iptables 端口轉發
iptables是一款好用的系統工具,本文講下iptables 端口轉發。
我首先運行以下script
#filename gw.sh
PATH=$PATH:/usr/sbin:/sbin
echo "1" >/proc/sys/net/ipv4/ip_forward
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
iptables -F INPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -P FORWARD DROP
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 80 -j DNAT --to 10.0.0.2:80
iptables -A FORWARD -p tcp -d 192.168.1.201 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -j ACCEPT
然后在外部訪問,沒問題。
然后我改了一下這個script:
#filename gw.sh
PATH=$PATH:/usr/sbin:/sbin
echo "1" >/proc/sys/net/ipv4/ip_forward
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
iptables -F INPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -P FORWARD DROP
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 8000 -j DNAT --to 10.0.0.2:80
iptables -A FORWARD -p tcp -d 192.168.1.201 --dport 8000 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -j ACCEPT
#!/bin/sh
PATH=$PATH:/usr/sbin:/sbin
echo "1" >/proc/sys/net/ipv4/ip_forward
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
iptables -F INPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING DROP
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 81 -j DNAT --to 10.0.
0.2:80
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 21 -j DNAT --to 10.0.
0.2:21
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 21 -j ACCEPT
#p#
看一我的規則:
[root@redhat unixboy]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 10.0.0.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere 10.0.0.2 tcp dpt:http
ACCEPT tcp -- anywhere 10.0.0.2 tcp dpt:ftp
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@redhat unixboy]# /sbin/iptables -L -t nat
Chain PREROUTING (policy DROP)
target prot opt source destination
DNAT tcp -- anywhere 192.168.1.201 tcp dpt:81 to:10.0.0.2:80
DNAT tcp -- anywhere 192.168.1.201 tcp dpt:ftp to:10.0.0.2:21
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 10.0.0.0/24 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
通過上面的文章描述,我們找到iptables 端口轉發的問題,并解決了他!希望對你們有用!
【編輯推薦】
