Iptables

使用 iptables 防火牆的 NAT / 埠轉發

  • April 4, 2013

我有以下設置:

  • 防火牆(iptables)

    • eth0 內部介面,192.168.2.10
    • ppp0 外部介面,public_ip(IP偽裝)
  • 伺服器1(192.168.2.11),服務1(443埠)

  • server2(192.168.2.12),服務2(443埠)

  • 客戶端 1 (192.168.2.21) …

防火牆將 iptables 用於以下埠轉發規則:

  • 埠 10000 -> 192.168.2.11:443
  • 埠 10001 -> 192.168.2.12:443

這樣,可以使用公共 IP 地址和埠 10001/10002 從 Internet 訪問這兩個服務。不幸的是,client1(以及來自內部網路的其他客戶端)必須使用伺服器 IP/埠:他們可以使用 192.168.2.11:443 和 192.168.2.12:443 訪問服務,但不能使用 public_ip:10001/10002。

也許這些問題是由 INPUT 與 FORWARD 鏈在 PREROUTING 鏈行為方面的差異引起的?

我能做些什麼來改變這種情況?(我使用“Arno 的 iptables 防火牆”腳本,如果這有幫助的話。)非常感謝任何指點。

編輯:這是 iptables 配置:

iptables -nvL

Chain INPUT (policy DROP 3 packets, 156 bytes)
pkts bytes target     prot opt in     out     source               destination         
27362   13M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
482K   35M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED tcp dpts:1024:65535 
   0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED udp dpts:1024:65535 
1012 57505 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED 
411K   31M HOST_BLOCK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
409K   31M MAC_FILTER  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
   0     0 MAC_FILTER  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
411K   31M SPOOF_CHK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
1606  128K VALID_CHK  all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0           
1179  108K EXT_INPUT_CHAIN !icmp --  ppp+   *       0.0.0.0/0            0.0.0.0/0           state NEW 
  47  2340 EXT_INPUT_CHAIN  icmp --  ppp+   *       0.0.0.0/0            0.0.0.0/0           state NEW limit: avg 60/sec burst 100 
   0     0 EXT_ICMP_FLOOD_CHAIN  icmp --  ppp+   *       0.0.0.0/0            0.0.0.0/0           state NEW 
409K   31M LAN_INPUT_CHAIN  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
   0     0 LAN_INPUT_CHAIN  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
   0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Dropped INPUT packet: ' 
   0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         
   0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
98717 5423K TCPMSS     tcp  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
 41M   24G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
 187  9724 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED tcp dpts:1024:65535 
   0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED udp dpts:1024:65535 
 271 17208 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED 
125K 7842K HOST_BLOCK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
78962 5186K MAC_FILTER  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
   0     0 MAC_FILTER  all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
46489 2656K UPNP_FORWARD  all  --  ppp+   !ppp+   0.0.0.0/0            0.0.0.0/0           
125K 7842K SPOOF_CHK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
46489 2656K VALID_CHK  all  --  ppp+   *       0.0.0.0/0            0.0.0.0/0           
  24 19108 ACCEPT     all  --  eth0   eth0    0.0.0.0/0            0.0.0.0/0           
78938 5167K LAN_INET_FORWARD_CHAIN  all  --  eth0   ppp+    0.0.0.0/0            0.0.0.0/0           
   0     0 ACCEPT     all  --  tun0   tun0    0.0.0.0/0            0.0.0.0/0           
   0     0 LAN_INET_FORWARD_CHAIN  all  --  tun0   ppp+    0.0.0.0/0            0.0.0.0/0           
 698 41908 ACCEPT     tcp  --  ppp+   !ppp+   0.0.0.0/0            192.168.2.38        tcp dpt:22 
 118  6564 ACCEPT     tcp  --  ppp+   !ppp+   0.0.0.0/0            192.168.2.38        tcp dpt:443 
45546 2601K ACCEPT     tcp  --  ppp+   !ppp+   0.0.0.0/0            192.168.2.38        tcp dpt:8443 
   0     0 ACCEPT     tcp  --  ppp+   !ppp+   0.0.0.0/0            192.168.2.38        tcp dpt:8899 
   7   364 ACCEPT     tcp  --  ppp+   !ppp+   0.0.0.0/0            192.168.2.37        tcp dpt:22 
  15   788 ACCEPT     tcp  --  ppp+   !ppp+   0.0.0.0/0            192.168.2.41        tcp dpt:443 
 105  5464 ACCEPT     tcp  --  ppp+   !ppp+   0.0.0.0/0            192.168.2.45        tcp dpt:443 
   0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/min burst 3 LOG flags 0 level 6 prefix `Dropped FORWARD packet: ' 
   0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 5403 packets, 1746K bytes)
pkts bytes target     prot opt in     out     source               destination         
   2   120 TCPMSS     tcp  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
424K   66M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
437K   33M HOST_BLOCK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `FRAGMENTED PACKET (OUT): ' 
   0     0 DROP       all  -f  *      *       0.0.0.0/0            0.0.0.0/0           
431K   31M EXT_OUTPUT_CHAIN  all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           

Chain DMZ_INET_FORWARD_CHAIN (0 references)
pkts bytes target     prot opt in     out     source               destination         

Chain DMZ_INPUT_CHAIN (0 references)
pkts bytes target     prot opt in     out     source               destination         

Chain DMZ_LAN_FORWARD_CHAIN (0 references)
pkts bytes target     prot opt in     out     source               destination         

Chain EXT_ICMP_FLOOD_CHAIN (1 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP-request(ping) flood: ' 
   0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
   0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP-unreachable flood: ' 
   0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 
   0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP-source-quench flood: ' 
   0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4 
   0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP-time-exceeded flood: ' 
   0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 
   0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 12 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP-param.-problem flood: ' 
   0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 12 
   0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP(other) flood: ' 
   0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain EXT_INPUT_CHAIN (2 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:0 limit: avg 6/hour burst 1 LOG flags 0 level 6 prefix `TCP port 0 OS fingerprint: ' 
   0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:0 limit: avg 6/hour burst 1 LOG flags 0 level 6 prefix `UDP port 0 OS fingerprint: ' 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:0 
   0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:0 
   0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:0 limit: avg 6/hour burst 5 LOG flags 0 level 6 prefix `TCP source port 0: ' 
   0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:0 limit: avg 6/hour burst 5 LOG flags 0 level 6 prefix `UDP source port 0: ' 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:0 
   0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:0 
   0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68 
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
   0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1194 
   0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194 
  31  1472 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 3/min burst 1 LOG flags 0 level 6 prefix `ICMP-request: ' 
   0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP-unreachable: ' 
   0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP-source-quench: ' 
   0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP-time-exceeded: ' 
   0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 12 limit: avg 12/hour burst 1 LOG flags 0 level 6 prefix `ICMP-param.-problem: ' 
  53  8304 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535 flags:!0x17/0x02 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Stealth scan (UNPRIV)?: ' 
   0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:0:1023 flags:!0x17/0x02 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Stealth scan (PRIV)?: ' 
  85 17495 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 
 167  9228 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix `Connection attempt (PRIV): ' 
  18  1193 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:0:1023 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix `Connection attempt (PRIV): ' 
 481 22848 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix `Connection attempt (UNPRIV): ' 
 172 44040 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:1024:65535 limit: avg 6/min burst 2 LOG flags 0 level 6 prefix `Connection attempt (UNPRIV): ' 
 870 43344 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
 224 47492 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           
  47  2340 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
   0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/min burst 5 LOG flags 0 level 6 prefix `Other-IP connection attempt: ' 
   0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain EXT_OUTPUT_CHAIN (1 references)
pkts bytes target     prot opt in     out     source               destination         
431K   31M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain HOST_BLOCK (3 references)
pkts bytes target     prot opt in     out     source               destination         

Chain INET_DMZ_FORWARD_CHAIN (0 references)
pkts bytes target     prot opt in     out     source               destination         

Chain LAN_INET_FORWARD_CHAIN (2 references)
pkts bytes target     prot opt in     out     source               destination         
 354 21240 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 20/sec burst 100 
   0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 3/min burst 1 LOG flags 0 level 6 prefix `ICMP-request: ' 
   0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
78584 5145K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LAN_INPUT_CHAIN (2 references)
pkts bytes target     prot opt in     out     source               destination         
18741 1705K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 20/sec burst 100 
   0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 3/min burst 1 LOG flags 0 level 6 prefix `ICMP-request: ' 
   0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
390K   30M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain MAC_FILTER (4 references)
pkts bytes target     prot opt in     out     source               destination         

Chain RESERVED_NET_CHK (0 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 LOG        all  --  *      *       10.0.0.0/8           0.0.0.0/0           limit: avg 1/min burst 1 LOG flags 0 level 6 prefix `Class A address: ' 
   0     0 LOG        all  --  *      *       172.16.0.0/12        0.0.0.0/0           limit: avg 1/min burst 1 LOG flags 0 level 6 prefix `Class B address: ' 
   0     0 LOG        all  --  *      *       192.168.0.0/16       0.0.0.0/0           limit: avg 1/min burst 1 LOG flags 0 level 6 prefix `Class C address: ' 
   0     0 LOG        all  --  *      *       169.254.0.0/16       0.0.0.0/0           limit: avg 1/min burst 1 LOG flags 0 level 6 prefix `Class M$ address: ' 
   0     0 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0           
   0     0 DROP       all  --  *      *       172.16.0.0/12        0.0.0.0/0           
   0     0 DROP       all  --  *      *       192.168.0.0/16       0.0.0.0/0           
   0     0 DROP       all  --  *      *       169.254.0.0/16       0.0.0.0/0           

Chain SPOOF_CHK (2 references)
pkts bytes target     prot opt in     out     source               destination         
488K   37M RETURN     all  --  eth0   *       192.168.2.0/24       0.0.0.0/0           
   0     0 RETURN     all  --  tun0   *       192.168.2.0/24       0.0.0.0/0           
   0     0 LOG        all  --  *      *       192.168.2.0/24       0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Spoofed packet: ' 
   0     0 DROP       all  --  *      *       192.168.2.0/24       0.0.0.0/0           
48223 2834K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain UPNP_FORWARD (1 references)
pkts bytes target     prot opt in     out     source               destination         

Chain VALID_CHK (2 references)
pkts bytes target     prot opt in     out     source               destination         
   0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Stealth XMAS scan: ' 
   0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x37 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Stealth XMAS-PSH scan: ' 
   0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Stealth XMAS-ALL scan: ' 
   0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x01 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Stealth FIN scan: ' 
   0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Stealth SYN/RST scan: ' 
   0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Stealth SYN/FIN scan(?): ' 
   0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `Stealth Null scan: ' 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x37 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x01 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 
   0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp option=64 limit: avg 3/min burst 1 LOG flags 0 level 6 prefix `Bad TCP flag(64): ' 
   0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp option=128 limit: avg 3/min burst 1 LOG flags 0 level 6 prefix `Bad TCP flag(128): ' 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp option=64 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp option=128 
 380 17623 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
   0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 1 LOG flags 0 level 4 prefix `Fragmented packet: ' 
   0     0 DROP       all  -f  *      *       0.0.0.0/0            0.0.0.0/0           

iptables -t nat -nvL

Chain PREROUTING (policy ACCEPT 428K packets, 31M bytes)
pkts bytes target     prot opt in     out     source               destination         
 697 41688 DNAT       tcp  --  ppp+   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 to:192.168.2.38 
 118  6564 DNAT       tcp  --  ppp+   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:192.168.2.38 
45542 2601K DNAT       tcp  --  ppp+   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8443 to:192.168.2.38 
   0     0 DNAT       tcp  --  ppp+   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8899 to:192.168.2.38 
   7   364 DNAT       tcp  --  ppp+   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:222 to:192.168.2.37:22 
  15   788 DNAT       tcp  --  ppp+   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8082 to:192.168.2.41:443 
 105  5464 DNAT       tcp  --  ppp+   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8083 to:192.168.2.45:443 

Chain POSTROUTING (policy ACCEPT 479K packets, 34M bytes)
pkts bytes target     prot opt in     out     source               destination         
49079 2610K TCPMSS     tcp  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
62427 3638K MASQUERADE  all  --  *      ppp+    192.168.2.0/24      !192.168.2.0/24      

Chain OUTPUT (policy ACCEPT 432K packets, 31M bytes)
pkts bytes target     prot opt in     out     source               destination         

謝謝,搜尋“Hairpin NAT”的提示幫助我解決了我的問題。對於其他感興趣的使用者,這裡有一些神奇的規則:

iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 443 -j DNAT --to-destination $OFFICE
iptables -t nat -A POSTROUTING -s $INT_NET -d $SERVER-p tcp --dport 443 -j SNAT --to-source $FIREWALL

謝謝你的幫助!

引用自:https://serverfault.com/questions/495823