I have 2 PCs created with VMware:
1. PC1 (set up as an iptables router):
ens33's IP: 192.168.1.5/24 (network connection is bridged)
ens37's IP: 192.168.2.2/24 (network connection is vmnet9)
2. PC2 (web server):
ens33's IP: 192.168.2.1/24 (network connection is vmnet9)
3. My real PC's IP:
192.168.1.16/24
How can I make my real PC reach the web server by connecting through the iptables router?
I tried:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.5 --dport 80 -j DNAT --to-destination 192.168.2.2:80
iptables -A FORWARD -p tcp -d 192.168.2.2 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.2.2 --sport 80 -j ACCEPT
iptables -A INPUT -p tcp -d 192.168.2.2 --dport 80 -j ACCEPT
But when I connect with Google Chrome I get the alert "This site can't be reached".
My iptables rules:
iptables -v -x -n -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
9 456 ACCEPT tcp -- * * 0.0.0.0/0 192.168.2.2 tcp dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.2.2 tcp dpt:80
0 0 ACCEPT tcp -- * * 192.168.2.2 0.0.0.0/0 tcp spt:80
Chain OUTPUT (policy ACCEPT 9 packets, 360 bytes)
pkts bytes target prot opt in out source destination
--
iptables -t nat -v -x -n -L
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
9 456 DNAT tcp -- * * 0.0.0.0/0 192.168.168.1.5 tcp dpt:80 to:192.168.2.2:80
Chain INPUT (policy ACCEPT 9 packets, 456 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 594 packets, 38555 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 181 packets, 11845 bytes)
pkts bytes target prot opt in out source destination
413 26710 SNAT all -- * ens33 0.0.0.0/0 0.0.0.0/0 to:192.168.1.5
Answer 1
You haven't provided a return path. You need:
iptables -t nat -A POSTROUTING -o ens33 -j SNAT --to 192.168.1.5
I think this is just a typo in your PREROUTING line, but I would do it this way anyway:
iptables -t nat -A PREROUTING -p tcp -i ens33 --dport 80 -j DNAT --to-destination 192.168.2.2:80
If your FORWARD chain's default policy is ACCEPT, then you don't need those rules. You also don't need the INPUT chain rule.
Answer 2
I succeeded using the commands:
iptables -A PREROUTING -t nat -p tcp -d 192.168.1.5 --dport 80 -j DNAT --to-destination 192.168.2.1
iptables -A POSTROUTING -t nat -o ens37 -j MASQUERADE
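As an added example (not the OP's or either answer's code), here is the complete rule set the two answers converge on, with the FORWARD chain default set to DROP so only the forwarded port is allowed and conntrack admits the replies. Interface names and addresses are assumed from the question (router ens33 192.168.1.5, ens37 192.168.2.2, web server 192.168.2.1); setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: DNAT port forward for the VMware lab in the question.
# Assumed layout (from the question):
#   PC1 router: ens33 192.168.1.5/24 (bridged), ens37 192.168.2.2/24 (vmnet9)
#   PC2 web:    ens33 192.168.2.1/24
# IPT=echo ./forward.sh does a dry run and only prints the iptables arguments.
set -eu

WAN_IF=${WAN_IF:-ens33}
LAN_IF=${LAN_IF:-ens37}
ROUTER_WAN=${ROUTER_WAN:-192.168.1.5}
WEB=${WEB:-192.168.2.1}
IPT=${IPT:-iptables}

apply_forwarding() {
  # Routing must be enabled or DNATed packets never reach the FORWARD chain.
  [ "$IPT" = "echo" ] || sysctl -w net.ipv4.ip_forward=1

  # Deny forwarded traffic by default, then start from empty chains.
  $IPT -P FORWARD DROP
  $IPT -F FORWARD
  $IPT -t nat -F PREROUTING
  $IPT -t nat -F POSTROUTING

  # HTTP arriving on the bridged side for the router's address goes to PC2.
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$ROUTER_WAN" --dport 80 \
       -j DNAT --to-destination "$WEB":80

  # Replies/related packets pass; only NEW HTTP connections to PC2 are allowed.
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB" --dport 80 \
       -m conntrack --ctstate NEW -j ACCEPT

  # Return path: rewrite the source toward PC2 so it answers via the router
  # even without a default route to 192.168.2.2. Trade-off: PC2's access log
  # then shows 192.168.2.2 instead of the real client address.
  $IPT -t nat -A POSTROUTING -o "$LAN_IF" -d "$WEB" -p tcp --dport 80 -j MASQUERADE
}

# Self-check helper: number of -A rules the dry run would install.
count_rules() {
  ( IPT=echo; apply_forwarding ) | grep -c -- '-A '
}
```

Without the MASQUERADE rule the same set works as long as PC2's default gateway is 192.168.2.2, and PC2 then sees the real client IP.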