Port forwarding between bridged interfaces

So I have a bunch of bridged interfaces tied to my main Ethernet device (em1, blame HP). They serve the various LXC containers I run on the server and let me reach those containers easily from other physical devices on the network.

name    id                  STP   interfaces    IP
br0     8000.989096db8b8a   no    em1           10.10.0.2
                                  veth236T4V    10.10.0.15
                                  veth269GNR    10.10.0.16
                                  vethBYBC0Y    10.10.0.17

These all get their IPs from the main network's DHCP (with static leases assigned).

I want to move a service running on the host (em1, 10.10.0.2, ports 9000 and 9001) into the first LXC container. I have done that and can now reach it at 10.10.0.15:9000-9001, but everything else on the network expects to find it at 10.10.0.2:9000-9001.

Traditional iptables port forwarding doesn't seem to work. I have tried:

-A PREROUTING -i em1 -p tcp --dport 9000 -j DNAT --to 10.10.0.15:9000
-A PREROUTING -i em1 -p tcp --dport 9001 -j DNAT --to 10.10.0.15:9001

I have also tried both br0 and em1, but neither works.

In my 3am searching I found a lot of things suggesting I need ebtables, which I had never heard of before. Half the problem seems to be that most people use lxcbrN devices with LXC, but I need external IPs. I'm not sure what I need. The ebtables documentation seems to define the word "port" as something else entirely.

I'm out of my depth here. I can no longer feel the bottom and I'm treading water. Can anybody tell me what exactly is needed to redirect a couple of ports between bridged interfaces?

Answer 1

You can use iptables. Below is a script version of the proposed solution. I don't know what iptables rules you may already have, so some merging work may be required.

#!/bin/sh
FWVER=0.02
#
# test-oli rule set 2016.01.14 Ver:0.02
#     Having tested this on my test server using port 80,
#     convert for what Oli actually wants (which I can not test).
#
# test-oli rule set 2016.01.14 Ver:0.01
#     Port forward when this computer has one nic and
#     is not a router / gateway.
#     In this case the destination is a guest VM on this
#     host but, with bridged networking and all IP addresses
#     from the main LAN, that should not be relevant.
#
#     This script may conflict with other iptables rules on the
#     host, I don't know. On my test server, clobbering the existing
#     iptables rules is O.K. because I do not use the virbr0 stuff,
#     nor the default virtual network,  anyhow.
#
#     References:
#     http://askubuntu.com/questions/720207/port-forwarding-between-bridged-interfaces
#     http://ubuntuforums.org/showthread.php?t=1855192
#     http://www.linuxquestions.org/questions/linux-networking-3/iptables-forwarding-with-one-nic-80009/
#
#     run as sudo
#
echo "test-oli rule set version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

# Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
# Use br0 instead of eth0. While using eth0 seems to work fine, the packet counters
# don't work, so debugging information is better and more complete using br0.
#
#
INTIF="br0"
INTIP="10.10.0.2"
FORIP="10.10.0.15"
UNIVERSE="0.0.0.0/0"

echo " Internal Interface: $INTIF  Internal IP: $INTIP  Forward IP $FORIP"

# CRITICAL:  Enable IP forwarding since it is disabled by default
#
echo Enabling forwarding...
echo "1" > /proc/sys/net/ipv4/ip_forward

# Clearing any previous configuration
#
echo " Clearing any existing rules and setting default policy to ACCEPT.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

# First we change the destination of any incoming traffic for ports 9000 and 9001
#
$IPTABLES -t nat -A PREROUTING -p tcp -i $INTIF --dport 9000 -j DNAT --to-destination $FORIP:9000
$IPTABLES -t nat -A PREROUTING -p tcp -i $INTIF --dport 9001 -j DNAT --to-destination $FORIP:9001

# And then we do the actual forward
# FORWARD rules would only be needed if the default policy is not ACCEPT
# (Shown here for completeness)
#
$IPTABLES -A FORWARD -p tcp -i $INTIF -d $FORIP --dport 9000 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INTIF -d $FORIP --dport 9001 -j ACCEPT

# Now, we need to change the source address, otherwise the reply packets
# would be sent directly to the client, causing confusion.
$IPTABLES -t nat -A POSTROUTING -o $INTIF -j SNAT --to-source $INTIP

echo "test-oli rule set version $FWVER done."
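The script above works, but two of its choices deserve a second look before it goes on a host that already has a firewall: it flushes every existing rule and sets all policies to ACCEPT, and its POSTROUTING rule SNATs everything leaving br0, so the container sees 10.10.0.2 as the source of every forwarded connection, not just the two redirected ports. The following is an added example, not the answer's script or anything from the askubuntu thread. It emits the same DNAT/SNAT idea as an iptables-restore ruleset that can be reviewed first and then merged with `--noflush`, restricts the SNAT to exactly the DNATed flows, and accepts only those flows in FORWARD by matching the conntrack DNAT state. The interface, addresses and ports are taken from the question; the function names and the variable names are this example's own.

```sh
#!/bin/sh
# Added example (not the answer's script): generate an iptables-restore ruleset
# for redirecting 10.10.0.2:9000-9001 to the first LXC container, then apply it
# without flushing whatever rules the host already has.
set -eu

BRIDGE="${BRIDGE:-br0}"          # the host's L3 interface (the answer uses br0, not em1)
HOSTIP="${HOSTIP:-10.10.0.2}"    # the address clients still expect to talk to
GUESTIP="${GUESTIP:-10.10.0.15}" # the first LXC container
PORTS="${PORTS:-9000 9001}"      # ports being moved, space separated

# nat table. The DNAT is matched on the host's own address, so any other
# bridged traffic that happens to pass through PREROUTING is never rewritten.
# The SNAT is restricted to the DNATed flows (destination = guest, same port)
# instead of "-o br0" alone: that is the minimum needed to pull the container's
# replies back through the host's conntrack table, and every other forwarded
# connection keeps its real client address in the container's logs.
gen_nat_rules() {
    echo '*nat'
    for p in $PORTS; do
        echo "-A PREROUTING -i $BRIDGE -d $HOSTIP -p tcp --dport $p -j DNAT --to-destination $GUESTIP:$p"
        echo "-A POSTROUTING -o $BRIDGE -d $GUESTIP -p tcp --dport $p -j SNAT --to-source $HOSTIP"
    done
    echo 'COMMIT'
}

# filter table. Only connections that our DNAT created ("--ctstate DNAT") and
# their replies are accepted, so the FORWARD policy can stay DROP on a host
# that already runs with one; the chain policy itself is not touched here.
gen_filter_rules() {
    echo '*filter'
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $PORTS; do
        echo "-A FORWARD -i $BRIDGE -o $BRIDGE -d $GUESTIP -p tcp --dport $p -m conntrack --ctstate DNAT -j ACCEPT"
    done
    echo 'COMMIT'
}

gen_ruleset() {
    gen_nat_rules
    gen_filter_rules
}

# Number of rules in the nat table that jump to the given target (DNAT or SNAT);
# used as a sanity check that exactly one pair was emitted per port.
count_rules() {
    gen_nat_rules | grep -c -- "-j $1"
}

# Forwarding still has to be on, as in the answer's script. --noflush appends
# to the existing tables instead of replacing them. Run as root.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_ruleset | iptables-restore --noflush
}

case "${1:-print}" in
    apply) apply_ruleset ;;
    *)     gen_ruleset ;;
esac
```

Run it with no arguments to print the ruleset for review (`sh fwd.sh`), and as root with `apply` to load it. After applying, `iptables -t nat -L PREROUTING -n -v` should show the DNAT counters climbing as clients connect to 10.10.0.2:9000, and `conntrack -L -p tcp --dport 9000` (if conntrack-tools is installed) shows each flow with both its original and its rewritten addresses, which is the quickest way to confirm the replies are coming back through the host rather than straight across the bridge.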
