Trying to forward a local port to another local port 7777 -> 55555
# ufw disable
# iptables -t nat -A PREROUTING -p tcp -i enp58s0f1 --dport 7777 -j DNAT --to-destination 192.168.47.5:3000
# iptables -t nat -A POSTROUTING -o enp58s0f1 -j MASQUERADE
# iptables -A FORWARD -i enp58s0f1 -j ACCEPT
# curl -s -I 192.168.47.5:3000 | head -1
HTTP/1.1 302 Found
# curl 192.168.47.5:7777
curl: (7) Failed to connect to 192.168.47.5 port 7777: Connection refused
# cat /proc/sys/net/ipv4/ip_forward
1
# cat /proc/sys/net/ipv4/conf/enp58s0f1/forwarding
1
I also tried port forwarding in ufw: first I reset the ufw rules, then added the following at the beginning of /etc/ufw/before.rules
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 7777 -j REDIRECT --to-port 3000
COMMIT
Here is the output of iptables-save
# iptables-save
# Generated by iptables-save v1.6.1
*mangle
:PREROUTING ACCEPT [4543:2482113]
:INPUT ACCEPT [4543:2482113]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4711:804006]
:POSTROUTING ACCEPT [4781:811782]
COMMIT
# Generated by iptables-save v1.6.1
*nat
:PREROUTING ACCEPT [85:23165]
:INPUT ACCEPT [85:23165]
:OUTPUT ACCEPT [183:37649]
:POSTROUTING ACCEPT [80:5380]
-A PREROUTING -i enp58s0f1 -p tcp -m tcp --dport 7777 -j DNAT --to-destination 192.168.47.5:3000
-A POSTROUTING -o enp58s0f1 -j MASQUERADE
COMMIT
# Generated by iptables-save v1.6.1
*filter
:INPUT ACCEPT [2058:1070158]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1937:450137]
-A FORWARD -i enp58s0f1 -j ACCEPT
COMMIT
Answer 1
The iptables REDIRECT target is the appropriate method for port forwarding on the same machine:
sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.47.5 --dport 7777 -j REDIRECT --to-port 3000
As a demonstration and verification example, I'll use a computer at 192.168.111.122 and redirect port 7777 to port 22, where I already have sshd listening. So (note that I added a network interface qualifier):
sudo iptables -t nat -A PREROUTING -i enp3s0 -p tcp -d 192.168.111.122 --dport 7777 -j REDIRECT --to-port 22
Now I check it from another computer at 192.168.111.1 (note: not really trying to telnet, just checking that it can connect):
doug@DOUG-64:~$ telnet 192.168.111.122 7777
Trying 192.168.111.122...
Connected to 192.168.111.122.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.1p1 Ubuntu-5
Invalid SSH identification string.
Connection closed by foreign host.
doug@DOUG-64:~$
OK, looks good; try ssh:
doug@DOUG-64:~$ ssh -p 7777 192.168.111.122
doug@192.168.111.122's password:
Welcome to Ubuntu Focal Fossa (development branch) (GNU/Linux 5.5.0-rc6-stock x86_64)
... a bunch deleted ...
Last login: Fri Feb 7 15:32:45 2020 from 192.168.111.1
doug@s18:~$
doug@s18:~$ logout
Connection to 192.168.111.122 closed.
doug@DOUG-64:~$
The communication can also be examined at the packet level with a tcpdump (or wireshark, if you prefer) session on 192.168.111.122:
doug@s18:~/temp-git-git$ sudo tcpdump -n -nn -tttt -i enp3s0 port 7777
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp3s0, link-type EN10MB (Ethernet), capture size 262144 bytes
2020-02-07 15:37:16.480311 IP 192.168.111.1.45918 > 192.168.111.122.7777: Flags [S], seq 494277163, win 29200, options [mss 1460,sackOK,TS val 349415894 ecr 0,nop,wscale 7], length 0
2020-02-07 15:37:16.480329 IP 192.168.111.122.7777 > 192.168.111.1.45918: Flags [S.], seq 2825406220, ack 494277164, win 65160, options [mss 1460,sackOK,TS val 2718854230 ecr 349415894,nop,wscale 7], length 0
2020-02-07 15:37:16.480600 IP 192.168.111.1.45918 > 192.168.111.122.7777: Flags [.], ack 1, win 229, options [nop,nop,TS val 349415894 ecr 2718854230], length 0
2020-02-07 15:37:16.486525 IP 192.168.111.122.7777 > 192.168.111.1.45918: Flags [P.], seq 1:33, ack 1, win 510, options [nop,nop,TS val 2718854236 ecr 349415894], length 32
2020-02-07 15:37:16.486668 IP 192.168.111.1.45918 > 192.168.111.122.7777: Flags [.], ack 33, win 229, options [nop,nop,TS val 349415896 ecr 2718854236], length 0
2020-02-07 15:37:18.016165 IP 192.168.111.1.45918 > 192.168.111.122.7777: Flags [P.], seq 1:3, ack 33, win 229, options [nop,nop,TS val 349416278 ecr 2718854236], length 2
2020-02-07 15:37:18.016175 IP 192.168.111.122.7777 > 192.168.111.1.45918: Flags [.], ack 3, win 510, options [nop,nop,TS val 2718855766 ecr 349416278], length 0
2020-02-07 15:37:18.016262 IP 192.168.111.122.7777 > 192.168.111.1.45918: Flags [P.], seq 33:67, ack 3, win 510, options [nop,nop,TS val 2718855766 ecr 349416278], length 34
2020-02-07 15:37:18.016408 IP 192.168.111.122.7777 > 192.168.111.1.45918: Flags [FP.], seq 67:69, ack 3, win 510, options [nop,nop,TS val 2718855766 ecr 349416278], length 2
2020-02-07 15:37:18.016428 IP 192.168.111.1.45918 > 192.168.111.122.7777: Flags [.], ack 67, win 229, options [nop,nop,TS val 349416278 ecr 2718855766], length 0
2020-02-07 15:37:18.016589 IP 192.168.111.1.45918 > 192.168.111.122.7777: Flags [F.], seq 3, ack 70, win 229, options [nop,nop,TS val 349416278 ecr 2718855766], length 0
2020-02-07 15:37:18.016600 IP 192.168.111.122.7777 > 192.168.111.1.45918: Flags [.], ack 4, win 510, options [nop,nop,TS val 2718855766 ecr 349416278], length 0
12 packets captured
12 packets received by filter
0 packets dropped by kernel
doug@s18:~/temp-git-git$ sudo iptables -t nat -v -x -n -L
Chain PREROUTING (policy ACCEPT 38 packets, 4409 bytes)
pkts bytes target prot opt in out source destination
4 240 REDIRECT tcp -- enp3s0 * 0.0.0.0/0 192.168.111.122 tcp dpt:7777 redir ports 22
Chain INPUT (policy ACCEPT 40 packets, 4329 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 228 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 2 packets, 228 bytes)
pkts bytes target prot opt in out source destination
doug@s18:~/temp-git-git$
The packet counters are very useful. Note that the PREROUTING path is only traversed once per connection (by the time I ran the above command, I had traversed it 4 times).
If you make a mistake and need to delete the rules and start over, do:
sudo iptables -t nat -F
to clear the nat table rules. This answer may need to be incorporated into a larger iptables rule set or UFW context.
EDIT: Oh, by the way:
doug@s18:~/temp-git-git$ grep . /proc/sys/net/ipv4/conf/*/forwarding
/proc/sys/net/ipv4/conf/all/forwarding:0
/proc/sys/net/ipv4/conf/default/forwarding:0
/proc/sys/net/ipv4/conf/enp3s0/forwarding:0
/proc/sys/net/ipv4/conf/lo/forwarding:0
doug@s18:~/temp-git-git$ grep . /proc/sys/net/ipv4/ip_forward
0
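Two things in the answer above are worth automating when you verify a same-host redirect: reading the REDIRECT rule and its hit counter out of `iptables -t nat -v -x -n -L`, and spotting the question's original mistake, a PREROUTING DNAT whose --to-destination is one of the host's own addresses, which REDIRECT handles correctly. The script below is an added example and is not code from the question or the answer; the listing and iptables-save text it parses are constructed samples in the same format as the output shown above, and `local_ips` is an assumed input (the addresses you know belong to the host).

```python
import re

# Constructed sample in the format of `iptables -t nat -v -x -n -L`
# (modelled on the answer's listing; the numbers are made up).
SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 38 packets, 4409 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       4        240 REDIRECT   tcp  --  enp3s0 *       0.0.0.0/0            192.168.111.122      tcp dpt:7777 redir ports 22
Chain INPUT (policy ACCEPT 40 packets, 4329 bytes)
    pkts      bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 2 packets, 228 bytes)
    pkts      bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 2 packets, 228 bytes)
    pkts      bytes target     prot opt in     out     source               destination
"""

# Constructed sample in `iptables-save` format reproducing the question's
# rule set: a DNAT to the host's own address where REDIRECT was wanted.
SAMPLE_SAVE = """\
*nat
:PREROUTING ACCEPT [85:23165]
:INPUT ACCEPT [85:23165]
:OUTPUT ACCEPT [183:37649]
:POSTROUTING ACCEPT [80:5380]
-A PREROUTING -i enp58s0f1 -p tcp -m tcp --dport 7777 -j DNAT --to-destination 192.168.47.5:3000
-A POSTROUTING -o enp58s0f1 -j MASQUERADE
COMMIT
"""


def parse_nat_listing(text):
    """Parse `iptables -t nat -v -x -n -L` output into {chain: [rule, ...]}.

    Each rule is a dict with the fixed columns (pkts, bytes, target, prot,
    in, out, src, dst) plus 'extra' holding the match/target details.
    """
    chains = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        parts = line.split()
        if not parts or parts[0] == "pkts" or current is None:
            continue  # blank line or column header
        pkts, nbytes, target, prot, opt, if_in, if_out, src, dst = parts[:9]
        chains[current].append({
            "pkts": int(pkts), "bytes": int(nbytes), "target": target,
            "prot": prot, "in": if_in, "out": if_out,
            "src": src, "dst": dst, "extra": " ".join(parts[9:]),
        })
    return chains


def redirect_for_port(chains, dport):
    """Return (redirected_to_port, pkts) for the PREROUTING REDIRECT rule on dport.

    Because only the first packet of each connection traverses the nat
    PREROUTING chain, 'pkts' is effectively the number of redirected connections.
    """
    for rule in chains.get("PREROUTING", []):
        if rule["target"] != "REDIRECT":
            continue
        m = re.search(r"dpt:(\d+) redir ports (\d+)", rule["extra"])
        if m and int(m.group(1)) == dport:
            return int(m.group(2)), rule["pkts"]
    return None


def self_dnat_rules(save_text, local_ips):
    """Return PREROUTING DNAT rules whose --to-destination is a local address."""
    hits = []
    for line in save_text.splitlines():
        if not line.startswith("-A PREROUTING") or " -j DNAT " not in line:
            continue
        m = re.search(r"--to-destination (\S+)", line)
        if m and m.group(1).split(":")[0] in local_ips:
            hits.append(line)
    return hits


def suggest_redirect(dnat_rule):
    """Rewrite a self-targeting DNAT rule as the equivalent REDIRECT command."""
    m = re.search(r"--dport (\d+) -j DNAT --to-destination (\S+):(\d+)", dnat_rule)
    if not m:
        raise ValueError("not a DNAT rule with --dport and ip:port destination")
    dport, ip, to_port = m.groups()
    iface = re.search(r"-i (\S+)", dnat_rule)
    in_opt = f" -i {iface.group(1)}" if iface else ""
    return (f"iptables -t nat -A PREROUTING{in_opt} -p tcp -d {ip} "
            f"--dport {dport} -j REDIRECT --to-port {to_port}")


if __name__ == "__main__":
    chains = parse_nat_listing(SAMPLE_NAT_LISTING)
    print("redirect 7777 ->", redirect_for_port(chains, 7777))
    for rule in self_dnat_rules(SAMPLE_SAVE, {"192.168.47.5"}):
        print("self-DNAT found:", rule)
        print("  use instead:", suggest_redirect(rule))
```

On a live host you would feed `parse_nat_listing` the real output of `sudo iptables -t nat -v -x -n -L` and `self_dnat_rules` the output of `sudo iptables-save`, with `local_ips` taken from `ip -4 addr`. Comparing `pkts` before and after a test connection is the same check the answer makes by hand: a working redirect increments the counter exactly once per new connection.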