iptables redirect outside requests to 127.0.0.1

http://unix.stackexchange.com/questions/111433/iptables-redirect-outside-requests-to-127-0-0-1

I have a service running on 127.0.0.1 with port 2222. I need to forward all requests to 192.168.2.2:2222 (outside IP) only from subnet 192.168.1.0/24 to 127.0.0.1:2222.

I‘m trying to use this, but it‘s not working.

$ iptables -t nat -I PREROUTING -p tcp -d 192.168.1.0/24 --dport 2222 -j DNAT --to-destination 127.0.0.1:2222

How can I get this to work?

We need some clarification. Where is the traffic coming from? Where is the traffic originally going to? Where should the traffic be going to? As I read it, you want traffic from 192.168.1.0/24 to 127.0.0.1:2222 to be redirected to 12.23.34.45:2222. But Warren‘s answer assumes you want traffic from 192.168.1.0/24 to 12.23.34.45:2222 to be redirected to 127.0.0.1:222 –  Patrick Jan 29 at 13:37
Traffic comes from 192.168.1.0/24 subnet to 192.168.2.2:2222 and should be translated to service on 127.0.0.1:2222. I‘m corrected address scheme. –  SimWhite Jan 29 at 14:27
You want a rule that allows traffic to port 2222 on the loopback interface from subnet 192.168.1.0/24? That isn‘t just a single rule type of setup. See here: debuntu.org/… –  slm♦ Jan 29 at 14:35
Yes. As I understand I need to add masq rule? IP forwarding is already enabled of course. –  SimWhite Jan 29 at 14:47
Why not run it on a "real" IP, and filter out traffic comming from unwanted sources? That is what firewalls are for, essentially... –  vonbrand Feb 3 at 1:04

The iptables rule you are using will work, but there is one additional change you need to make:

sysctl -w net.ipv4.conf.eth0.route_localnet=1
(replacing eth0 with the nic 192.168.2.2 resides on)
By default this value is 0, which instructs the kernel to not route external traffic destined to 127.0.0.0/8. This is just for security as such traffic is not normal.

This info is surprisingly hard to find. –  Warren T. May 16 at 4:06

You can redirect to localhost but not to loopback (127.0.0.0/8). Loopback is a loophole. You have to redirect to one of your real interfaces. Try using REDIRECT.
iptables -t nat -A PREROUTING ..... -j REDIRECT --to-port 222

时间: 2025-01-17 19:52:24

iptables redirect outside requests to 127.0.0.1的相关文章

iptables不小心把127.0.0.1封了,导致redis连不上

写了个脚本扫描apache日志,自动把恶意攻击者的ip交给iptables给封掉 谁知道一不小心把127.0.0.1也给封了... 直接导致redis无法链接. redis-server服务正常启动,端口也开着,日志全都正常,就是redis客户端(redis-cli和python api)连不上,报错timeout. 一查链接状态,发现客户端是SYN_SENT,也就是“客户端发出了连接请求,等待服务端响应”. iptabls把127.0.0.1给解封后,就恢复正常了.

PHP连接数据库错误:Can't connect to MySQL server on '127.0.0.1' (13)2003

学习PHP中的.今天学习php连接数据库,代码如下:    <?php       $link = mysql_connect("127.0.0.1","root","123456");         if($link) {             echo '数据源连接成功';         }         else {             echo "数据库连接失败,请检查帐户密码".  mysql_er

localhost与127.0.0.1的区别,关键在防火墙这个问题上的解释。

localhost与127.0.0.1的区别是什么? localhost也叫local ,正确的解释是:本地服务器 127.0.0.1在windows等系统的正确解释是:本机地址(本机服务器) 他们的解析通过本机的host文件,windows自动将localhost解析为127.0.0.1 localhot(local)是不经网卡传输!这点很重要,它不受网络防火墙和网卡相关的的限制. 127.0.0.1是通过网卡传输,依赖网卡,并受到网络防火墙和网卡相关的限制. 可以解释iptables里面有

CentOS下httpd下php 连接mysql 本机可以,127.0.0.1不能访问

你看到的这个文章来自于http://www.cnblogs.com/ayanmw php代码很简单: $server="127.0.0.1"; println("Begin"); $link = mysql_connect($server,"mysql","mysql"); if (!$link) { die('Could not connect: ' . mysql_error().mysql_errno()); } lin

mac系统不能使用127.0.0.2的解决方案

英语学得不好,国外这位大神的精彩解释不是特能看的懂.我模仿的试了一下. 解决方案: 1.打开mac终端 2.输入:sudo ifconfig lo0 alias 127.1.1.1 netmask 0xFFFFFFFF 3.浏览器测试. (如果是127.0.0.2)应该就是:sudo ifconfig lo0 alias 127.0.0.2 netmask 0xFFFFFFFF 大神给予的解释: FreeBSD (also OS X, and I believe NetBSD & OpenBSD

服务监听在127.0.0.1和0.0.0.0上,到底有什么区别呢?

服务监听在127.0.0.1和0.0.0.0上,到底有什么区别呢?给个实际的例子,大家看看 今天发现在nb1380的mysql从nb1381连不上? 1.使用grant加权限,失败 mysql> select user,host,password from mysql.user; 11 rows in set (0.00 sec) mysql> grant all privileges on *.* to 'root'@'nb1381' identified by '  ' with gran

使用 IDEA 创建 Maven Web 项目 (异常)- Disconnected from the target VM, address: &#39;127.0.0.1:59770&#39;, transport: &#39;socket&#39;

运行环境: JDK 版本:1.8 Maven 版本:apache-maven-3.3.3 IDEA 版本:14 maven-jetty-plugin 配置: <plugin> <groupId>org.eclipse.jetty</groupId> <artifactId>jetty-maven-plugin</artifactId> <configuration> <webAppSourceDirectory>${pro

idea启动tomcat服务失败 SEVERE [RMI TCP Connection(3)-127.0.0.1] org.apache.catalina.core.ContainerBase.addChildInternal ContainerBase.addChild:

我的工程是从eclipse生成的,个人习惯用idea开发.重复了一遍以往正常的不能再正常了的导入配置,结果遇到了如下问题: SEVERE [RMI TCP Connection(3)-127.0.0.1] org.apache.catalina.core.ContainerBase.addChildInternal ContainerBase.addChild: start: org.apache.catalina.LifecycleException: Failed to start comp

IntelliJ运行下载的Servlet时报错 Error running Tomcat 8.5.8: Unable to open debugger port (127.0.0.1:49551): java.net.SocketException

学习Java Servlet时,从Wrox上下载了示例代码,准备run/debug时发现以下错误: Error running Tomcat 8.5.8: Unable to open debugger port (127.0.0.1:49551): java.net.SocketException "Socket closed" /Users/GuQiang/Tomcat/apache-tomcat-8.5.8/bin/catalina.sh stopUsing CATALINA_B