  • iptables redirect outside requests to 127.0.0.1

    http://unix.stackexchange.com/questions/111433/iptables-redirect-outside-requests-to-127-0-0-1

    I have a service running on 127.0.0.1 with port 2222. I need to forward all requests to 192.168.2.2:2222 (outside IP) only from subnet 192.168.1.0/24 to 127.0.0.1:2222.

    I'm trying to use this, but it's not working.

    $ iptables -t nat -I PREROUTING -p tcp -d 192.168.1.0/24 --dport 2222 -j DNAT --to-destination 127.0.0.1:2222

    How can I get this to work?

    We need some clarification. Where is the traffic coming from? Where is the traffic originally going to? Where should the traffic be going to? As I read it, you want traffic from 192.168.1.0/24 to 127.0.0.1:2222 to be redirected to 12.23.34.45:2222. But Warren's answer assumes you want traffic from 192.168.1.0/24 to 12.23.34.45:2222 to be redirected to 127.0.0.1:222 –  Patrick Jan 29 at 13:37
    Traffic comes from 192.168.1.0/24 subnet to 192.168.2.2:2222 and should be translated to service on 127.0.0.1:2222. I've corrected the address scheme. –  SimWhite Jan 29 at 14:27
    You want a rule that allows traffic to port 2222 on the loopback interface from subnet 192.168.1.0/24? That isn't just a single rule type of setup. See here: debuntu.org/… –  slm♦ Jan 29 at 14:35
    Yes. As I understand it, I need to add a masq rule? IP forwarding is already enabled of course. –  SimWhite Jan 29 at 14:47
    Why not run it on a "real" IP, and filter out traffic coming from unwanted sources? That is what firewalls are for, essentially... –  vonbrand Feb 3 at 1:04

    The iptables rule you are using will work, but there is one additional change you need to make:

    sysctl -w net.ipv4.conf.eth0.route_localnet=1
    (replacing eth0 with the nic 192.168.2.2 resides on)
    By default this value is 0, which instructs the kernel to not route external traffic destined to 127.0.0.0/8. This is just for security as such traffic is not normal.

    This info is surprisingly hard to find. –  Warren T. May 16 at 4:06
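An added example, not part of the original thread: once `route_localnet` is enabled, a loopback-only service is reachable from whatever the DNAT rule matches, so this Python check lists every PREROUTING DNAT rule that targets 127.0.0.0/8, whether `route_localnet` makes it active, and whether it lacks a source restriction. The function names and the sample rules (including `eth1` and ports 8080/80) are constructed for illustration.

```python
import glob
import os
import shlex

def read_route_localnet(root="/proc/sys/net/ipv4/conf"):
    """Return {interface: bool} read from the live sysctl tree."""
    values = {}
    for path in glob.glob(os.path.join(root, "*", "route_localnet")):
        with open(path) as fh:
            values[path.split(os.sep)[-2]] = fh.read().strip() == "1"
    return values

def audit(rules_text, route_localnet):
    """List PREROUTING DNAT rules that target 127.0.0.0/8 and who can reach them."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "PREROUTING"] or "DNAT" not in tok:
            continue
        # Map each option to the token that follows it (-s, -i, --to-destination ...).
        opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        target = opt.get("--to-destination", "")
        if not target.startswith("127."):  # iptables-save prints plain dotted quads
            continue
        iface = opt.get("-i")
        # The kernel ORs conf/all with the per-interface route_localnet value.
        active = route_localnet.get("all", False) or (
            route_localnet.get(iface, False) if iface else any(route_localnet.values()))
        findings.append({
            "target": target,
            "iface": iface,
            "source": opt.get("-s"),
            "active": active,                     # DNAT to loopback needs route_localnet=1
            "any_source": opt.get("-s") is None,  # no -s: any host on that side can connect
        })
    return findings

# Constructed sample in iptables-save format, using the addresses from the question.
SAMPLE = """\
*nat
-A PREROUTING -s 192.168.1.0/24 -d 192.168.2.2/32 -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 127.0.0.1:2222
-A PREROUTING -i eth1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 127.0.0.1:8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.5:80
COMMIT
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, {"all": False, "eth0": True, "eth1": False}):
        print(finding)
```

On a live host, pass the output of `iptables-save -t nat` and the result of `read_route_localnet()` instead of the constructed values.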

    You can redirect to localhost but not to loopback (127.0.0.0/8). Loopback is a loophole. You have to redirect to one of your real interfaces. Try using REDIRECT.
    iptables -t nat -A PREROUTING ..... -j REDIRECT --to-port 222

  • Original article: https://www.cnblogs.com/seven1979/p/4182054.html