Recently I wanted to upgrade my Minecraft setup. I plan to use different servers for different players. I checked how port forwarding works on my home DD-WRT router, and I got the result: I can use port forwarding in iptables to control which server a player connects to, based on the player's source IP.

So these are my iptables rules:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
logaccept tcp -- 0.0.0.0/0 192.168.1.1 tcp dpt:23
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
DROP 2 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state NEW
logaccept 0 -- 0.0.0.0/0 0.0.0.0/0 state NEW
DROP 0 -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT 47 -- 192.168.1.0/24 0.0.0.0/0
ACCEPT tcp -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:1723
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
lan2wan 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 192.168.1.131 tcp dpt:25565
ACCEPT udp -- 0.0.0.0/0 192.168.1.131 udp dpt:25565
ACCEPT tcp -- 0.0.0.0/0 192.168.1.131 tcp dpt:80
ACCEPT udp -- 0.0.0.0/0 192.168.1.131 udp dpt:80
ACCEPT tcp -- 0.0.0.0/0 192.168.1.131 tcp dpt:443
ACCEPT udp -- 0.0.0.0/0 192.168.1.131 udp dpt:443
ACCEPT tcp -- 0.0.0.0/0 192.168.1.131 tcp dpt:548
ACCEPT udp -- 0.0.0.0/0 192.168.1.131 udp dpt:548
ACCEPT tcp -- 0.0.0.0/0 192.168.1.1 tcp dpt:80
ACCEPT udp -- 0.0.0.0/0 192.168.1.1 udp dpt:80
ACCEPT tcp -- 0.0.0.0/0 192.168.1.1 tcp dpt:443
ACCEPT udp -- 0.0.0.0/0 192.168.1.1 udp dpt:443
ACCEPT tcp -- 0.0.0.0/0 192.168.1.131 tcp dpt:22
ACCEPT udp -- 0.0.0.0/0 192.168.1.131 udp dpt:22
ACCEPT tcp -- 0.0.0.0/0 192.168.1.133 tcp dpt:51413
ACCEPT udp -- 0.0.0.0/0 192.168.1.133 udp dpt:51413
ACCEPT tcp -- 0.0.0.0/0 192.168.1.133 tcp dpt:9091
ACCEPT udp -- 0.0.0.0/0 192.168.1.133 udp dpt:9091
ACCEPT tcp -- 0.0.0.0/0 192.168.1.131 tcp dpt:8123
ACCEPT udp -- 0.0.0.0/0 192.168.1.131 udp dpt:8123
ACCEPT tcp -- 0.0.0.0/0 192.168.1.141 tcp dpt:6699
ACCEPT udp -- 0.0.0.0/0 192.168.1.141 udp dpt:6699
TRIGGER 0 -- 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
trigger_out 0 -- 0.0.0.0/0 0.0.0.0/0
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0 state NEW
DROP 0 -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain advgrp_1 (0 references)
target prot opt source destination

Chain advgrp_10 (0 references)
target prot opt source destination

Chain advgrp_2 (0 references)
target prot opt source destination

Chain advgrp_3 (0 references)
target prot opt source destination

Chain advgrp_4 (0 references)
target prot opt source destination

Chain advgrp_5 (0 references)
target prot opt source destination

Chain advgrp_6 (0 references)
target prot opt source destination

Chain advgrp_7 (0 references)
target prot opt source destination

Chain advgrp_8 (0 references)
target prot opt source destination

Chain advgrp_9 (0 references)
target prot opt source destination

Chain grp_1 (0 references)
target prot opt source destination

Chain grp_10 (0 references)
target prot opt source destination

Chain grp_2 (0 references)
target prot opt source destination

Chain grp_3 (0 references)
target prot opt source destination

Chain grp_4 (0 references)
target prot opt source destination

Chain grp_5 (0 references)
target prot opt source destination

Chain grp_6 (0 references)
target prot opt source destination

Chain grp_7 (0 references)
target prot opt source destination

Chain grp_8 (0 references)
target prot opt source destination

Chain grp_9 (0 references)
target prot opt source destination

Chain lan2wan (1 references)
target prot opt source destination

Chain logaccept (2 references)
target prot opt source destination
ACCEPT 0 -- 0.0.0.0/0 0.0.0.0/0

Chain logdrop (0 references)
target prot opt source destination
DROP 0 -- 0.0.0.0/0 0.0.0.0/0

Chain logreject (0 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp reject-with tcp-reset

Chain trigger_out (1 references)
target prot opt source destination

The only useful chain in this table is FORWARD.

The rule looks like this:

iptables -t nat -I PREROUTING -p tcp -d 192.168.1.1 --dport 10001 -j DNAT --to 192.168.1.131:10002
iptables -I FORWARD -p tcp -d 192.168.1.131 --dport 10002 -j ACCEPT

You should know that you cannot use 127.0.0.1 instead of 192.168.1.1.

So on my test server, I want the user at 192.168.1.133 to be forwarded to the game on 192.168.1.131:10002. All other players will automatically connect to 192.168.1.131:10001.

The rules should look like this on my Linux server:

iptables -t nat -I PREROUTING -p tcp -s 192.168.1.133 -d 192.168.1.131 --dport 10001 -j DNAT --to 192.168.1.131:10002
iptables -I FORWARD -p tcp -s 192.168.1.133 -d 192.168.1.131 --dport 10002 -j ACCEPT

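Test succeeded.

The script:

#!/bin/sh
# Usage: <script> <source ip> <server ip> <service port> <forward port>
iptables -t nat -I PREROUTING -p tcp -s "$1" -d "$2" --dport "$3" -j DNAT --to "$2:$4"
# The filter chains see the packet after DNAT, so match the forward port ($4) as in the rules above
iptables -I FORWARD -p tcp -s "$1" -d "$2" --dport "$4" -j ACCEPT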

$1: source ip
$2: server ip
$3: service port
$4: forward port
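
A stricter variant of the script, as an added example (not the original post's code): it validates every argument before anything reaches iptables and prints the rule pair for review instead of applying it. It generalizes the script by taking a separate listen address and target address, as in the first rule pair above; the function names and the sample addresses (RFC 5737 documentation ranges) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate arguments, then print the DNAT + FORWARD rule
# pair (dry run) so it can be reviewed before being applied as root.

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Succeeds only for a decimal port in 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_rules SRC_IP LISTEN_IP LISTEN_PORT TARGET_IP TARGET_PORT
# Prints the two iptables commands; returns non-zero on bad input.
build_rules() {
    [ "$#" -eq 5 ] || { echo "need 5 arguments" >&2; return 2; }
    for ip in "$1" "$2" "$4"; do
        valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    done
    for port in "$3" "$5"; do
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    done
    # NAT rule: rewrite the destination for this one source only.
    echo "iptables -t nat -I PREROUTING -p tcp -s $1 -d $2 --dport $3 -j DNAT --to-destination $4:$5"
    # Filter rule: FORWARD runs after DNAT, so match the translated address and port.
    echo "iptables -I FORWARD -p tcp -s $1 -d $4 --dport $5 -j ACCEPT"
}

# Constructed sample: documentation addresses for the client and listen IP.
build_rules 203.0.113.7 198.51.100.10 10001 192.168.1.131 10002
```

Both rules keep the `-s` match, so only the listed source is redirected and accepted on the forward port.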

So now I can have my Chinese players play on my Chinese server and US players play on the US server. The server can automatically choose a server depending on region.