当防火墙做 SNAT 上网时
# Source NAT for the LAN: packets from 192.168.10.0/24 leaving through eth0
# get their source address rewritten to the fixed public address 121.201.111.22.
iptables --table nat --append POSTROUTING --source 192.168.10.0/24 --out-interface eth0 --jump SNAT --to-source 121.201.111.22

# NAT (presumably the variant for a WAN interface without a fixed address:
# MASQUERADE picks up whatever address the outgoing interface currently has).
# Note this rule carries no --source/--out-interface match, so it applies to
# every packet leaving through every interface; scope it with --out-interface
# on a multi-homed box so LAN-to-LAN traffic is not rewritten as well.
iptables --table nat --insert POSTROUTING --jump MASQUERADE
# 以下端口映射,可以显示客户的真实IP
# Port forwards (DNAT in PREROUTING) plus the SNAT rules that pair with them.
# The forwarded flows themselves are not source-NATed, which is why the internal
# servers still see the client's real IP.
wan_ip=12.20.11.22
wan_if=eth0

# Public 3151/tcp -> 192.168.122.151:3389. This publishes RDP to everyone who can
# reach $wan_ip; add a --source match for the client ranges that need it if possible.
iptables --table nat --insert PREROUTING --destination "$wan_ip" --protocol tcp --dport 3151 --jump DNAT --to-destination 192.168.122.151:3389

# Traffic from 192.168.10.210 with source port 80 leaving eth0 is rewritten to $wan_ip:80.
iptables --table nat --insert POSTROUTING --out-interface "$wan_if" --source 192.168.10.210 --protocol tcp --sport 80 --jump SNAT --to-source "$wan_ip":80

# Public 443/tcp -> 192.168.10.210:443, and the matching source rewrite for port 443.
iptables --table nat --insert PREROUTING --destination "$wan_ip" --protocol tcp --dport 443 --jump DNAT --to-destination 192.168.10.210:443
iptables --table nat --insert POSTROUTING --out-interface "$wan_if" --source 192.168.10.210 --protocol tcp --sport 443 --jump SNAT --to-source "$wan_ip":443

# Everything addressed to 192.168.134.2 (no protocol or port restriction) -> 192.168.10.146.
iptables --table nat --insert PREROUTING --destination 192.168.134.2 --jump DNAT --to-destination 192.168.10.146

# Two SNAT rules for the same source. Both use --insert, so the 10.10.10.2 rule ends
# up first in the chain and the 192.168.10.1 one is never reached.
iptables --table nat --insert POSTROUTING --source 192.168.10.146 --jump SNAT --to-source 192.168.10.1
iptables --table nat --insert POSTROUTING --source 192.168.10.146 --jump SNAT --to-source 10.10.10.2

# Source port 443 from 192.168.11.2 is exposed as $wan_ip:1443.
iptables --table nat --insert POSTROUTING --source 192.168.11.2 --protocol tcp --sport 443 --jump SNAT --to-source "$wan_ip":1443

# Per-host public addresses for two internal machines (all protocols).
iptables --table nat --insert POSTROUTING --source 192.168.122.151 --jump SNAT --to-source 121.201.111.38
iptables --table nat --append POSTROUTING --source 192.168.10.141 --jump SNAT --to-source 121.201.111.26
# socks 代理做透明代理
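# Transparent proxying through a dedicated nat chain "SOCKS", followed by a few
# unrelated forwarding and policy-routing rules from the same notes.
iptables -t nat -N SOCKS

# Fix: plain "--dport" accepts a single port or a "low:high" range, so "80,443"
# is rejected when the rule is loaded. A comma-separated list needs the
# multiport match.
iptables -t nat -A SOCKS -p tcp -m multiport --dports 80,443 -j REDIRECT --to-ports 1080

# Per-host redirects. Ports 80/443 from these hosts are already taken by the rule
# above, so these only see their remaining TCP traffic.
iptables -t nat -A SOCKS -p tcp -s 192.168.10.128 -j REDIRECT --to-ports 10128
iptables -t nat -A SOCKS -p tcp -s 192.168.10.133 -j REDIRECT --to-ports 10133

# Hook the chain for locally generated TCP (OUTPUT) and for TCP arriving on any
# interface (PREROUTING, inserted at the top of the chain).
# NOTE(review): with OUTPUT hooked, the proxy's own outbound 80/443 connections
# are themselves redirected back to port 1080 unless they are excluded (for
# example by an owner match on the proxy's uid or by destination); confirm
# before enabling this on the proxy host.
iptables -t nat -A OUTPUT -p tcp -j SOCKS
iptables -t nat -I PREROUTING -p tcp -j SOCKS

# Appended after the 80/443 rule, so it is never reached. If 8484 is the intended
# target for plain HTTP, drop 80 from the multiport list above instead.
iptables -t nat -A SOCKS -p tcp --dport 80 -j REDIRECT --to-ports 8484

# Two DNAT rules for the same port range. Both use -I, so the second one lands
# first: 3001-3240 actually goes to 23.234.230.226 and the 192.168.122.151:3389
# rule is shadowed.
iptables -t nat -I PREROUTING -p tcp --dport 3001:3240 -j DNAT --to-destination 192.168.122.151:3389
iptables -t nat -I PREROUTING -p tcp --dport 3001:3240 -j DNAT --to-destination 23.234.230.226:3001-3240

# Policy routing: TCP from 172.16.1.0/24 whose destination is in the ipset
# "gfwlist" (the set must already exist or this rule fails to load) is marked 20
# and looked up in routing table 20, whose default route points at tun0.
iptables -t mangle -A PREROUTING -s 172.16.1.0/24 -p tcp -m set --match-set gfwlist dst -j MARK --set-mark 20
ip rule add fwmark 20 table 20
# Fix: "via" expects a gateway address and rejects an interface name; a
# point-to-point tunnel device is given with "dev".
ip route add default dev tun0 table 20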
# sysctl 配置
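# Kernel settings the NAT / policy-routing rules above depend on.
# Enable IPv4 forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Turn reverse-path filtering off on every interface. Strict rp_filter drops
# packets whose reply would leave through a different interface than they
# arrived on, which is exactly what the fwmark/table-20 routing produces.
# Disabling it everywhere also removes the kernel's spoofed-source check;
# loose mode (value 2) is usually enough for asymmetric routing and keeps that
# protection, so consider it instead of 0.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  [[ -e "$f" ]] || continue   # unmatched glob stays literal; do not write to a bogus path
  echo 0 > "$f"               # quoted: ShellCheck SC2086
done
# Any write here triggers a routing-cache flush so the new settings take effect.
echo 0 > /proc/sys/net/ipv4/route/flush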
根据IP地址,协议,目的IP,源IP,端口号做策略路由, 如下的 tun0 为 openvpn 连接到其他vpn服务器的网卡, 这个可以自己设置成另外的其他网卡.
# Policy routing for a single host: mark its TCP packets, masquerade them, and
# send everything carrying that mark out through the VPN tunnel via its own
# routing table. tun0 is the OpenVPN interface here; substitute another
# interface as needed.
src_host=10.66.74.21
mark=20
table_id=20
vpn_if=tun0

/usr/sbin/iptables --table mangle --insert PREROUTING --source "$src_host" --protocol tcp --jump MARK --set-mark "$mark"
/usr/sbin/iptables --table nat --insert POSTROUTING --source "$src_host" --jump MASQUERADE
/sbin/ip rule add fwmark "$mark" table "$table_id"
/sbin/ip route replace default dev "$vpn_if" table "$table_id"
以上命令, 必须要配合如下命令方可生效,具体原理我也没办法分析,反正如果不加就不行
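# Disable reverse-path filtering on every interface. The marked packets are
# routed out through tun0 while their replies come back a different way; with
# strict rp_filter the kernel treats that asymmetry as spoofing and drops the
# packets, so the policy route above appears not to work. Loose mode (2) would
# keep the anti-spoofing check while still allowing this; 0 is what the
# original notes use.
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
  [[ -e "$i" ]] || continue   # skip the literal pattern when the glob matches nothing
  echo 0 > "$i"               # quoted: ShellCheck SC2086
done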