Ubuntu as a NAT gateway with iptables
I am trying to configure Ubuntu 14.04 to act as a NAT gateway between a private network and a public network.

- Public interface -> eth0 (178.x.x.x)
- Private interface -> eth0:0 (192.168.206.190/17)

I have tried many combinations of iptables rules, but I cannot get traffic routed out. I have confirmed that the gateway can see the Internet, that hosts on the private network can see the gateway, and that their default gateway is set correctly. `net.ipv4.ip_forward=1` is set in sysctl. My iptables rules are below. I have very little iptables experience, so it is quite likely I have missed something.

```
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*security
:INPUT ACCEPT [215:14912]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [133:16208]
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*raw
:PREROUTING ACCEPT [215:14912]
:OUTPUT ACCEPT [133:16208]
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*nat
:PREROUTING ACCEPT [3:132]
:INPUT ACCEPT [3:132]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*mangle
:PREROUTING ACCEPT [215:14912]
:INPUT ACCEPT [215:14912]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [133:16208]
:POSTROUTING ACCEPT [133:16208]
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*filter
:INPUT ACCEPT [46:3296]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28:3484]
-A FORWARD -i eth0:0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0:0 -j ACCEPT
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
```
```
iptables -L -v
Chain INPUT (policy ACCEPT 15 packets, 1044 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0:0 eth0    anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0:0  anywhere             anywhere

Chain OUTPUT (policy ACCEPT 10 packets, 1016 bytes)
 pkts bytes target     prot opt in     out     source               destination
```
Here is the configuration of a host on the private network:

```
netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         nat             0.0.0.0         UG        0 0          0 eth0
192.168.128.0   *               255.255.128.0   U         0 0          0 eth0
```
Pinging 'nat' confirms that the host can see 'nat':

```
ping nat
PING nat (192.168.206.190) 56(84) bytes of data.
64 bytes from nat (192.168.206.190): icmp_seq=1 ttl=64 time=0.359 ms
```
Pinging 8.8.8.8 shows that no traffic is being routed:

```
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
```
The provider (Linode) filters traffic by IP address at the hypervisor/network level, so traffic carrying a public IP address simply does not traverse the private network. I have since changed providers, and NAT works fine.
I think the problem is with this rule:

```
-A FORWARD -i eth0:0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
```

You have to swap the positions of the interfaces:

```
-A FORWARD -i eth0 -o eth0:0 -m state --state RELATED,ESTABLISHED -j ACCEPT
```
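As an added example (not code from the question or either answer), here is a generator for a default-deny version of the gateway ruleset discussed above: FORWARD policy DROP, MASQUERADE limited to the private prefix, NEW connections allowed only from the private side, and a rate-limited log of what gets dropped. It assumes a dedicated private interface (eth1 here) rather than the eth0:0 alias, since netfilter matches on kernel devices and an ifconfig alias is not one; the prefix 192.168.128.0/17 is taken from the netstat output in the question.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a NAT gateway.
# Assumptions (not from the question): PRIV_IF is a real interface such
# as eth1, and PRIV_NET is the private prefix (192.168.128.0/17 here).
nat_rules() {
  pub_if="$1"; priv_if="$2"; priv_net="$3"
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only rewrite the source of packets that really came from the private prefix
-A POSTROUTING -s $priv_net -o $pub_if -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Private -> public: hosts on the private side may open new connections
-A FORWARD -i $priv_if -o $pub_if -s $priv_net -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Public -> private: only replies to connections the private side opened
-A FORWARD -i $pub_if -o $priv_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Everything else is logged (rate-limited) and then falls to the DROP policy
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Sanity check on a generated ruleset: FORWARD must be default-deny and the
# public->private rule must never admit NEW connections. Returns 0 if sound.
nat_rules_sound() {
  rules=$(nat_rules "$@")
  printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
  printf '%s\n' "$rules" | grep -- "^-A FORWARD -i $1 -o $2 " | grep -q 'NEW' && return 1
  return 0
}

# Apply on the gateway itself (needs root). iptables-restore replaces only
# the nat and filter tables present in the input; other tables are untouched.
apply_gateway() {
  sysctl -w net.ipv4.ip_forward=1
  nat_rules "$@" | iptables-restore
}
```

Run `nat_rules eth0 eth1 192.168.128.0/17` to review the generated rules before `apply_gateway` loads them.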