iptables TCP UDP Port Forwarding
IPTABLES TCP+UDP Port Forwarding (Network Acceleration)
iptables port forwarding runs inside the kernel's netfilter NAT path, so it consumes few system resources and copes with many concurrent connections; relaying traffic through a host that has a better route to the destination can noticeably improve the quality of the connection.
Advantages: TCP+UDP port forwarding in one rule set
IPTABLES Installation
CentOS:
yum install iptables -y
Ubuntu/Debian:
apt install iptables -y
Configure IPV4 Forwarding
vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p
Without net.ipv4.ip_forward = 1 the kernel drops the DNATed packets instead of routing them on to the target; verify with "sysctl net.ipv4.ip_forward" before testing the rules.
Configure iptables to Load on Startup
For CentOS:
service iptables save
chkconfig --level 2345 iptables on
(On CentOS 7 and later these commands need the iptables-services package: yum install iptables-services -y, then systemctl enable iptables.)
For Debian/Ubuntu:
iptables-save > /etc/iptables.up.rules
echo -e '#!/bin/bash\n/sbin/iptables-restore < /etc/iptables.up.rules' > /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables
(The if-pre-up.d hook only runs for interfaces managed by ifupdown; on systems that use netplan or NetworkManager, install iptables-persistent instead and keep the rules in /etc/iptables/rules.v4.)
Check the IP Bound to the Network Card on the Local Machine
ifconfig
(or: ip -4 addr show)
For example, the IP bound to the eth0 network card on my server is 172.27.0.5 (an internal IP). On many cloud VPSs the public address is NATed by the provider and is not bound to the card at all; the SNAT --to-source in the rules below must use the address that is actually bound, otherwise the target's replies cannot be routed back through the relay.
Single Port Forwarding
iptables -t nat -A PREROUTING -p tcp --dport [local port] -j DNAT --to-destination [target IP:target port]
iptables -t nat -A PREROUTING -p udp --dport [local port] -j DNAT --to-destination [target IP:target port]
iptables -t nat -A POSTROUTING -p tcp -d [target IP] --dport [target port] -j SNAT --to-source [local server main network card bound IP]
iptables -t nat -A POSTROUTING -p udp -d [target IP] --dport [target port] -j SNAT --to-source [local server main network card bound IP]
The PREROUTING DNAT rewrites the destination of each new inbound connection to the target; the POSTROUTING SNAT rewrites its source to the relay's own address so that the target answers the relay rather than the original client. The target therefore never sees the real client address (its logs show only the relay IP). Only the first packet of a connection passes through the nat table; conntrack applies the same translation to the rest, and the forwarded traffic must also be accepted by the filter table's FORWARD chain if its policy is not ACCEPT. If the relay has several addresses and should only forward on one of them, add -d [relay public IP] to the PREROUTING rules; as written they rewrite matching packets arriving on any interface.
For example, assuming the foreign server you want to reach (the target) is 1.1.1.1, its SS port is 10000, and the main network card bound IP of the VPS you are currently operating on (the transit server) is 2.2.2.2:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 10000 -j DNAT --to-destination 1.1.1.1:10000
iptables -t nat -A PREROUTING -p udp -m udp --dport 10000 -j DNAT --to-destination 1.1.1.1:10000
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p tcp -m tcp --dport 10000 -j SNAT --to-source 2.2.2.2
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p udp -m udp --dport 10000 -j SNAT --to-source 2.2.2.2
Different Port Forwarding
Forward port 10000 of the local server (transit server 2.2.2.2) to port 30000 of the target IP (target server 1.1.1.1)
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 10000 -j DNAT --to-destination 1.1.1.1:30000
iptables -t nat -A PREROUTING -p udp -m udp --dport 10000 -j DNAT --to-destination 1.1.1.1:30000
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p tcp -m tcp --dport 30000 -j SNAT --to-source 2.2.2.2
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p udp -m udp --dport 30000 -j SNAT --to-source 2.2.2.2
In this case, when filling in the Shadowsocks information in the client, the port should be filled in as 10000 instead of 30000.
Multiple Port Forwarding
1. Same Port Forwarding
Forward ports 10000~30000 of the local server (transit server 2.2.2.2) to ports 10000~30000 of the target IP (target server 1.1.1.1)
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 10000:30000 -j DNAT --to-destination 1.1.1.1:10000-30000
iptables -t nat -A PREROUTING -p udp -m udp --dport 10000:30000 -j DNAT --to-destination 1.1.1.1:10000-30000
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p tcp -m tcp --dport 10000:30000 -j SNAT --to-source 2.2.2.2
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p udp -m udp --dport 10000:30000 -j SNAT --to-source 2.2.2.2
Because every original destination port already lies inside the --to-destination range, the kernel leaves the port unchanged, so a connection to 2.2.2.2:12345 reaches 1.1.1.1:12345. In this case, when filling in the Shadowsocks information in the client, the account configuration and port remain unchanged; only the IP needs to be changed to the transit server IP.
2. Different Port Forwarding
Forward ports 10000~20000 of the local server (transit server 2.2.2.2) to ports 30000~40000 of the target IP (target server 1.1.1.1)
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 10000:20000 -j DNAT --to-destination 1.1.1.1:30000-40000
iptables -t nat -A PREROUTING -p udp -m udp --dport 10000:20000 -j DNAT --to-destination 1.1.1.1:30000-40000
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p tcp -m tcp --dport 30000:40000 -j SNAT --to-source 2.2.2.2
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p udp -m udp --dport 30000:40000 -j SNAT --to-source 2.2.2.2
Caveat: with a shifted range like this, iptables does not map the ports one-to-one. When the original destination port lies outside the --to-destination range, the kernel picks a free port from 30000-40000 for each new connection, so a client connecting to 10000 may land on any port of the target range. If 10000 must reach 30000, 10001 must reach 30001 and so on, either write one rule pair per port, or, on recent iptables and kernel versions, append the base port to the range (--to-destination 1.1.1.1:30000-40000/10000); run "iptables -j DNAT --help" to check whether your version accepts the /baseport form. In this case, when filling in the Shadowsocks information in the client, the port should be taken from the 10000~20000 range instead of 30000~40000.
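Putting the single-port, same-range and shifted-range cases above together, here is an added example (written for this page, not the author's iptables-pf.sh script) of a small POSIX shell generator that validates the ports, emits the TCP and UDP rule pairs with the DNAT pinned to the relay's listening address, expands a shifted range into one rule pair per port so the mapping really is one-to-one, and can apply the result without duplicating rules that are already loaded. The function names pf_rules, pf_apply and their helpers, and the addresses 2.2.2.2, 1.1.1.1 and 172.27.0.5, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the page's own script: generate (and optionally apply)
# the TCP+UDP DNAT/SNAT rule pairs for a single-port, same-range or shifted
# range forward. Function names (pf_*) are chosen for this example.
#
# pf_rules LISTEN_IP LOCAL_PORT[:HI] TARGET_IP TARGET_PORT[:HI] SNAT_IP
#   LISTEN_IP : relay address the clients connect to (restricts the DNAT with -d)
#   SNAT_IP   : address actually bound to the relay's NIC, which on a cloud
#               VPS may be an internal address rather than the public one

pf_is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# "lo:hi" -> "lo hi", "p" -> "p p"
pf_split() {
    case "$1" in
        *:*) echo "${1%%:*} ${1#*:}" ;;
        *)   echo "$1 $1" ;;
    esac
}

# one DNAT + one SNAT rule per protocol
# args: listen_ip dport_match target_ip to_destination_port target_dport_match snat_ip
pf_emit_pair() {
    for proto in tcp udp; do
        echo "iptables -t nat -A PREROUTING -d $1 -p $proto -m $proto --dport $2 -j DNAT --to-destination $3:$4"
        echo "iptables -t nat -A POSTROUTING -d $3 -p $proto -m $proto --dport $5 -j SNAT --to-source $6"
    done
}

pf_rules() {
    pf_lip=$1 pf_tip=$3 pf_snat=$5
    set -- $(pf_split "$2") $(pf_split "$4")
    pf_llo=$1 pf_lhi=$2 pf_tlo=$3 pf_thi=$4
    for p in "$pf_llo" "$pf_lhi" "$pf_tlo" "$pf_thi"; do
        pf_is_port "$p" || { echo "pf_rules: bad port '$p'" >&2; return 1; }
    done
    if [ "$pf_lhi" -lt "$pf_llo" ] || [ "$pf_thi" -lt "$pf_tlo" ]; then
        echo "pf_rules: reversed range" >&2; return 1
    fi
    if [ $((pf_lhi - pf_llo)) -ne $((pf_thi - pf_tlo)) ]; then
        echo "pf_rules: local and target ranges differ in size" >&2; return 1
    fi
    if [ "$pf_llo" -eq "$pf_lhi" ]; then
        # single port
        pf_emit_pair "$pf_lip" "$pf_llo" "$pf_tip" "$pf_tlo" "$pf_tlo" "$pf_snat"
    elif [ "$pf_llo" -eq "$pf_tlo" ]; then
        # identical ranges: the kernel keeps a destination port that already
        # lies inside the --to-destination range, so one rule pair is enough
        pf_emit_pair "$pf_lip" "$pf_llo:$pf_lhi" "$pf_tip" "$pf_tlo-$pf_thi" "$pf_tlo:$pf_thi" "$pf_snat"
    else
        # shifted range: a range in --to-destination would NOT map ports
        # offset-by-offset (the kernel picks a free port from the range per
        # connection), so emit one explicit pair per port instead
        i=0
        while [ $((pf_llo + i)) -le "$pf_lhi" ]; do
            pf_emit_pair "$pf_lip" $((pf_llo + i)) "$pf_tip" $((pf_tlo + i)) $((pf_tlo + i)) "$pf_snat"
            i=$((i + 1))
        done
    fi
}

# apply idempotently: append a rule only if the same rule is not already loaded (-C)
pf_apply() {
    pf_rules "$@" | while IFS= read -r rule; do
        check=$(printf '%s\n' "$rule" | sed 's/ -A / -C /')
        $check 2>/dev/null || $rule
    done
}

# dry run of the page's single-port case, with the NIC-bound internal IP as SNAT source
pf_rules 2.2.2.2 10000 1.1.1.1 10000 172.27.0.5
```

Run pf_rules first to review the commands; pf_apply runs each one only if iptables -C reports the rule absent, so re-running the script after a reboot or a typo does not append duplicates the way repeated -A does. Expanding a shifted range costs four rules per port, so for ranges of thousands of ports prefer using the same port numbers on both sides, or the /baseport form of --to-destination where your iptables supports it.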
Save iptables Configuration
Remember to save the iptables configuration after modification to avoid losing it after restarting.
For CentOS:
service iptables save
For Debian/Ubuntu:
iptables-save > /etc/iptables.up.rules
View NAT Rules
iptables -t nat -vnL POSTROUTING
iptables -t nat -vnL PREROUTING
(Add --line-numbers to see the position of each rule, which the -D commands below refer to.)
Delete NAT Rules
After checking the rules using the "View NAT Rules" command above and determining the position of the rule you want to delete, the following commands delete the first rule in each chain. Positions are renumbered after every deletion, so when removing several rules delete from the highest number downwards, or pass the full rule specification to -D instead (for example: iptables -t nat -D PREROUTING -p tcp -m tcp --dport 10000 -j DNAT --to-destination 1.1.1.1:10000).
iptables -t nat -D POSTROUTING 1
iptables -t nat -D PREROUTING 1
Below is a one-click script:
Please use the "ifconfig" command to check the IP bound to the network card on your local VPS. Some have an internal IP, others an external IP; the script must be given the bound one.
The one-click script command is as follows:
wget -N --no-check-certificate https://raw.githubusercontent.com/xiaohouzivpn/script/master/iptables-pf.sh && chmod +x iptables-pf.sh && bash iptables-pf.sh
Note that this downloads a third-party script and runs it as root, and --no-check-certificate disables TLS certificate verification for the download, so anyone on the network path could substitute the file. Drop --no-check-certificate (fix the system CA bundle or clock if verification fails) and read iptables-pf.sh before executing it.
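Returning to the Delete NAT Rules section above: deleting by position is fragile because the numbers shift after each -D. The following added example (written for this page, not part of the one-click script) instead takes the nat table as printed by iptables-save, selects every PREROUTING DNAT and POSTROUTING SNAT rule that points at one target host, and turns each "-A" line into the matching "-D" command, so the exact rules are removed whatever their position. The function name pf_delete_cmds and the sample dump PF_SAMPLE_DUMP are constructed for this example.

```shell
#!/bin/sh
# Added example, not the page's own script: delete forwarding rules by their
# full specification rather than by position. It turns the "-A" lines of an
# iptables-save dump that point at one target host into "-D" commands.
# pf_delete_cmds and the sample dump below are constructed for this example.

# constructed sample of "iptables-save -t nat" output with forwards to two targets
PF_SAMPLE_DUMP='# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 10000 -j DNAT --to-destination 1.1.1.1:10000
-A PREROUTING -p udp -m udp --dport 10000 -j DNAT --to-destination 1.1.1.1:10000
-A PREROUTING -p tcp -m tcp --dport 20000 -j DNAT --to-destination 3.3.3.3:20000
-A POSTROUTING -d 1.1.1.1/32 -p tcp -m tcp --dport 10000 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -d 1.1.1.1/32 -p udp -m udp --dport 10000 -j SNAT --to-source 2.2.2.2
-A POSTROUTING -d 3.3.3.3/32 -p tcp -m tcp --dport 20000 -j SNAT --to-source 2.2.2.2
COMMIT'

# pf_delete_cmds TARGET_IP [DUMP]
# Prints one "iptables -t nat -D ..." per PREROUTING DNAT rule whose
# --to-destination host is TARGET_IP and per POSTROUTING SNAT rule whose -d
# is TARGET_IP. DUMP defaults to the live ruleset (iptables-save -t nat).
# index() does literal substring matching, so the dots in the address are
# not treated as regex wildcards.
pf_delete_cmds() {
    pf_dump=${2:-$(iptables-save -t nat)}
    printf '%s\n' "$pf_dump" | awk -v ip="$1" '
        /^-A (PREROUTING|POSTROUTING) / &&
        (index($0, "--to-destination " ip ":") > 0 || index($0, "-d " ip "/32 ") > 0) {
            sub(/^-A /, "-D ")
            print "iptables -t nat " $0
        }'
}

# dry run against the constructed dump; pipe the output to sh to apply it
pf_delete_cmds 1.1.1.1 "$PF_SAMPLE_DUMP"
```

Against a live relay, "pf_delete_cmds 1.1.1.1" prints the commands and "pf_delete_cmds 1.1.1.1 | sh" executes them; follow up with "service iptables save" or "iptables-save > /etc/iptables.up.rules" so the deletion survives a reboot. Rules that forward to a different target (3.3.3.3 in the sample) are left untouched.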