Ubuntu
iptables DNAT 埠轉發到區域網路上的另一台機器
我正在嘗試實現 iptables 轉發規則,以便在內部重定向來自特定埠的數據包。
我的機器在Ubuntu Server 12.04.3發行版下執行,帶有 UFW 和所有最新更新。
到目前為止,我能夠建立一個部分工作的設置,如下所示:
iptables -A PREROUTING -t nat -p tcp --dport 40591 -j DNAT --to 192.168.0.100:40591 iptables -A ufw-user-forward -p tcp -d 192.168.0.100 --dport 40591 -j ACCEPT iptables -t nat -A POSTROUTING -j MASQUERADE iptables -A ufw-user-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
如該塊所示,目標收件人是192.168.0.100和埠40591。
然而,問題很快就出現了,我注意到我的 apache2 服務輸出了很多錯誤;我的 PHP 腳本不再能夠通過127.0.0.1連接到我的數據庫,因為據稱連接是從其 LAN 地址*(192.168.0.10* ) 啟動的。
為了確認問題的根源,我嘗試過:
- strace - 我的 PHP 腳本,但除了確認我已經知道的(即連接在本地啟動並神奇地轉移到伺服器的本地地址( 192.168.0.10))之外,沒有吐出任何確鑿的資訊
- 使用命令tcpdump -ing 埠 3306
tcpdump -e -i any -n -s0 tcp port 3306
tcpdump
之前(添加規則)
04:51:30.043660 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 76: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [S], seq 1373736824, win 43690, options [mss 65495,sackOK,TS val 33638495 ecr 0,nop,wscale 7], length 0 04:51:30.043679 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 76: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [S.], seq 3532787939, ack 1373736825, win 43690, options [mss 65495,sackOK,TS val 33638495 ecr 33638495,nop,wscale 7], length 0 04:51:30.043692 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [.], ack 1, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 0 04:51:30.043935 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 163: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [P.], seq 1:96, ack 1, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 95 04:51:30.043992 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [.], ack 96, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 0 04:51:30.044044 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 173: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [P.], seq 1:106, ack 96, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 105 04:51:30.044077 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [.], ack 106, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 0 04:51:30.044152 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 79: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [P.], seq 96:107, ack 106, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 11 04:51:30.044240 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 115: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [P.], seq 106:153, ack 107, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 47 04:51:30.044560 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 413: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [P.], seq 107:452, ack 153, win 342, options [nop,nop,TS val 33638496 ecr 33638495], length 345 04:51:30.052507 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 204: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [P.], seq 153:289, ack 452, win 350, options [nop,nop,TS val 33638498 ecr 33638496], length 136 04:51:30.052907 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 471: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [P.], seq 452:855, ack 289, win 350, options [nop,nop,TS val 33638498 ecr 33638498], length 403 04:51:30.053042 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 302: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [P.], seq 289:523, ack 855, win 359, options [nop,nop,TS val 33638498 ecr 33638498], length 234 04:51:30.092217 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 79: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [P.], seq 855:866, ack 523, win 359, options [nop,nop,TS val 33638507 ecr 33638498], length 11 04:51:30.092377 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 73: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [P.], seq 523:528, ack 866, win 359, options [nop,nop,TS val 33638508 ecr 33638507], length 5 04:51:30.092404 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [F.], seq 528, ack 866, win 359, options [nop,nop,TS val 33638508 ecr 33638507], length 0 04:51:30.092427 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [F.], seq 866, ack 529, win 359, options [nop,nop,TS val 33638508 ecr 33638508], length 0 04:51:30.092446 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [.], ack 867, win 359, options [nop,nop,TS val 33638508 ecr 33638508], length 0
後
04:32:38.264052 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 76: 192.168.0.10.46454 > 127.0.0.1.3306: Flags [S], seq 344014396, win 43690, options [mss 65495,sackOK,TS val 33355550 ecr 0,nop,wscale 7], length 0 04:32:38.264072 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 76: 127.0.0.1.3306 > 127.0.0.1.46454: Flags [S.], seq 1406967667, ack 344014397, win 43690, options [mss 65495,sackOK,TS val 33355550 ecr 33355550,nop,wscale 7], length 0 04:32:38.264086 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 192.168.0.10.46454 > 127.0.0.1.3306: Flags [.], ack 1406967668, win 342, options [nop,nop,TS val 33355550 ecr 33355550], length 0 04:32:38.264337 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 141: 127.0.0.1.3306 > 127.0.0.1.46454: Flags [P.], seq 1:74, ack 1, win 342, options [nop,nop,TS val 33355551 ecr 33355550], length 73 04:32:38.264388 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.3306 > 127.0.0.1.46454: Flags [F.], seq 74, ack 1, win 342, options [nop,nop,TS val 33355551 ecr 33355550], length 0 04:32:38.264450 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 192.168.0.10.46454 > 127.0.0.1.3306: Flags [.], ack 74, win 342, options [nop,nop,TS val 33355551 ecr 33355551], length 0 04:32:38.264488 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 192.168.0.10.46454 > 127.0.0.1.3306: Flags [F.], seq 0, ack 75, win 342, options [nop,nop,TS val 33355551 ecr 33355551], length 0 04:32:38.264506 In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.3306 > 127.0.0.1.46454: Flags [.], ack 2, win 342, options [nop,nop,TS val 33355551 ecr 33355551], length 0
因此,我的設置出了問題,我不太確定如何使用 iptables 規則實現穩定的、經過 NAT 的轉發設置。
所以我的問題是:是什麼導致了這個問題,我該如何解決?
謝謝。
我不清楚您是在單宿主機還是雙宿主機上執行此操作。您沒有在
iptables
規則中指定任何介面,這讓我感到困惑。在我看來,
iptables -t nat -A POSTROUTING -j MASQUERADE
規則是你的罪魁禍首。這將導致所有介面上的傳出流量被 SNAT 到介面的 IP 地址。我不認為你想要那個。您應該將該規則上的面向 Internet 的介面指定為-o
介面。