Traffic to the public NAT 1:1 IP is blocked from the local LAN network

I have the following network setup:

xxx.xxx.xxx.xxx -> nat 1:1 -> 192.168.0.2 -> 80 port forward -> 192.168.0.10
       ^                           ^                                 ^
       |                           |                                 |
    internet                      VM1                               VM2

If I try to access xxx.xxx.xxx.xxx:80 from a public device (e.g. my phone) everything works fine: I get the web page from 192.168.0.10:80.

The problem is: if I try to access xxx.xxx.xxx.xxx:80 from a LAN client (e.g. 192.168.0.150, on the same network as VM1), I cannot reach the web server (192.168.0.10:80) and the connection times out.

The configuration is as follows:

VM1 with dev ens32 -> 192.168.0.2
net.ipv4.ip_forward=1
/sbin/iptables -F
/sbin/iptables -t nat -F
# incoming connections on ens32 to 80/443 are rewritten to the web server
/sbin/iptables -t nat -A PREROUTING -p tcp -i ens32 --dport 80  -j DNAT --to-destination 192.168.0.10:80
/sbin/iptables -t nat -A PREROUTING -p tcp -i ens32 --dport 443 -j DNAT --to-destination 192.168.0.10:443
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.10 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.10 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# everything leaving via ens32 (the DNATed traffic re-enters the same LAN) gets VM1's own address as source
/sbin/iptables -t nat -A POSTROUTING -o ens32 -j MASQUERADE

Update: tcpdump trace recorded for a request made from the client (192.168.0.150):

16:48:16.227785 IP 192.168.0.150.47391 > 192.168.0.2.https: Flags [S], seq 3088549798, win 65535, options [mss 1460,sackOK,TS val 126143387 ecr 0,nop,wscale 9], length 0
16:48:16.227869 IP 192.168.0.2.47391 > 192.168.0.10.https: Flags [S], seq 3088549798, win 65535, options [mss 1460,sackOK,TS val 126143387 ecr 0,nop,wscale 9], length 0
16:48:16.228268 IP 192.168.0.10.https > 192.168.0.2.47391: Flags [S.], seq 371329525, ack 3088549799, win 28960, options [mss 1460,sackOK,TS val 378079 ecr 126143387,nop,wscale 7], length 0
16:48:16.228296 IP 192.168.0.2.https > 192.168.0.150.47391: Flags [S.], seq 371329525, ack 3088549799, win 28960, options [mss 1460,sackOK,TS val 378079 ecr 126143387,nop,wscale 7], length 0
16:48:16.234087 IP 192.168.0.150.47391 > 192.168.0.2.https: Flags [R], seq 3088549799, win 0, length 0
16:48:16.234113 IP 192.168.0.2.47391 > 192.168.0.10.https: Flags [R], seq 3088549799, win 0, length 0
16:48:16.466921 IP 192.168.0.150.47393 > 192.168.0.2.https: Flags [S], seq 1316556207, win 65535, options [mss 1460,sackOK,TS val 126143412 ecr 0,nop,wscale 9], length 0
16:48:16.466969 IP 192.168.0.2.47393 > 192.168.0.10.https: Flags [S], seq 1316556207, win 65535, options [mss 1460,sackOK,TS val 126143412 ecr 0,nop,wscale 9], length 0
16:48:16.467335 IP 192.168.0.10.https > 192.168.0.2.47393: Flags [S.], seq 1172572926, ack 1316556208, win 28960, options [mss 1460,sackOK,TS val 378138 ecr 126143412,nop,wscale 7], length 0
16:48:16.467360 IP 192.168.0.2.https > 192.168.0.150.47393: Flags [S.], seq 1172572926, ack 1316556208, win 28960, options [mss 1460,sackOK,TS val 378138 ecr 126143412,nop,wscale 7], length 0
16:48:16.469625 IP 192.168.0.150.47393 > 192.168.0.2.https: Flags [R], seq 1316556208, win 0, length 0
16:48:16.469642 IP 192.168.0.2.47393 > 192.168.0.10.https: Flags [R], seq 1316556208, win 0, length 0
16:48:17.211348 IP 192.168.0.150.47391 > 192.168.0.2.https: Flags [S], seq 3088549798, win 65535, options [mss 1460,sackOK,TS val 126143487 ecr 0,nop,wscale 9], length 0
16:48:17.211406 IP 192.168.0.2.47391 > 192.168.0.10.https: Flags [S], seq 3088549798, win 65535, options [mss 1460,sackOK,TS val 126143487 ecr 0,nop,wscale 9], length 0
16:48:17.211783 IP 192.168.0.10.https > 192.168.0.2.47391: Flags [S.], seq 386696842, ack 3088549799, win 28960, options [mss 1460,sackOK,TS val 378324 ecr 126143487,nop,wscale 7], length 0
16:48:17.211807 IP 192.168.0.2.https > 192.168.0.150.47391: Flags [S.], seq 386696842, ack 3088549799, win 28960, options [mss 1460,sackOK,TS val 378324 ecr 126143487,nop,wscale 7], length 0
16:48:17.214283 IP 192.168.0.150.47391 > 192.168.0.2.https: Flags [R], seq 3088549799, win 0, length 0
16:48:17.214301 IP 192.168.0.2.47391 > 192.168.0.10.https: Flags [R], seq 3088549799, win 0, length 0
16:48:17.472667 IP 192.168.0.150.47393 > 192.168.0.2.https: Flags [S], seq 1316556207, win 65535, options [mss 1460,sackOK,TS val 126143512 ecr 0,nop,wscale 9], length 0
16:48:17.472717 IP 192.168.0.2.47393 > 192.168.0.10.https: Flags [S], seq 1316556207, win 65535, options [mss 1460,sackOK,TS val 126143512 ecr 0,nop,wscale 9], length 0
16:48:17.473002 IP 192.168.0.10.https > 192.168.0.2.47393: Flags [S.], seq 1188287718, ack 1316556208, win 28960, options [mss 1460,sackOK,TS val 378390 ecr 126143512,nop,wscale 7], length 0
16:48:17.473017 IP 192.168.0.2.https > 192.168.0.150.47393: Flags [S.], seq 1188287718, ack 1316556208, win 28960, options [mss 1460,sackOK,TS val 378390 ecr 126143512,nop,wscale 7], length 0
16:48:17.476317 IP 192.168.0.150.47393 > 192.168.0.2.https: Flags [R], seq 1316556208, win 0, length 0
16:48:17.476343 IP 192.168.0.2.47393 > 192.168.0.10.https: Flags [R], seq 1316556208, win 0, length 0

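Reading the posted trace (the HTTPS attempt, port 443) as an added diagnostic, not part of the original post: every client SYN already arrives at VM1 addressed to 192.168.0.2 with the client's LAN source intact, is DNATed to VM2 and answered, and VM1 hands the SYN-ACK straight back to 192.168.0.150 with source 192.168.0.2; the client then answers that SYN-ACK with a RST within a few milliseconds. The following Python script is example code written for this page, not from the post: it parses the tcpdump lines exactly as posted, groups them into connection attempts and reports, per attempt, whether the server answered, where the SYN-ACK delivered to the client came from, and who sent the RST. The constants ROUTER and SERVER come from the diagram in the post; the attempt bookkeeping and the "hairpin" label are the editor's interpretation.

```python
import re
from collections import namedtuple

ROUTER = "192.168.0.2"   # VM1, the DNAT/MASQUERADE host; the capture was taken here (from the post)
SERVER = "192.168.0.10"  # VM2, the DNAT target (from the post)

# The tcpdump lines copied verbatim from the post above.
TRACE = """\
16:48:16.227785 IP 192.168.0.150.47391 > 192.168.0.2.https: Flags [S], seq 3088549798, win 65535, options [mss 1460,sackOK,TS val 126143387 ecr 0,nop,wscale 9], length 0
16:48:16.227869 IP 192.168.0.2.47391 > 192.168.0.10.https: Flags [S], seq 3088549798, win 65535, options [mss 1460,sackOK,TS val 126143387 ecr 0,nop,wscale 9], length 0
16:48:16.228268 IP 192.168.0.10.https > 192.168.0.2.47391: Flags [S.], seq 371329525, ack 3088549799, win 28960, options [mss 1460,sackOK,TS val 378079 ecr 126143387,nop,wscale 7], length 0
16:48:16.228296 IP 192.168.0.2.https > 192.168.0.150.47391: Flags [S.], seq 371329525, ack 3088549799, win 28960, options [mss 1460,sackOK,TS val 378079 ecr 126143387,nop,wscale 7], length 0
16:48:16.234087 IP 192.168.0.150.47391 > 192.168.0.2.https: Flags [R], seq 3088549799, win 0, length 0
16:48:16.234113 IP 192.168.0.2.47391 > 192.168.0.10.https: Flags [R], seq 3088549799, win 0, length 0
16:48:16.466921 IP 192.168.0.150.47393 > 192.168.0.2.https: Flags [S], seq 1316556207, win 65535, options [mss 1460,sackOK,TS val 126143412 ecr 0,nop,wscale 9], length 0
16:48:16.466969 IP 192.168.0.2.47393 > 192.168.0.10.https: Flags [S], seq 1316556207, win 65535, options [mss 1460,sackOK,TS val 126143412 ecr 0,nop,wscale 9], length 0
16:48:16.467335 IP 192.168.0.10.https > 192.168.0.2.47393: Flags [S.], seq 1172572926, ack 1316556208, win 28960, options [mss 1460,sackOK,TS val 378138 ecr 126143412,nop,wscale 7], length 0
16:48:16.467360 IP 192.168.0.2.https > 192.168.0.150.47393: Flags [S.], seq 1172572926, ack 1316556208, win 28960, options [mss 1460,sackOK,TS val 378138 ecr 126143412,nop,wscale 7], length 0
16:48:16.469625 IP 192.168.0.150.47393 > 192.168.0.2.https: Flags [R], seq 1316556208, win 0, length 0
16:48:16.469642 IP 192.168.0.2.47393 > 192.168.0.10.https: Flags [R], seq 1316556208, win 0, length 0
16:48:17.211348 IP 192.168.0.150.47391 > 192.168.0.2.https: Flags [S], seq 3088549798, win 65535, options [mss 1460,sackOK,TS val 126143487 ecr 0,nop,wscale 9], length 0
16:48:17.211406 IP 192.168.0.2.47391 > 192.168.0.10.https: Flags [S], seq 3088549798, win 65535, options [mss 1460,sackOK,TS val 126143487 ecr 0,nop,wscale 9], length 0
16:48:17.211783 IP 192.168.0.10.https > 192.168.0.2.47391: Flags [S.], seq 386696842, ack 3088549799, win 28960, options [mss 1460,sackOK,TS val 378324 ecr 126143487,nop,wscale 7], length 0
16:48:17.211807 IP 192.168.0.2.https > 192.168.0.150.47391: Flags [S.], seq 386696842, ack 3088549799, win 28960, options [mss 1460,sackOK,TS val 378324 ecr 126143487,nop,wscale 7], length 0
16:48:17.214283 IP 192.168.0.150.47391 > 192.168.0.2.https: Flags [R], seq 3088549799, win 0, length 0
16:48:17.214301 IP 192.168.0.2.47391 > 192.168.0.10.https: Flags [R], seq 3088549799, win 0, length 0
16:48:17.472667 IP 192.168.0.150.47393 > 192.168.0.2.https: Flags [S], seq 1316556207, win 65535, options [mss 1460,sackOK,TS val 126143512 ecr 0,nop,wscale 9], length 0
16:48:17.472717 IP 192.168.0.2.47393 > 192.168.0.10.https: Flags [S], seq 1316556207, win 65535, options [mss 1460,sackOK,TS val 126143512 ecr 0,nop,wscale 9], length 0
16:48:17.473002 IP 192.168.0.10.https > 192.168.0.2.47393: Flags [S.], seq 1188287718, ack 1316556208, win 28960, options [mss 1460,sackOK,TS val 378390 ecr 126143512,nop,wscale 7], length 0
16:48:17.473017 IP 192.168.0.2.https > 192.168.0.150.47393: Flags [S.], seq 1188287718, ack 1316556208, win 28960, options [mss 1460,sackOK,TS val 378390 ecr 126143512,nop,wscale 7], length 0
16:48:17.476317 IP 192.168.0.150.47393 > 192.168.0.2.https: Flags [R], seq 1316556208, win 0, length 0
16:48:17.476343 IP 192.168.0.2.47393 > 192.168.0.10.https: Flags [R], seq 1316556208, win 0, length 0
"""

Packet = namedtuple("Packet", "ts src sport dst dport flags")

# tcpdump's default one-line TCP format: "HH:MM:SS.usec IP a.b.c.d.port > e.f.g.h.port: Flags [..], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse(text):
    """Turn tcpdump lines into Packet tuples; timestamps become seconds since midnight."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s = m["ts"].split(":")
        ts = int(h) * 3600 + int(mi) * 60 + float(s)
        pkts.append(Packet(ts, m["src"], m["sport"], m["dst"], m["dport"], m["flags"]))
    return pkts


def client_port(p):
    """MASQUERADE kept the client's source port in this trace, so it identifies the flow on both sides of VM1."""
    if p.src == SERVER or (p.src == ROUTER and p.dst != SERVER):
        return p.dport   # packet travelling back towards the client
    return p.sport       # packet travelling towards the server


def analyze(pkts):
    """Group packets into connection attempts (one per client SYN) and record how each attempt ended."""
    attempts, latest = [], {}
    for p in pkts:
        port = client_port(p)
        from_client = p.src not in (ROUTER, SERVER)
        if from_client and p.flags == "S":
            a = {"client": p.src, "port": port, "syn_dst_seen_by_router": p.dst,
                 "reached_server": False, "synack_to_client_from": None,
                 "synack_ts": None, "reset_by": None, "rst_after_synack_ms": None}
            attempts.append(a)
            latest[port] = a          # a retransmitted SYN starts a new attempt on the same port
            continue
        a = latest.get(port)
        if a is None:
            continue
        if p.src == SERVER and p.flags == "S.":
            a["reached_server"] = True          # DNAT worked: VM2 answered the handshake
        elif p.src == ROUTER and p.dst == a["client"] and p.flags == "S.":
            a["synack_to_client_from"] = p.src  # VM1 un-DNATs the reply; the source is VM1's own LAN address
            a["synack_ts"] = p.ts
        elif "R" in p.flags and a["reset_by"] is None:
            a["reset_by"] = "client" if from_client else "server" if p.src == SERVER else "router"
            if a["synack_ts"] is not None:
                a["rst_after_synack_ms"] = round((p.ts - a["synack_ts"]) * 1000, 3)
    return attempts


def hairpin_symptoms(attempts):
    """Attempts the server accepted but the client tore down right after a SYN-ACK sourced from the router."""
    return [a for a in attempts
            if a["reached_server"] and a["synack_to_client_from"] == ROUTER and a["reset_by"] == "client"]


if __name__ == "__main__":
    attempts = analyze(parse(TRACE))
    for a in attempts:
        print(a)
    print(f"{len(hairpin_symptoms(attempts))} of {len(attempts)} attempts reset by the client "
          f"after a SYN-ACK from {ROUTER}")
```

What the output shows: all four attempts (two ports, each retransmitted once) reach VM2 and are answered, and in every one the RST comes from the client 2 to 6 ms after the SYN-ACK. Because the client and VM1 sit on the same LAN, VM1's reply goes to 192.168.0.150 directly and never passes back through the device that did the 1:1 NAT, so the client, which opened its socket to xxx.xxx.xxx.xxx:443, receives a SYN-ACK from 192.168.0.2:443 instead; a TCP stack has no socket matching that source and answers with a RST, and the application keeps retrying until it times out. That is the usual NAT hairpin (reflection) symptom, and it is not something the FORWARD rules on VM1 are dropping.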