp --dport 10000 -j SNAT --to-source 2.2.2.2

Different-port port forwarding

Forward port 10000 on the local server (relay server 2.2.2.2) to port 30000 on the target IP (destination server) 1.1.1.1:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 10000 -j DNAT --to-destination 1.1.1.1:30000
iptables -t nat -A PREROUTING -p udp -m udp --dport 10000 -j DNAT --to-destination 1.1.1.1:30000
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p tcp -m tcp --dport 30000 -j SNAT --to-source 2.2.2.2
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p udp -m udp --dport 30000 -j SNAT --to-source 2.2.2.2

At this point, when filling in the Shadowsocks information in your Shadowsocks client, the port should be 10000 rather than 30000.

Multi-port port forwarding

1. Same-port port forwarding

Forward ports 10000~30000 on the local server (relay server 2.2.2.2) to ports 10000~30000 on the target IP (destination server) 1.1.1.1:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 10000:30000 -j DNAT --to-destination 1.1.1.1:10000-30000
iptables -t nat -A PREROUTING -p udp -m udp --dport 10000:30000 -j DNAT --to-destination 1.1.1.1:10000-30000
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p tcp -m tcp --dport 10000:30000 -j SNAT --to-source 2.2.2.2
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p udp -m udp --dport 10000:30000 -j SNAT --to-source 2.2.2.2

At this point, when filling in the Shadowsocks information in your Shadowsocks client, keep the account settings and port unchanged; you only need to change the IP to the relay server's IP.

2. Different-port port forwarding

Forward ports 10000~20000 on the local server (relay server 2.2.2.2) to ports 30000~40000 on the target IP (destination server) 1.1.1.1:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 10000:20000 -j DNAT --to-destination 1.1.1.1:30000-40000
iptables -t nat -A PREROUTING -p udp -m udp --dport 10000:20000 -j DNAT --to-destination 1.1.1.1:30000-40000
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p tcp -m tcp --dport 30000:40000 -j SNAT --to-source 2.2.2.2
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p udp -m udp --dport 30000:40000 -j SNAT --to-source 2.2.2.2

At this point, when filling in the Shadowsocks information in your Shadowsocks client, the port should be 10000~20000 instead of 30000~40000.
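
The four-rule pattern from the sections above, as an added POSIX shell helper that is not part of the original tutorial: it prints the tcp+udp DNAT and SNAT rules for a single port or a port range instead of running them, so they can be reviewed and saved first, and the optional fifth argument (-A, -I, -D or -C) picks the iptables action so that -D deletes by exact rule rather than by position. It assumes the relay IP is the address read off ifconfig earlier and that a port range is forwarded only to the identical range, since iptables keeps the original destination port when it lies inside the --to-destination range but does not shift it by an offset when the ranges differ.

```shell
#!/bin/sh
# Added example (not from the original tutorial): print the iptables NAT rules
# for a tcp+udp port forward. Nothing here runs iptables; review the output,
# then run it with sh or save it into the rules file.

# valid_port SPEC -- SPEC is a port 1-65535 or a LOW:HIGH range (iptables --dport form)
valid_port() {
  case $1 in
    ''|*[!0-9:]*) return 1 ;;          # empty, or anything but digits and ':'
    *:*) lo=${1%%:*}; hi=${1#*:} ;;
    *)   lo=$1; hi=$1 ;;
  esac
  case $hi in *:*) return 1 ;; esac    # more than one ':'
  [ -n "$lo" ] && [ -n "$hi" ] &&
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# pf_rules LOCAL_PORT TARGET_IP TARGET_PORT RELAY_IP [ACTION]
#   LOCAL_PORT  port (or LOW:HIGH) clients connect to on the relay
#   TARGET_IP   destination server, TARGET_PORT its port (or range)
#   RELAY_IP    address bound to the relay's primary interface (from ifconfig)
#   ACTION      -A (default), -I, -D (delete the exact rules) or -C (check)
pf_rules() {
  lport=$1 tip=$2 tport=$3 rip=$4 act=${5:--A}
  case $act in -A|-I|-D|-C) ;; *) echo "pf_rules: bad action $act" >&2; return 1 ;; esac
  valid_port "$lport" && valid_port "$tport" || {
    echo "pf_rules: bad port spec '$lport' or '$tport'" >&2; return 1; }
  # The kernel keeps the original destination port when it lies inside the
  # --to-destination range, but does not shift it by an offset into a different
  # range, so a range is only forwarded port-for-port when both sides match.
  case $lport in *:*)
    [ "$lport" = "$tport" ] || {
      echo "pf_rules: range $lport cannot be mapped 1:1 onto $tport" >&2; return 1; } ;;
  esac
  # --dport writes a range as LOW:HIGH, --to-destination wants LOW-HIGH
  to_dst="$tip:$(printf '%s' "$tport" | tr ':' '-')"
  for proto in tcp udp; do
    echo "iptables -t nat $act PREROUTING -p $proto -m $proto --dport $lport -j DNAT --to-destination $to_dst"
  done
  for proto in tcp udp; do
    echo "iptables -t nat $act POSTROUTING -d $tip -p $proto -m $proto --dport $tport -j SNAT --to-source $rip"
  done
}

# Usage: sh pf_rules.sh 10000 1.1.1.1 30000 2.2.2.2 | sh
if [ $# -ge 4 ]; then pf_rules "$@"; fi
```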

Save iptables configuration

Remember to save the iptables configuration after making changes, otherwise it will be lost after a reboot.

CentOS system:

service iptables save

Debian/Ubuntu system:

iptables-save > /etc/iptables.up.rules

View NAT rules

iptables -t nat -vnL POSTROUTING
iptables -t nat -vnL PREROUTING

Delete NAT rules

Use the rule-viewing commands above to list the rules, then work out the position of the rule you want to delete. The commands below delete the first rule in each chain.

iptables -t nat -D POSTROUTING 1
iptables -t nat -D PREROUTING 1

Below is the one-click script.

Please first use the ifconfig command to check the IP bound to your VPS network interface; some are private IPs and some are public IPs.

The one-click script command is as follows:

wget -N --no-check-certificate https://raw.githubusercontent.com/xiaohouzivpn/script/master/iptables-pf.sh && chmod +x iptables-pf.sh && bash iptables-pf.sh
