Iptables implementation under the network limited (NTP) synchronization time custom port

# requirementsntpdate 192.168.1.1:123(192.168.1.1:666->10.0.0.1->123)ntpdaete cannot specify the port, the ntpd synchronization is 192.168.1.1:123, but because 123 cannot be accessed normally, the machine has mapped port 666 to port 123 of the back-end ntp server# Solution (time synchronization server, client configuration is as follows), because REDIRECT will access the local machine or access the port in the packet header of the host with this machine as the gateway machine from the original targetThe port is replaced with the specified target port, which does not apply in this case, only the local port is forwarded to another port on the local machine# Since this is the local traffic forwarding configuration, it does not belong to other traffic forwarded to the local machine, so configuring PREROUTING DNAT has no effect, because it will not match the rules here at all# Method 1, POSTROUTING cannot configure DNATiptables -t nat -I OUTPUT -p udp -d 192.168.1.1 --dport 123 -j DNAT --to 192.168.1.1:666# Verification (because there is no actual NTP server in the backend, it will not pass here, we only need to look at the iptables rules)[[email protected] ~]# ntpdate 192.168.1.13 Aug 11:01:34 ntpdate[1734]: no server suitable for synchronization found# iptables rule verification, through pkts, bytes here, it can be seen that the rule takes effect, and the native ntpdate 192.168.1.1:123 -> ntpdate 192.168.1.1:6666 -> (this layer of network equipment is implemented)mapping) ntpdate 10.0.0.1:123[[email protected] ~]# iptables -t nat -nvLspan>Chain OUTPUT (policy ACCEPT 15 packets, 976 bytes)pkts bytes target prot opt ​​in out source destination1 76 DNAT udp -- * * 0.0.0.0/0 192.168.1.1 udp dpt:123 to:192.168.1.1:666