如何使用iptables进行本地端口转发 [英] How to do local port forwarding with iptables

问题描述

我有一个应用程序(服务器)在端口8080上侦听.我希望能够将端口80转发到它，以便按http://localhost可以解析我的应用程序(在localhost:8080上).

I have an application (server) listening on port 8080. I want to be able to forward port 80 to it, such that hitting http://localhost resolves my application (on localhost:8080).

对于任何端口映射(例如80:8080 => P_src:P_target)，都应该对此加以概括，并针对现代* nix机器(例如Ubuntu)使用最佳做法.

This should be generalized for any port mapping (e.g. 80:8080 => P_src:P_target), and use best practices for modern *nix machines (e.g. Ubuntu).

N.B.这都是在本地完成的，因此不需要接受除本地主机以外的任何人的连接.

推荐答案

因此，在四处搜寻之后，我发现答案使用了iptables，设置了NAT并使用了内置的PREROUTING和OUTPUT.

So after much searching around, I found the answer uses iptables, setting up a NAT, and using the built-ins PREROUTING and OUTPUT.

首先，您必须启用端口转发:

First, you must have port forwarding enabled:

echo "1" > /proc/sys/net/ipv4/ip_forward

然后，您必须使用您自己的${P_src}和${P_target}值将以下规则添加到iptables NAT表中:

Then you have to add the following rules to your iptables NAT table, using your own values for ${P_src} and ${P_target}:

iptables -t nat -A PREROUTING -s 127.0.0.1 -p tcp --dport ${P_src} -j REDIRECT --to ${P_target}`
iptables -t nat -A OUTPUT -s 127.0.0.1 -p tcp --dport ${P_src} -j REDIRECT --to ${P_target}`

如果要删除规则，只需为每个规则使用-D开关而不是-A.

If you want to remove the rules, you simply need to use the -D switch instead of -A for each rule.

为此我构建了一个不错的小脚本，它确实添加和删除了映射.

I build a nice little script for this that does adding and removing of mappings.

#!/bin/bash
#
#   API: ./forwardPorts.sh add|rm p1:p1' p2:p2' ...
#
#   Results in the appending (-A) or deleting (-D) of iptable rule pairs that
#   would otherwise facilitate port forwarding.
#
#   E.g
#   sudo iptables -t nat -A PREROUTING -s 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to 8080
#   sudo iptables -t nat -A OUTPUT -s 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to 8080
#

if [[ $# -lt 2 ]]; then
    echo "forwardPorts takes a state (i.e. add or rm) and any number port mappings (e.g. 80:8080)";
    exit 1;
fi

case $1 in
    add )
        append_or_delete=A;;
    rm )
        append_or_delete=D;;
    * )
        echo "forwardPorts requires a state (i.e. add or rm) as it's first argument";
        exit 1; ;;
esac

shift 1;

# Do a quick check to make sure all mappings are integers
# Many thanks to S.O. for clever string splitting:
# http://stackoverflow.com/questions/918886/how-do-i-split-a-string-on-a-delimiter-in-bash
for map in "$@"
do
    IFS=: read -a from_to_array <<< "$map"
    if  [[ ! ${from_to_array[0]} =~ ^-?[0-9]+$ ]] || [[ ! ${from_to_array[1]} =~ ^-?[0-9]+$ ]]; then
        echo "forwardPorts port maps must go from an integer, to an integer (e.g. 443:4443)";
        exit 1;
    fi
    mappings[${#mappings[@]}]=${map}
done

# We're shooting for transactional consistency. Only manipulate iptables if all 
# the rules have a chance to succeed.
for map in "${mappings[@]}"
do
    IFS=: read -a from_to_array <<< "$map" 
    from=${from_to_array[0]}
    to=${from_to_array[1]}

    sudo iptables -t nat -$append_or_delete PREROUTING -s 127.0.0.1 -p tcp --dport $from -j REDIRECT --to $to
    sudo iptables -t nat -$append_or_delete OUTPUT -s 127.0.0.1 -p tcp --dport $from -j REDIRECT --to $to
done

exit 0;

这篇关于如何使用iptables进行本地端口转发的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！