Linux
iptables forwarding ports from the ext network to the int one
I have 2 IP addresses on iface eth0:
eth0      Link encap:Ethernet  HWaddr 00:19:99:a4:14:08
          inet addr:85.25.152.115  Bcast:85.25.152.255  Mask:255.255.255.0
          inet6 addr: fe80::219:99ff:fea4:1408/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:233866 errors:0 dropped:0 overruns:0 frame:0
          TX packets:145186 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:175800889 (167.6 MiB)  TX bytes:38033903 (36.2 MiB)
          Interrupt:18

eth0:1    Link encap:Ethernet  HWaddr 00:19:99:a4:14:08
          inet addr:85.25.248.216  Bcast:85.25.248.255  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:18
I have an internal virtual iface for the virtualbox guest:
tap0      Link encap:Ethernet  HWaddr ae:ba:ce:d7:7d:bd
          inet addr:10.0.1.1  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::acba:ceff:fed7:7dbd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:111 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
10.0.1.1 is the GW for the VM (10.0.1.2). Forwarding from 10.0.1.2 to the Internet works perfectly, but when I try to redirect all ports from 85.25.248.216 (eth0:1) to 10.0.1.2, it fails:
iptables -t nat -A PREROUTING -d 85.25.248.216 -j DNAT --to-destination 10.0.1.2

nmap -A -v 85.25.248.216
<...>
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 5.8p1 Debian 4 (protocol 2.0)
| ssh-hostkey: 1024 4e:3e:ce:86:24:f8:54:7a:68:67:be:57:92:62:00:f0 (DSA)
|_2048 36:f5:0d:4c:1b:58:b8:f9:ff:0f:47:ba:88:43:69:bd (RSA)
10000/tcp open  http    MiniServ 1.540 (Webmin httpd)
|_html-title: Site doesn't have a title (text/html).
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.19 - 2.6.31

india827:~# iptables --list -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  anywhere             static-ip-85-25-248-216.inaddr.intergenia.de  to:10.0.1.2
DNAT       tcp  --  anywhere             static-ip-85-25-248-216.inaddr.intergenia.de  tcp dpt:3389 to:10.0.1.2

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DNAT       all  --  anywhere             static-ip-85-25-248-216.inaddr.intergenia.de  to:10.0.1.2

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  anywhere             anywhere
SNAT       all  --  anywhere             anywhere             to:85.25.248.216
The VM runs Windows and must at least have 3389 (RDP) open, but I (of course!) can't connect to that either. Where is the mistake?
New rules:
iptables -t nat -A PREROUTING -d 85.25.248.216 -j DNAT --to-destination 10.0.1.2
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate NEW -d 10.0.1.2 -j ACCEPT
Same result...
The iptables commands are correct, so it must be something in the context. I'll try to guess.
IP forwarding is not enabled.
cat /proc/sys/net/ipv4/ip_forward
should give a value of 1. If it does not, set it to 1:
echo 1 > /proc/sys/net/ipv4/ip_forward
You are SNATing 10.0.1.2's way out to 85.25.152.115.
iptables --list -t nat
should reveal that.
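A consolidated version of the checks and rules discussed above, as an added example that is not part of either answer: it verifies ip_forward before applying anything, narrows the DNAT from "all ports" to the single RDP port the question needs, adds the FORWARD rules the first rule set lacked, and pins the POSTROUTING SNAT to the VM's source address and the outside interface so it does not rewrite every packet the way the existing `SNAT all -- anywhere anywhere` does. Addresses and interface names are the ones from the question; `build_rules` only prints the rules so they can be reviewed before being piped to a shell.

```shell
#!/bin/sh
# Added example, not from the original post. Values below are taken from the
# question; adjust them for another host.
PUBLIC_IP="85.25.248.216"   # eth0:1 alias that should reach the VM
VM_IP="10.0.1.2"            # VirtualBox guest behind tap0
VM_PORT="3389"              # RDP, the only port the question needs exposed
EXT_IF="eth0"
INT_IF="tap0"

# Return 0 when IPv4 forwarding is on. The file path is a parameter so a test
# can point it at a constructed file instead of /proc.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# Print the rule set (one iptables command per line) instead of applying it.
# Arguments: public IP, VM IP, port.
build_rules() {
    pub="$1"; vm="$2"; port="$3"
    cat <<EOF
iptables -t nat -A PREROUTING -i $EXT_IF -d $pub -p tcp --dport $port -j DNAT --to-destination $vm:$port
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $vm --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s $vm -o $EXT_IF -j SNAT --to-source $pub
EOF
}

# Apply the rules, refusing to continue while forwarding is off (the first
# thing the answer above tells you to check).
apply_rules() {
    if ! ip_forward_enabled; then
        echo "ip_forward is 0; enable it first: echo 1 > /proc/sys/net/ipv4/ip_forward" >&2
        return 1
    fi
    build_rules "$PUBLIC_IP" "$VM_IP" "$VM_PORT" | sh -e
}
```

Review the output of `build_rules "$PUBLIC_IP" "$VM_IP" "$VM_PORT"` first; `apply_rules` needs root and a clean FORWARD/nat table, otherwise the old `DNAT all` and `SNAT all` rules still match ahead of these.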
Why not just use VirtualBox NAT forwarding?
http://www.virtualbox.org/manual/ch06.html#natforward
Then just adjust iptables to open the host port. You are already running one NAT router in VirtualBox, why run two?