Ubuntu

iptables DNAT 埠轉發到區域網路上的另一台機器

  • January 28, 2014

我正在嘗試實現 iptables 轉發規則,以便在內部重定向來自特定埠的數據包。

我的機器在Ubuntu Server 12.04.3發行版下執行,帶有 UFW 和所有最新更新。

到目前為止,我能夠建立一個部分工作的設置,如下所示:

iptables -A PREROUTING -t nat -p tcp --dport 40591 -j DNAT --to 192.168.0.100:40591
iptables -A ufw-user-forward -p tcp -d 192.168.0.100 --dport 40591 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A ufw-user-forward -m state --state RELATED,ESTABLISHED -j ACCEPT

如該塊所示,目標收件人是192.168.0.100和埠40591

然而,問題很快就出現了,我注意到我的 apache2 服務輸出了很多錯誤;我的 PHP 腳本不再能夠通過127.0.0.1連接到我的數據庫,因為據稱連接是從其 LAN 地址*(192.168.0.10* ) 啟動的。

為了確認問題的根源,我嘗試過:

  1. strace - 我的 PHP 腳本,但除了確認我已經知道的(即連接在本地啟動並神奇地轉移到伺服器的本地地址( 192.168.0.10))之外,沒有吐出任何確鑿的資訊
  2. 使用命令tcpdump -ing 埠 3306tcpdump -e -i any -n -s0 tcp port 3306

tcpdump

之前(添加規則)

04:51:30.043660  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 76: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [S], seq 1373736824, win 43690, options [mss 65495,sackOK,TS val 33638495 ecr 0,nop,wscale 7], length 0
04:51:30.043679  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 76: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [S.], seq 3532787939, ack 1373736825, win 43690, options [mss 65495,sackOK,TS val 33638495 ecr 33638495,nop,wscale 7], length 0
04:51:30.043692  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [.], ack 1, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 0
04:51:30.043935  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 163: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [P.], seq 1:96, ack 1, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 95
04:51:30.043992  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [.], ack 96, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 0
04:51:30.044044  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 173: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [P.], seq 1:106, ack 96, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 105
04:51:30.044077  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [.], ack 106, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 0
04:51:30.044152  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 79: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [P.], seq 96:107, ack 106, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 11
04:51:30.044240  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 115: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [P.], seq 106:153, ack 107, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 47
04:51:30.044560  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 413: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [P.], seq 107:452, ack 153, win 342, options [nop,nop,TS val 33638496 ecr 33638495], length 345
04:51:30.052507  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 204: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [P.], seq 153:289, ack 452, win 350, options [nop,nop,TS val 33638498 ecr 33638496], length 136
04:51:30.052907  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 471: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [P.], seq 452:855, ack 289, win 350, options [nop,nop,TS val 33638498 ecr 33638498], length 403
04:51:30.053042  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 302: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [P.], seq 289:523, ack 855, win 359, options [nop,nop,TS val 33638498 ecr 33638498], length 234
04:51:30.092217  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 79: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [P.], seq 855:866, ack 523, win 359, options [nop,nop,TS val 33638507 ecr 33638498], length 11
04:51:30.092377  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 73: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [P.], seq 523:528, ack 866, win 359, options [nop,nop,TS val 33638508 ecr 33638507], length 5
04:51:30.092404  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [F.], seq 528, ack 866, win 359, options [nop,nop,TS val 33638508 ecr 33638507], length 0
04:51:30.092427  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [F.], seq 866, ack 529, win 359, options [nop,nop,TS val 33638508 ecr 33638508], length 0
04:51:30.092446  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [.], ack 867, win 359, options [nop,nop,TS val 33638508 ecr 33638508], length 0

04:32:38.264052  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 76: 192.168.0.10.46454 > 127.0.0.1.3306: Flags [S], seq 344014396, win 43690, options [mss 65495,sackOK,TS val 33355550 ecr 0,nop,wscale 7], length 0
04:32:38.264072  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 76: 127.0.0.1.3306 > 127.0.0.1.46454: Flags [S.], seq 1406967667, ack 344014397, win 43690, options [mss 65495,sackOK,TS val 33355550 ecr 33355550,nop,wscale 7], length 0
04:32:38.264086  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 192.168.0.10.46454 > 127.0.0.1.3306: Flags [.], ack 1406967668, win 342, options [nop,nop,TS val 33355550 ecr 33355550], length 0
04:32:38.264337  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 141: 127.0.0.1.3306 > 127.0.0.1.46454: Flags [P.], seq 1:74, ack 1, win 342, options [nop,nop,TS val 33355551 ecr 33355550], length 73
04:32:38.264388  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.3306 > 127.0.0.1.46454: Flags [F.], seq 74, ack 1, win 342, options [nop,nop,TS val 33355551 ecr 33355550], length 0
04:32:38.264450  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 192.168.0.10.46454 > 127.0.0.1.3306: Flags [.], ack 74, win 342, options [nop,nop,TS val 33355551 ecr 33355551], length 0
04:32:38.264488  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 192.168.0.10.46454 > 127.0.0.1.3306: Flags [F.], seq 0, ack 75, win 342, options [nop,nop,TS val 33355551 ecr 33355551], length 0
04:32:38.264506  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.3306 > 127.0.0.1.46454: Flags [.], ack 2, win 342, options [nop,nop,TS val 33355551 ecr 33355551], length 0

因此,我的設置出了問題,我不太確定如何使用 iptables 規則實現穩定的、經過 NAT 的轉發設置。

所以我的問題是:是什麼導致了這個問題,我該如何解決?

謝謝。

我不清楚您是在單宿主機還是雙宿主機上執行此操作。您沒有在iptables規則中指定任何介面,這讓我感到困惑。

在我看來,iptables -t nat -A POSTROUTING -j MASQUERADE規則是你的罪魁禍首。這將導致所有介面上的傳出流量被 SNAT 到介面的 IP 地址。我不認為你想要那個。您應該將該規則上的面向 Internet 的介面指定為-o介面。

引用自:https://serverfault.com/questions/570527