我知道對此有很多疑問,但我仍在努力使其發揮作用。
我有一個有 3 個外部 IP 的防火牆。 (為了安全起見,IP已隨機更改)
eth0 Link encap:Ethernet HWaddr 50:46:5d:64:ed:e4
inet addr:51.215.232.147 Bcast:51.215.232.159 Mask:255.255.255.240
inet6 addr: fe80::5246:5dff:fe64:ede4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:70219084 errors:0 dropped:17443 overruns:0 frame:0
TX packets:63956103 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:51508818511 (51.5 GB) TX bytes:27933240304 (27.9 GB)
eth0:1 Link encap:Ethernet HWaddr 50:46:5d:64:ed:e4
inet addr:51.215.232.148 Bcast:51.215.232.159 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:2 Link encap:Ethernet HWaddr 50:46:5d:64:ed:e4
inet addr:51.215.232.150 Bcast:51.215.232.159 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
我有這些簡單的規則:
# Generated by iptables-save v1.4.10 on Sat Mar 3 14:48:42 2012
*filter
:INPUT ACCEPT [13766:4986720]
:FORWARD ACCEPT [992:122980]
:OUTPUT ACCEPT [11894:5582822]
-A FORWARD -s 172.16.0.0/16 -o eth0 -j ACCEPT
-A FORWARD -d 172.16.0.0/16 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Mar 3 14:48:42 2012
# Generated by iptables-save v1.4.10 on Sat Mar 3 14:48:42 2012
*nat
:PREROUTING ACCEPT [77:8206]
:INPUT ACCEPT [48:6367]
:OUTPUT ACCEPT [55:3300]
:POSTROUTING ACCEPT [55:3300]
-A POSTROUTING -s 172.16.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.10.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.1.0.0/16 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Mar 3 14:48:42 2012
所以我想將所有從 51.215.232.150 轉發到內部 IP 172.16.5.218。
所以我認為這會起作用:
iptables -t nat -I PREROUTING -p tcp -d 51.215.232.150 -j DNAT --to 172.16.5.218
但可惜沒有。
提前致謝。愛德華
答案1
通常我會說您需要相應的 FORWARD 規則才能真正允許流量通過 FILTER 表:
iptables -A FORWARD -p tcp -d 172.16.5.218 -j ACCEPT
但是您對 FORWARD 表的策略已經是 ACCEPT,沒有 REJECT 或 DROP 規則,因此應該會順利進行。
嘗試新增 TRACE 規則以查看資料包的去向:
iptables -t raw -I PREROUTING -p tcp -d 51.215.232.150 -j TRACE
另外,你測試得怎麼樣?您能看到實際到達盒子的流量嗎?
tcpdump -lnn -i eth0 host 51.215.232.150