CentOS NAT with iptables

On CentOS 5.3 I could not get NAT working at all, whichever reference or configuration method I followed.


I thought it was a problem with the operating system; on CentOS 6.6 there is a graphical configuration interface and it is very easy to get working.


Later I found this on an English-language web page:


echo "1" > /proc/sys/net/ipv4/ip_forward


With that it worked. After looking in a few more places I finally understood why: the OS does not forward traffic by default, and this command forces forwarding on.


To make forwarding persistent, the setting also has to go into the sysctl configuration file as usual (/etc/sysctl.conf by default, the file that sysctl -p reloads):






net.ipv4.ip_forward = 1


Without this it does not work, because the default value is 0 (disabled); setting it to 1 enables forwarding.


sysctl -p


This reloads the settings; a reboot works as well, of course.


chkconfig iptables on


This enables the firewall as a normal service at boot.


The rules then live in the configuration file /etc/sysconfig/iptables.


The rules are added with the append command (-A). In the examples here eth0 is the external interface and eth1 the internal one.


iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


This masquerades everything leaving eth0 with no restriction on the internal source. It is useful when the external network adapter gets its IP address from DHCP, because MASQUERADE always uses whatever address the interface currently has.


iptables -t nat -A POSTROUTING -s -j SNAT --to-source


This is for traffic from the internal network (-s) to the outside: the source address is replaced with the external address given by --to-source. Use this form when the external address is static.


External access to internal servers, such as remote desktop


iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-destination


-i eth0 is the input interface (i for input); -p tcp means the protocol is TCP; --dport 3389 is the destination port 3389; --to-destination is the internal server's IP address.


This alone is not enough. The rules above are in the nat table (-t selects the table); the filter table also needs a rule:


iptables -t filter -A FORWARD -i eth0 -m state --state NEW -m tcp -p tcp -d --dport 3389 -j ACCEPT


If the traffic is not accepted in the FORWARD chain it never reaches the internal host. Why -d takes the internal address: the PREROUTING rule in the nat table has already rewritten the destination, so by the time the packet reaches FORWARD its destination is no longer the external NIC's IP but the internal server's, and the filter rule must match on the internal IP.


Rules that permit forwarded traffic (the -i lo line below is harmless but never matches anything, since loopback traffic is not forwarded):


iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -o eth0 -j ACCEPT
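The whole procedure above (the ip_forward check plus the nat and filter rules) as one script, an added example that is not part of the original post. It assembles the rule set in iptables-save format so it can be reviewed as a whole and loaded with iptables-restore or written to /etc/sysconfig/iptables, and it handles both external-address cases the post describes (MASQUERADE for DHCP, SNAT for a static address). Two things differ from the rules typed out above: the FORWARD policy is DROP rather than relying on an empty chain, and the internal-to-external rule checks the source network as well as the output interface. All interface names and addresses (192.168.10.0/24, 203.0.113.5, 192.168.10.20) are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: assemble the complete rule set
# for the NAT router described above in iptables-save format, so it can be
# reviewed as a whole and loaded with "iptables-restore < file" or written to
# /etc/sysconfig/iptables. All interface names and addresses are assumptions
# chosen for illustration; replace them with your own.
#
# gen_nat_rules EXT_IF INT_IF INT_NET EXT_IP RDP_HOST
#   EXT_IF    external interface (eth0 in the post)
#   INT_IF    internal interface (eth1 in the post)
#   INT_NET   internal network, e.g. 192.168.10.0/24
#   EXT_IP    router's static external address, or "dhcp" to MASQUERADE
#   RDP_HOST  internal host that receives port 3389 from outside
rule() { printf '%s\n' "$*"; }

gen_nat_rules() {
    ext_if=$1 int_if=$2 int_net=$3 ext_ip=$4 rdp_host=$5

    rule '*nat'
    rule ':PREROUTING ACCEPT [0:0]'
    rule ':POSTROUTING ACCEPT [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    # DNAT runs in PREROUTING, before the routing decision and before FORWARD,
    # so FORWARD later sees the internal host as the destination.
    rule -A PREROUTING -i "$ext_if" -p tcp --dport 3389 -j DNAT --to-destination "$rdp_host"
    if [ "$ext_ip" = dhcp ]; then
        # The address can change, so let the kernel use whatever eth0 has now.
        rule -A POSTROUTING -o "$ext_if" -j MASQUERADE
    else
        # Static external address: rewrite only the internal network, and only
        # on the way out of the external interface.
        rule -A POSTROUTING -s "$int_net" -o "$ext_if" -j SNAT --to-source "$ext_ip"
    fi
    rule COMMIT

    rule '*filter'
    rule ':INPUT ACCEPT [0:0]'
    # Default-deny forwarding: anything not listed below is dropped instead of
    # falling through an empty chain whose policy is ACCEPT.
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Matches the post-DNAT destination (the internal host), not the external IP.
    rule -A FORWARD -i "$ext_if" -p tcp -m state --state NEW -d "$rdp_host" -m tcp --dport 3389 -j ACCEPT
    # Internal clients out to the Internet; the -s check stops packets with
    # spoofed sources arriving on the internal interface from being forwarded.
    rule -A FORWARD -i "$int_if" -s "$int_net" -o "$ext_if" -j ACCEPT
    rule -A FORWARD -p icmp -j ACCEPT
    rule COMMIT
}

# Succeeds when the kernel is forwarding. The optional path argument lets the
# check run against a saved copy of the file.
check_ip_forward() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ "$(cat "$f" 2>/dev/null)" = 1 ]
}

# Print a rule set when called with the five arguments, e.g.
#   sh nat-rules.sh eth0 eth1 192.168.10.0/24 dhcp 192.168.10.20
if [ $# -eq 5 ]; then
    check_ip_forward || echo "warning: ip_forward is 0, set net.ipv4.ip_forward = 1 first" >&2
    gen_nat_rules "$@"
fi
```

Run it with the five arguments and redirect the output to a file, then check it with iptables-restore --test before copying it over /etc/sysconfig/iptables; the warning on stderr reminds you that the rules are useless while ip_forward is still 0.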


Do not use the system's graphical firewall configuration tool, the one that generates the RH-Firewall-1-INPUT chain; it makes a mess of the rules.


On 5.3 it is very slow: remote desktop freezes and the image stays stuck. It seems the 5.3 default forwarding behaviour is the reason.


On 6.6 there is no problem and the speed is acceptable.


Here are a few network configuration commands


If the machine had only one network card and the second one was added later, then there is only the configuration file for the first card:




There is no ifcfg-eth1; copy ifcfg-eth0 to ifcfg-eth1 and then edit the contents.


To see which network card hardware is present, view the hardware information file:




Confirm that the new network card is there and write down its MAC address.




NAME="System eth1"


Edit the IP address, the netmask and HWADDR (the MAC address). On newer versions there is also a UUID line; the copied value is eth0's and must be changed as well.


The internal network card gets no gateway. PREFIX is the prefix length, just another way of writing the netmask; CentOS 5 writes NETMASK, CentOS 6 writes PREFIX.
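The copy-and-edit step above done as a function, an added example that is not from the original post: it takes an existing ifcfg-eth0, replaces DEVICE, NAME, HWADDR and IPADDR, drops GATEWAY, replaces a copied UUID with a fresh one from the kernel, and writes the mask in whichever form the source file uses (NETMASK on CentOS 5, PREFIX on CentOS 6), converting a prefix length to a dotted mask when needed. The two sample ifcfg-eth0 files and the MAC and IP values in them are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: build ifcfg-eth1 from an
# existing ifcfg-eth0 with every edit the text calls for applied by awk.
# clone_ifcfg SRC_FILE NEW_DEVICE NEW_MAC NEW_IP PREFIX_LEN  -> new config on stdout
clone_ifcfg() {
    src=$1 dev=$2 mac=$3 ip=$4 plen=$5
    # Linux hands out a random UUID here; if it is unavailable the UUID line
    # is dropped, which is safer than keeping eth0's.
    uuid=$(cat /proc/sys/kernel/random/uuid 2>/dev/null || true)
    awk -v dev="$dev" -v mac="$mac" -v ip="$ip" -v plen="$plen" -v uuid="$uuid" '
        # prefix length -> dotted netmask, e.g. 20 -> 255.255.240.0
        function dotted(p,    i, b, s) {
            s = ""
            for (i = 0; i < 4; i++) {
                b = (p >= 8) ? 255 : (p <= 0 ? 0 : 256 - 2^(8 - p))
                p -= 8
                s = s (i ? "." : "") b
            }
            return s
        }
        /^DEVICE=/  { print "DEVICE=" dev; next }
        /^NAME=/    { print "NAME=\"System " dev "\""; next }
        /^HWADDR=/  { print "HWADDR=" mac; next }
        /^IPADDR=/  { print "IPADDR=" ip; next }
        /^PREFIX=/  { print "PREFIX=" plen; next }            # CentOS 6 form
        /^NETMASK=/ { print "NETMASK=" dotted(plen); next }   # CentOS 5 form
        /^GATEWAY=/ { next }                                  # internal card: no gateway
        /^UUID=/    { if (uuid != "") print "UUID=" uuid; next }
        { print }
    ' "$src"
}

# Constructed CentOS 6 style ifcfg-eth0 (not a real machine's config).
sample_ifcfg_eth0_centos6() {
cat <<'EOF'
DEVICE=eth0
HWADDR=00:16:3e:11:22:33
NM_CONTROLLED=yes
ONBOOT=yes
BOOTPROTO=none
IPADDR=203.0.113.5
PREFIX=24
GATEWAY=203.0.113.1
TYPE=Ethernet
UUID=8a2c0c5e-0000-0000-0000-000000000001
NAME="System eth0"
EOF
}

# Constructed CentOS 5 style ifcfg-eth0: NETMASK instead of PREFIX, no UUID.
sample_ifcfg_eth0_centos5() {
cat <<'EOF'
DEVICE=eth0
HWADDR=00:16:3e:11:22:33
ONBOOT=yes
BOOTPROTO=static
IPADDR=203.0.113.5
NETMASK=255.255.255.0
GATEWAY=203.0.113.1
TYPE=Ethernet
EOF
}

# e.g. sh clone-ifcfg.sh /etc/sysconfig/network-scripts/ifcfg-eth0 eth1 00:16:3e:aa:bb:cc 192.168.10.1 24
if [ $# -eq 5 ]; then
    clone_ifcfg "$@"
fi
```

Redirect the output to ifcfg-eth1 in the same directory and compare it against the original with diff before bringing the interface up; the MAC you pass must be the one you wrote down from the hardware listing, otherwise the new file is bound to the wrong card.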


iptables -F


Flushes all rules from every chain of the default table (filter).


iptables -X


Deletes the user-defined chains in the default table (filter); a chain must already be empty to be deleted, so run -F first.


/etc/rc.d/init.d/iptables save, or equivalently service iptables save


Saves the current rules to the configuration file; without this they are lost when the service restarts.


service iptables restart


Restarts the service and reloads the saved rules.