使用 iptables 进行端口转发不起作用

Question 1

我有一个在我的 LAN 上运行的示例，但根据评论，它可能无法解决您的问题。：

来自 192.168.111.122 到 192.168.111.136 的 Web 流量被转发到 192.168.111.1。来自 192.168.111.1 的回复沿相反路径返回 192.168.111.122。后者认为数据包来自 192.168.111.136。

doug@s19:~/iptables/misc$ sudo tcpdump -n -tttt -i br0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
2021-12-19 15:57:47.389745 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [S], seq 1692549099, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2021-12-19 15:57:47.389760 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [S], seq 1692549099, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2021-12-19 15:57:47.390055 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [S.], seq 1478028943, ack 1692549100, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2021-12-19 15:57:47.390062 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [S.], seq 1478028943, ack 1692549100, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2021-12-19 15:57:47.390301 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [.], ack 1, win 1026, length 0
2021-12-19 15:57:47.390306 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [.], ack 1, win 1026, length 0
2021-12-19 15:57:47.396847 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
2021-12-19 15:57:47.396852 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
2021-12-19 15:57:47.397080 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [.], ack 518, win 501, length 0
2021-12-19 15:57:47.397085 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [.], ack 518, win 501, length 0
2021-12-19 15:57:47.400934 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [P.], seq 1:1629, ack 518, win 501, length 1628
2021-12-19 15:57:47.400941 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [.], seq 1:1461, ack 518, win 501, length 1460
2021-12-19 15:57:47.400942 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [P.], seq 1461:1629, ack 518, win 501, length 168

iptables 规则是通过我的测试计算机上的脚本加载的：

doug@s19:~/iptables/misc$ cat ask1382639
#!/bin/sh
FWVER=0.01
#
# ask1382639 Smythies 2021.12.18 Ver:0.01
#       See here:
#       https://askubuntu.com/questions/1382639
#
#       run as sudo on s19.
#
#       Note: These rules might need to be merged with
#       any existing iptables rules set.

echo "Loading ask1382639 rule set version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Smythies (for testing)

EXTIF="br0"
EXTIP="192.168.111.136"
REDIRECTIP="192.168.111.1"
NETWORK="192.168.111.0/24"
UNIVERSE="0.0.0.0/0"

#
# For the actual servers of the question
#
#EXTIF="UNKNOWN"
#EXTIP="10.8.0.6"
#REDIRECTIP="10.8.0.1"
#NETWORK="10.8.0.0/24" ASSUMED, ACTUALLY UNKNOWN
#UNIVERSE="0.0.0.0/0"


#CRITICAL: Enable IP forwarding since it is disabled by default
#
echo Enabling forwarding...
echo "1" > /proc/sys/net/ipv4/ip_forward

# Clearing any previous configuration
# Be careful here. I can do this on s19, but do not know
# about Admia's servers.
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

# First: redirect port 443 traffic to the other server.
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 443 -j DNAT --to $REDIRECTIP

# Second: The desination needs to know what IP address to reply to.
$IPTABLES  -t nat -A POSTROUTING -p tcp -o $EXTIF --dport 443 -d $REDIRECTIP -j SNAT --to $EXTIP

echo ask1382639 rule set version $FWVER done.

和：

doug@s19:~/iptables/misc$ sudo iptables -t nat -xvnL
Chain PREROUTING (policy ACCEPT 177 packets, 13129 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       6      312 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.111.1

Chain INPUT (policy ACCEPT 177 packets, 13129 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 3 packets, 252 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       6      312 SNAT       tcp  --  *      br0     0.0.0.0/0            192.168.111.1        tcp dpt:443 to:192.168.111.136

Chain OUTPUT (policy ACCEPT 3 packets, 252 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Answer

我有一个在我的 LAN 上运行的示例，但根据评论，它可能无法解决您的问题。：

来自 192.168.111.122 到 192.168.111.136 的 Web 流量被转发到 192.168.111.1。来自 192.168.111.1 的回复沿相反路径返回 192.168.111.122。后者认为数据包来自 192.168.111.136。

doug@s19:~/iptables/misc$ sudo tcpdump -n -tttt -i br0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
2021-12-19 15:57:47.389745 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [S], seq 1692549099, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2021-12-19 15:57:47.389760 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [S], seq 1692549099, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2021-12-19 15:57:47.390055 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [S.], seq 1478028943, ack 1692549100, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2021-12-19 15:57:47.390062 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [S.], seq 1478028943, ack 1692549100, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2021-12-19 15:57:47.390301 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [.], ack 1, win 1026, length 0
2021-12-19 15:57:47.390306 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [.], ack 1, win 1026, length 0
2021-12-19 15:57:47.396847 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
2021-12-19 15:57:47.396852 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
2021-12-19 15:57:47.397080 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [.], ack 518, win 501, length 0
2021-12-19 15:57:47.397085 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [.], ack 518, win 501, length 0
2021-12-19 15:57:47.400934 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [P.], seq 1:1629, ack 518, win 501, length 1628
2021-12-19 15:57:47.400941 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [.], seq 1:1461, ack 518, win 501, length 1460
2021-12-19 15:57:47.400942 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [P.], seq 1461:1629, ack 518, win 501, length 168

iptables 规则是通过我的测试计算机上的脚本加载的：

doug@s19:~/iptables/misc$ cat ask1382639
#!/bin/sh
FWVER=0.01
#
# ask1382639 Smythies 2021.12.18 Ver:0.01
#       See here:
#       https://askubuntu.com/questions/1382639
#
#       run as sudo on s19.
#
#       Note: These rules might need to be merged with
#       any existing iptables rules set.

echo "Loading ask1382639 rule set version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Smythies (for testing)

EXTIF="br0"
EXTIP="192.168.111.136"
REDIRECTIP="192.168.111.1"
NETWORK="192.168.111.0/24"
UNIVERSE="0.0.0.0/0"

#
# For the actual servers of the question
#
#EXTIF="UNKNOWN"
#EXTIP="10.8.0.6"
#REDIRECTIP="10.8.0.1"
#NETWORK="10.8.0.0/24" ASSUMED, ACTUALLY UNKNOWN
#UNIVERSE="0.0.0.0/0"


#CRITICAL: Enable IP forwarding since it is disabled by default
#
echo Enabling forwarding...
echo "1" > /proc/sys/net/ipv4/ip_forward

# Clearing any previous configuration
# Be careful here. I can do this on s19, but do not know
# about Admia's servers.
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

# First: redirect port 443 traffic to the other server.
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 443 -j DNAT --to $REDIRECTIP

# Second: The desination needs to know what IP address to reply to.
$IPTABLES  -t nat -A POSTROUTING -p tcp -o $EXTIF --dport 443 -d $REDIRECTIP -j SNAT --to $EXTIP

echo ask1382639 rule set version $FWVER done.

和：

doug@s19:~/iptables/misc$ sudo iptables -t nat -xvnL
Chain PREROUTING (policy ACCEPT 177 packets, 13129 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       6      312 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.111.1

Chain INPUT (policy ACCEPT 177 packets, 13129 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 3 packets, 252 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       6      312 SNAT       tcp  --  *      br0     0.0.0.0/0            192.168.111.1        tcp dpt:443 to:192.168.111.136

Chain OUTPUT (policy ACCEPT 3 packets, 252 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Question 2

就我而言，路由器服务器（在您的情况下是服务器 2）正在使用不同的 IP 地址传送数据包。（例如以外的其他地址10.8.0.1）。

我找到了 IPtcpdump -i eth0 -p 443并将其替换到 iptables 规则中。

Answer

就我而言，路由器服务器（在您的情况下是服务器 2）正在使用不同的 IP 地址传送数据包。（例如以外的其他地址10.8.0.1）。

我找到了 IPtcpdump -i eth0 -p 443并将其替换到 iptables 规则中。

使用 iptables 进行端口转发不起作用

答案1

答案2

相关内容