Port forwarding with iptables does not work


I have two servers:

Server 1 has the IP address 10.8.0.1

Server 2 has the IP address 10.8.0.6

I want server 2 to act as a proxy for a website hosted on server 1. So I used the following commands:

sudo iptables -t nat -A PREROUTING  -p tcp --dport 443 -j DNAT --to-destination 10.8.0.1:443

sudo iptables -t nat -A POSTROUTING -p tcp -d 10.8.0.1 --dport 443 -j SNAT --to-source 10.8.0.6

However, the above setup does not work, because I cannot browse the website. Also, telnet 10.8.0.6 443 produces no output.

Answer 1

I have an example running on my LAN, but based on the comments it may not solve your problem:

Web traffic from 192.168.111.122 to 192.168.111.136 is forwarded to 192.168.111.1. Replies from 192.168.111.1 take the reverse path back to 192.168.111.122. The latter thinks the packets came from 192.168.111.136.

doug@s19:~/iptables/misc$ sudo tcpdump -n -tttt -i br0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
2021-12-19 15:57:47.389745 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [S], seq 1692549099, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2021-12-19 15:57:47.389760 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [S], seq 1692549099, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2021-12-19 15:57:47.390055 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [S.], seq 1478028943, ack 1692549100, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2021-12-19 15:57:47.390062 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [S.], seq 1478028943, ack 1692549100, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2021-12-19 15:57:47.390301 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [.], ack 1, win 1026, length 0
2021-12-19 15:57:47.390306 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [.], ack 1, win 1026, length 0
2021-12-19 15:57:47.396847 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
2021-12-19 15:57:47.396852 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
2021-12-19 15:57:47.397080 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [.], ack 518, win 501, length 0
2021-12-19 15:57:47.397085 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [.], ack 518, win 501, length 0
2021-12-19 15:57:47.400934 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [P.], seq 1:1629, ack 518, win 501, length 1628
2021-12-19 15:57:47.400941 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [.], seq 1:1461, ack 518, win 501, length 1460
2021-12-19 15:57:47.400942 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [P.], seq 1461:1629, ack 518, win 501, length 168

The iptables rules are loaded by a script on my test computer:

doug@s19:~/iptables/misc$ cat ask1382639
#!/bin/sh
FWVER=0.01
#
# ask1382639 Smythies 2021.12.18 Ver:0.01
#       See here:
#       https://askubuntu.com/questions/1382639
#
#       run as sudo on s19.
#
#       Note: These rules might need to be merged with
#       any existing iptables rules set.

echo "Loading ask1382639 rule set version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Smythies (for testing)

EXTIF="br0"
EXTIP="192.168.111.136"
REDIRECTIP="192.168.111.1"
NETWORK="192.168.111.0/24"
UNIVERSE="0.0.0.0/0"

#
# For the actual servers of the question
#
#EXTIF="UNKNOWN"
#EXTIP="10.8.0.6"
#REDIRECTIP="10.8.0.1"
#NETWORK="10.8.0.0/24" ASSUMED, ACTUALLY UNKNOWN
#UNIVERSE="0.0.0.0/0"


#CRITICAL: Enable IP forwarding since it is disabled by default
#
echo Enabling forwarding...
echo "1" > /proc/sys/net/ipv4/ip_forward

# Clearing any previous configuration
# Be careful here. I can do this on s19, but do not know
# about Admia's servers.
#
echo "  Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

# First: redirect port 443 traffic to the other server.
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 443 -j DNAT --to $REDIRECTIP

# Second: The destination needs to know what IP address to reply to.
$IPTABLES  -t nat -A POSTROUTING -p tcp -o $EXTIF --dport 443 -d $REDIRECTIP -j SNAT --to $EXTIP

echo ask1382639 rule set version $FWVER done.

and:

doug@s19:~/iptables/misc$ sudo iptables -t nat -xvnL
Chain PREROUTING (policy ACCEPT 177 packets, 13129 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       6      312 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.111.1

Chain INPUT (policy ACCEPT 177 packets, 13129 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 3 packets, 252 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       6      312 SNAT       tcp  --  *      br0     0.0.0.0/0            192.168.111.1        tcp dpt:443 to:192.168.111.136

Chain OUTPUT (policy ACCEPT 3 packets, 252 bytes)
    pkts      bytes target     prot opt in     out     source               destination
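Reading a capture like the one above by hand is error-prone, so here is an added example (my own code, not part of the answer or of the original page) that parses tcpdump lines and pairs each pre-NAT packet with its post-NAT copy. Those pairs are exactly what the doubled lines on br0 are: the PREROUTING DNAT plus POSTROUTING SNAT rewrite on the way in, and conntrack's reversal of both on the way out. The input is the answer's own capture, plus one constructed two-line sample (not from the page) showing what a DNAT without the matching SNAT looks like, where the forwarded packet keeps the client's source address and the reply would therefore come from an address the client never connected to. The 1628-byte reply at the end of the capture leaves as two segments (1460 + 168 bytes), so those three lines are reported as unmatched rather than as a pair.

```python
import re
from typing import NamedTuple

# Addresses from the answer's test LAN: the forwarding host and the real web server.
EXTIP = "192.168.111.136"      # server 2 in the question
REDIRECTIP = "192.168.111.1"   # server 1 in the question

# The answer's tcpdump capture, copied from the page (not constructed).
CAPTURE = """\
2021-12-19 15:57:47.389745 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [S], seq 1692549099, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2021-12-19 15:57:47.389760 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [S], seq 1692549099, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2021-12-19 15:57:47.390055 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [S.], seq 1478028943, ack 1692549100, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2021-12-19 15:57:47.390062 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [S.], seq 1478028943, ack 1692549100, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2021-12-19 15:57:47.390301 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [.], ack 1, win 1026, length 0
2021-12-19 15:57:47.390306 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [.], ack 1, win 1026, length 0
2021-12-19 15:57:47.396847 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
2021-12-19 15:57:47.396852 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
2021-12-19 15:57:47.397080 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [.], ack 518, win 501, length 0
2021-12-19 15:57:47.397085 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [.], ack 518, win 501, length 0
2021-12-19 15:57:47.400934 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [P.], seq 1:1629, ack 518, win 501, length 1628
2021-12-19 15:57:47.400941 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [.], seq 1:1461, ack 518, win 501, length 1460
2021-12-19 15:57:47.400942 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [P.], seq 1461:1629, ack 518, win 501, length 168
"""

# Constructed sample (not from the page): DNAT applied, SNAT missing. The second
# line still carries the client's source address 192.168.111.122.
DNAT_ONLY = """\
2021-12-19 16:00:00.000000 IP 192.168.111.122.40000 > 192.168.111.136.443: Flags [S], seq 1, win 64240, length 0
2021-12-19 16:00:00.000010 IP 192.168.111.122.40000 > 192.168.111.1.443: Flags [S], seq 1, win 64240, length 0
"""

PACKET_RE = re.compile(
    r"^\S+ \S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\],(?P<rest>.*)$"
)


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    rest: str  # seq/ack/win/options/length: NAT never touches these


def parse(lines):
    """Turn tcpdump text lines into Packet tuples; non-packet lines are skipped."""
    pkts = []
    for line in lines:
        m = PACKET_RE.match(line.strip())
        if m:
            pkts.append(Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                               m["flags"], m["rest"].strip()))
    return pkts


def same_segment(a, b):
    """Two captures of the same TCP segment differ only in IP addresses."""
    return a.flags == b.flags and a.rest == b.rest and a.sport == b.sport and a.dport == b.dport


def audit_nat(text, extip, redirectip):
    """Count pre/post-NAT pairs in a capture taken on the forwarding host."""
    pkts = parse(text.splitlines())
    counts = {"forward": 0, "reply": 0, "dnat_only": 0, "unmatched": 0}
    i = 0
    while i < len(pkts):
        if i + 1 < len(pkts) and same_segment(pkts[i], pkts[i + 1]):
            a, b = pkts[i], pkts[i + 1]
            # client -> EXTIP, then EXTIP -> REDIRECTIP: DNAT and SNAT both applied
            if a.dst == extip and a.src != extip and b.src == extip and b.dst == redirectip:
                counts["forward"] += 1
                i += 2
                continue
            # REDIRECTIP -> EXTIP, then EXTIP -> client: conntrack reversed both rewrites
            if a.src == redirectip and a.dst == extip and b.src == extip and b.dst not in (extip, redirectip):
                counts["reply"] += 1
                i += 2
                continue
            # client -> EXTIP, then client -> REDIRECTIP: SNAT rule missing
            if a.dst == extip and b.dst == redirectip and b.src == a.src:
                counts["dnat_only"] += 1
                i += 2
                continue
        counts["unmatched"] += 1
        i += 1
    return counts


if __name__ == "__main__":
    print("answer's capture:", audit_nat(CAPTURE, EXTIP, REDIRECTIP))
    print("DNAT without SNAT:", audit_nat(DNAT_ONLY, EXTIP, REDIRECTIP))
```

Run it against a fresh capture with your own EXTIP and REDIRECTIP values: a healthy forwarder shows forward and reply pairs and no dnat_only entries; a non-zero dnat_only count is the asymmetric-routing failure where the web server answers the client directly. Forwarded packets that appear only once, with no post-NAT copy at all, point at ip_forward being disabled or the FORWARD chain dropping them.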

Answer 2

In my case, the router server (server 2 in your case) was sending the packets with a different IP address (e.g. an address other than 10.8.0.1).

I found the IP with tcpdump -i eth0 -p 443 and substituted it into the iptables rules.
