Ubuntu

Ubuntu 作為帶有 iptables 的 NAT 網關

  • April 28, 2016

我正在嘗試將 Ubuntu 14.04 配置為充當私有網路和公共網路之間的 NAT 網關。

  • 公共介面->eth0 (178.x.x.x)
  • 私有介面->eth0:0 (192.168.206.190/17)

我嘗試了許多iptables規則組合,但我無法讓流量路由出去。我已經確認網關可以看到網際網路,私網的主機可以看到網關,並且預設網關設置正確。

net.ipv4.ip_forward=1設置在sysctl.

我的iptables規則如下。我的iptables經驗很少,所以很可能我錯過了一些東西。

# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*security
:INPUT ACCEPT [215:14912]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [133:16208]
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*raw
:PREROUTING ACCEPT [215:14912]
:OUTPUT ACCEPT [133:16208]
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*nat
:PREROUTING ACCEPT [3:132]
:INPUT ACCEPT [3:132]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*mangle
:PREROUTING ACCEPT [215:14912]
:INPUT ACCEPT [215:14912]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [133:16208]
:POSTROUTING ACCEPT [133:16208]
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*filter
:INPUT ACCEPT [46:3296]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28:3484]
-A FORWARD -i eth0:0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0:0 -j ACCEPT
COMMIT
# Completed on Thu Apr 21 12:38:44 2016

iptables -L -v

Chain INPUT (policy ACCEPT 15 packets, 1044 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
   0     0 ACCEPT     all  --  eth0:0 eth0    anywhere             anywhere             state RELATED,ESTABLISHED
   0     0 ACCEPT     all  --  eth0   eth0:0  anywhere             anywhere

Chain OUTPUT (policy ACCEPT 10 packets, 1016 bytes)
pkts bytes target     prot opt in     out     source               destination

這是專用網路上主機的配置:

netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         nat             0.0.0.0         UG        0 0          0 eth0
192.168.128.0   *               255.255.128.0   U         0 0          0 eth0

ping ’nat’ 確認主機可以看到 ’nat’:

ping nat
PING nat (192.168.206.190) 56(84) bytes of data.
64 bytes from nat (192.168.206.190): icmp_seq=1 ttl=64 time=0.359 ms

8.8.8.8 的 ping 顯示沒有流量路由:

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

提供商 (Linode) 在管理程序/網路級別按 IP 地址過濾流量,因此具有公共 IP 地址的流量根本不會穿過專用網路。我現在更改了提供程序,並且 NAT 它工作得很好。

我認為問題出在這條規則上

-A FORWARD -i eth0:0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

您必須更改介面的位置

-A FORWARD -i eth0 -o eth0:0 -m state --state RELATED,ESTABLISHED -j ACCEPT

引用自:https://serverfault.com/questions/771980