Linux

iptables: forward ports from the ext network to the int network

  • July 20, 2016

I have 2 IP addresses on iface eth0:

eth0      Link encap:Ethernet  HWaddr 00:19:99:a4:14:08  
         inet addr:85.25.152.115  Bcast:85.25.152.255  Mask:255.255.255.0
         inet6 addr: fe80::219:99ff:fea4:1408/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:233866 errors:0 dropped:0 overruns:0 frame:0
         TX packets:145186 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000 
         RX bytes:175800889 (167.6 MiB)  TX bytes:38033903 (36.2 MiB)
         Interrupt:18 

eth0:1    Link encap:Ethernet  HWaddr 00:19:99:a4:14:08  
         inet addr:85.25.248.216  Bcast:85.25.248.255  Mask:255.255.255.192
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         Interrupt:18 

I have an internal virtual iface for the VirtualBox guest:

tap0      Link encap:Ethernet  HWaddr ae:ba:ce:d7:7d:bd  
         inet addr:10.0.1.1  Bcast:10.255.255.255  Mask:255.0.0.0
         inet6 addr: fe80::acba:ceff:fed7:7dbd/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:111 overruns:0 carrier:0
         collisions:0 txqueuelen:500 
         RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

10.0.1.1 is the GW for the VM (10.0.1.2). Forwarding from 10.0.1.2 to the Internet works perfectly, but when I try to redirect all ports from 85.25.248.216 (eth0:1) to 10.0.1.2, it fails:

iptables -t nat -A PREROUTING -d 85.25.248.216 -j DNAT --to-destination 10.0.1.2
nmap -A -v 85.25.248.216
<...>
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.8p1 Debian 4 (protocol 2.0)
| ssh-hostkey: 1024 4e:3e:ce:86:24:f8:54:7a:68:67:be:57:92:62:00:f0 (DSA)
|_2048 36:f5:0d:4c:1b:58:b8:f9:ff:0f:47:ba:88:43:69:bd (RSA)
10000/tcp open  http    MiniServ 1.540 (Webmin httpd)
|_html-title: Site doesn't have a title (text/html).
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.19 - 2.6.31

india827:~# iptables --list -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  anywhere             static-ip-85-25-248-216.inaddr.intergenia.de to:10.0.1.2 
DNAT       tcp  --  anywhere             static-ip-85-25-248-216.inaddr.intergenia.de tcp dpt:3389 to:10.0.1.2 

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  anywhere             static-ip-85-25-248-216.inaddr.intergenia.de to:10.0.1.2 

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            
SNAT       all  --  anywhere             anywhere            to:85.25.248.216 

The VM runs Windows, and at least 3389 (RDP) must be open, but I (of course!) cannot connect to it either. Where is the error?

New rules:

iptables -t nat -A PREROUTING -d 85.25.248.216 -j DNAT --to-destination 10.0.1.2
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW -d 10.0.1.2 -j ACCEPT

The result is the same...

The iptables command is correct, so it must be something in the context. I'll try to guess.

IP forwarding is not enabled.

cat /proc/sys/net/ipv4/ip_forward

should give a value of 1. If not, set it to 1:

echo 1 > /proc/sys/net/ipv4/ip_forward

You are SNATing 10.0.1.2's way out to 85.25.152.115.

iptables --list -t nat

should reveal this.

Why not just use VirtualBox NAT forwarding?
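The checks and rules the answer above describes, consolidated into one script as an added example (not the poster's commands): it verifies ip_forward, forwards only the named TCP ports (3389 here) instead of every port, and inserts a specific SNAT ahead of the broad MASQUERADE so replies leave as 85.25.248.216 rather than the primary address. It assumes eth0 is the public interface, tap0 the VM side and 10.0.1.2 the VM, as in the question; DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the public address sits on
# eth0 (the eth0:1 alias still arrives on eth0; netfilter cannot match "eth0:1"),
# the VM side is tap0 and the VM is 10.0.1.2, as in the question.
# DRY_RUN=1 prints each command instead of running it, for review without root.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# True when the kernel forwards IPv4; the path is a parameter so the check can
# be exercised against a constructed file instead of /proc.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = 1 ]
}

# apply_forwarding EXT_IP VM_IP EXT_IF INT_IF PORT...
# Forwards only the listed TCP ports (least exposure) and lets the FORWARD
# chain pass the DNATed connections plus their replies.
apply_forwarding() {
    ext_ip=$1; vm_ip=$2; ext_if=$3; int_if=$4; shift 4
    for port in "$@"; do
        run iptables -t nat -A PREROUTING -i "$ext_if" -p tcp -d "$ext_ip" \
            --dport "$port" -j DNAT --to-destination "$vm_ip"
        run iptables -A FORWARD -i "$ext_if" -o "$int_if" -p tcp -d "$vm_ip" \
            --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The VM's outbound traffic must leave as the forwarded address; inserted at
    # position 1 so an earlier, broader MASQUERADE (primary address) cannot win.
    run iptables -t nat -I POSTROUTING 1 -o "$ext_if" -s "$vm_ip" \
        -j SNAT --to-source "$ext_ip"
}

main() {
    if ! ip_forward_enabled; then
        echo "net.ipv4.ip_forward is 0; run: sysctl -w net.ipv4.ip_forward=1" >&2
        exit 1
    fi
    apply_forwarding "$@"
}

# Usage (as root): sh forward.sh 85.25.248.216 10.0.1.2 eth0 tap0 3389
[ "$#" -eq 0 ] || main "$@"
```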

http://www.virtualbox.org/manual/ch06.html#natforward

Then just adjust iptables to open the host ports. You're already running a NAT router in VirtualBox, so why run two?

Source: https://serverfault.com/questions/256508