While doing a server migration, it happens that some traffic still go to the old machine because the DNS servers are not yet synced or simply because some people are using the IP address instead of the domain name....
如果进行了服务器迁移,有可能会发生的情况是仍然会有许多到旧设备的连接,原因可能是DNS服务器没有同步,也可能有的人用ip地址进行连接……
By using iptables and its masquerade feature, it is possible to forward all traffic to the old server to the new IP.
通过使用iptables和masquerade ,就可能将原本到旧设备的连接转发到新的ip地址。
This tutorial will show which command lines are required to make this possible.
这篇教程将展示如何通过命令行就能实现种功能。
In this article, it is assumed that you do not have iptables running, or at least no nat table rules for chain PREROUTING and POSTROUTING.
这篇文章里假设你没有运行iptables,或者至少没有nat表在PREROUTING 和POSTROUTING链。
The first thing to do is do enable IP forwarding. This is done either by using:
首先需要开启ip转发功能。这是通过下面实现的:
# echo "1" > /proc/sys/net/ipv4/ip_forward
or
# sysctl net.ipv4.ip_forward=1
Then, we will add a rule telling to forward the traffic on port 1111 to ip 2.2.2.2 on port 1111:
然后,增加下面的规则,将目的端口为1111的包修改目的地址为2.2.2.2,目的端口1111
# iptables -t nat -A PREROUTING -p tcp --dport 1111 -j DNAT --to-destination 2.2.2.2:1111
and finally, we ask IPtables to masquerade:
然后我们让iptables进行ip欺骗
iptables -t nat -A POSTROUTING -j MASQUERADE
Optionally, you could only redirect the traffic from a specific source/network with, for a host only:
另一种方式是,只重定向指定源地址,或源网络的包
# iptables -t nat -A PREROUTING -s 192.168.1.1 -p tcp --dport 1111 -j DNAT --to-destination 2.2.2.2:1111
or for a whole network
# iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 1111 -j DNAT --to-destination 2.2.2.2:1111
that's it, now the traffic to port 1111 will be redirected to IP 2.2.2.2 .
If you go on host 2.2.2.2, you should see a lot of traffic coming from the host doing the redirection.
好了,现在发往端口1111的包被重定向到2.2.2.2