I am trying to set up an IPCOP router, but I cannot reach the WAN from the LAN, while access from the WAN to the LAN works fine. Example:
WAN IP from IPCOP 192.168.1.130/26
WAN IP aliases from IPCOP 192.168.1.131 ... 190 /26
WAN IP from Gateway for IPCOP 192.168.1.129/26
LAN IP from IPCOP 10.1.1.1/24
When I log in to IPCOP, I can reach the WAN. On a client on the LAN side, I can ping 10.1.1.1 and 192.168.1.130 but cannot reach 192.168.1.129, although it is reachable from IPCOP.
#route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.128 0.0.0.0 255.255.255.192 U 0 0 0 eth1
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.1.129 0.0.0.0 UG 0 0 0 eth1
iptables listing
# iptables -L -n -v
Chain BADTCP (2 references)
pkts bytes target prot opt in out source destination
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
3558 180K NEWNOTSYN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW
Chain CUSTOMFORWARD (1 references)
pkts bytes target prot opt in out source destination
Chain CUSTOMINPUT (1 references)
pkts bytes target prot opt in out source destination
Chain CUSTOMOUTPUT (1 references)
pkts bytes target prot opt in out source destination
Chain DHCPBLUEINPUT (1 references)
pkts bytes target prot opt in out source destination
Chain DMZHOLES (0 references)
pkts bytes target prot opt in out source destination
Chain GUIINPUT (1 references)
pkts bytes target prot opt in out source destination
52 2654 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
Chain INPUT (policy DROP 3216 packets, 183K bytes)
pkts bytes target prot opt in out source destination
22827 2000K ipac~o all -- * * 0.0.0.0/0 0.0.0.0/0
22829 2002K BADTCP all -- * * 0.0.0.0/0 0.0.0.0/0
22573 1991K CUSTOMINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
22573 1991K GUIINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
14580 962K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7941 1026K IPSECVIRTUAL all -- * * 0.0.0.0/0 0.0.0.0/0
7941 1026K OPENSSLVIRTUAL all -- * * 0.0.0.0/0 0.0.0.0/0
11 721 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0 state NEW
0 0 DROP all -- * * 0.0.0.0/0 127.0.0.0/8 state NEW
4685 841K ACCEPT !icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
3245 184K DHCPBLUEINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
3245 184K IPSECPHYSICAL all -- * * 0.0.0.0/0 0.0.0.0/0
3245 184K OPENSSLPHYSICAL all -- * * 0.0.0.0/0 0.0.0.0/0
3228 183K WIRELESSINPUT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
3245 184K REDINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
3228 183K XTACCESS all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
729 47962 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `INPUT '
Chain FORWARD (policy DROP 373 packets, 23367 bytes)
pkts bytes target prot opt in out source destination
5526K 2592M ipac~fi all -- * * 0.0.0.0/0 0.0.0.0/0
5526K 2592M ipac~fo all -- * * 0.0.0.0/0 0.0.0.0/0
5526K 2592M BADTCP all -- * * 0.0.0.0/0 0.0.0.0/0
23140 1201K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
5522K 2592M CUSTOMFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
2720K 2151M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2802K 441M IPSECVIRTUAL all -- * * 0.0.0.0/0 0.0.0.0/0
2802K 441M OPENSSLVIRTUAL all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0 state NEW
0 0 DROP all -- * * 0.0.0.0/0 127.0.0.0/8 state NEW
2478K 359M ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
325K 82M WIRELESSFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
325K 82M REDFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
325K 82M PORTFWACCESS all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
287 19179 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `OUTPUT '
Chain IPSECPHYSICAL (1 references)
pkts bytes target prot opt in out source destination
Chain IPSECVIRTUAL (2 references)
pkts bytes target prot opt in out source destination
Chain LOG_DROP (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOG_REJECT (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain NEWNOTSYN (1 references)
pkts bytes target prot opt in out source destination
2927 143K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `NEW not SYN? '
3558 180K DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OPENSSLPHYSICAL (1 references)
pkts bytes target prot opt in out source destination
Chain OPENSSLVIRTUAL (2 references)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 23244 packets, 11M bytes)
pkts bytes target prot opt in out source destination
23240 11M ipac~i all -- * * 0.0.0.0/0 0.0.0.0/0
23244 11M CUSTOMOUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain PORTFWACCESS (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 10.1.1.6 tcp dpt:5071
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 10.1.1.6 udp dpts:6000:10000
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 10.1.1.6 tcp dpt:4430
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 10.1.1.6 tcp dpt:4433
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 10.1.1.173 tcp dpt:443
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 10.1.1.173 udp dpt:623
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 10.1.1.182 tcp dpt:3389
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 10.1.1.182 tcp dpt:3389
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 10.1.1.182 tcp dpt:3389
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 10.1.1.182 tcp dpt:3389
(something else)
Chain PSCAN (5 references)
pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `TCP Scan? '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `UDP Scan? '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `ICMP Scan? '
0 0 LOG all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `FRAG Scan? '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain REDFORWARD (1 references)
pkts bytes target prot opt in out source destination
Chain REDINPUT (1 references)
pkts bytes target prot opt in out source destination
Chain WIRELESSFORWARD (1 references)
pkts bytes target prot opt in out source destination
Chain WIRELESSINPUT (1 references)
pkts bytes target prot opt in out source destination
Chain XTACCESS (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- eth1 * 212.zz.xx.xy 192.168.1.130 tcp dpt:445
0 0 ACCEPT tcp -- eth1 * 62.zz.xx.xy 192.168.1.130 tcp dpt:445
0 0 ACCEPT tcp -- eth1 * 88.zz.xx.xy 192.168.1.130 tcp dpt:445
1 60 ACCEPT tcp -- eth1 * 80.zz.xx.xy 192.168.1.130 tcp dpt:222
1 60 ACCEPT tcp -- eth1 * 212.zz.xx.xy 192.168.1.130 tcp dpt:222
0 0 ACCEPT tcp -- eth1 * 87.zz.xx.xy 192.168.1.130 tcp dpt:445
0 0 ACCEPT tcp -- eth1 * 87.zz.xx.xy 192.168.1.130 tcp dpt:222
27 1620 ACCEPT tcp -- eth1 * 80.zz.xx.xy 192.168.1.130 tcp dpt:445
Chain ipac~fi (1 references)
pkts bytes target prot opt in out source destination
21846 14M all -- eth0 * 0.0.0.0/0 0.0.0.0/0
5511 1324K all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain ipac~fo (1 references)
pkts bytes target prot opt in out source destination
15836 10M all -- * eth0 0.0.0.0/0 0.0.0.0/0
11521 5209K all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain ipac~i (1 references)
pkts bytes target prot opt in out source destination
20 2345 all -- * eth0 0.0.0.0/0 0.0.0.0/0
29 2640 all -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain ipac~o (1 references)
pkts bytes target prot opt in out source destination
39 5686 all -- eth0 * 0.0.0.0/0 0.0.0.0/0
46 3751 all -- eth1 * 0.0.0.0/0 0.0.0.0/0
and NAT
# iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 63218 packets, 5849K bytes)
pkts bytes target prot opt in out source destination
34800 3007K CUSTOMPREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
34800 3007K SQUID all -- * * 0.0.0.0/0 0.0.0.0/0
34800 3007K PORTFW all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 12692 packets, 740K bytes)
pkts bytes target prot opt in out source destination
26033 2434K CUSTOMPOSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0
26033 2434K REDNAT all -- * * 0.0.0.0/0 0.0.0.0/0
214 11128 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x1 to:10.1.1.1
0 0 SNAT all -- * eth1 10.1.1.6 0.0.0.0/0 to:192.168.1.184
0 0 SNAT all -- * eth1 10.1.1.190 0.0.0.0/0 to:192.168.1.180
19137 2022K SNAT all -- * eth1 10.1.1.0/24 0.0.0.0/0 to:213.83.2.14
Chain OUTPUT (policy ACCEPT 1934 packets, 136K bytes)
pkts bytes target prot opt in out source destination
Chain CUSTOMPOSTROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain CUSTOMPREROUTING (1 references)
pkts bytes target prot opt in out source destination
Chain PORTFW (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.134 tcp dpt:25000 to:10.1.1.134:25000
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.135 tcp dpt:25000 to:10.1.1.135:25000
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.133 tcp dpt:5900 to:10.1.1.133:5900
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.134 tcp dpt:5900 to:10.1.1.134:5900
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.135 tcp dpt:5900 to:10.1.1.135:5900
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.133 tcp dpt:25000 to:10.1.1.133:25000
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.133 tcp dpt:12489 to:10.1.1.133:12489
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.134 tcp dpt:12489 to:10.1.1.134:12489
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.135 tcp dpt:12489 to:10.1.1.135:12489
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.190 tcp dpt:5900 to:10.1.1.192:5900
3 144 DNAT tcp -- * * 0.0.0.0/0 192.168.1.134 tcp dpt:443 to:10.1.1.134:443
3 144 DNAT tcp -- * * 0.0.0.0/0 192.168.1.163 tcp dpt:443 to:10.1.1.163:443
0 0 DNAT udp -- * * 0.0.0.0/0 192.168.1.134 udp dpt:123 to:10.1.1.134:123
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.134 tcp dpt:123 to:10.1.1.134:123
3 144 DNAT tcp -- * * 0.0.0.0/0 192.168.1.170 tcp dpt:443 to:10.1.1.170:443
0 0 DNAT udp -- * * 0.0.0.0/0 192.168.1.135 udp dpt:123 to:10.1.1.135:123
0 0 DNAT udp -- * * 0.0.0.0/0 192.168.1.133 udp dpt:123 to:10.1.1.133:123
11 628 DNAT tcp -- * * 0.0.0.0/0 192.168.1.150 tcp dpt:80 to:10.1.1.150:80
1 52 DNAT tcp -- * * 0.0.0.0/0 192.168.1.150 tcp dpt:443 to:10.1.1.150:443
3 1309 DNAT udp -- * * 0.0.0.0/0 192.168.1.150 udp dpts:1024:65535 to:10.1.1.150:1024-65535
71 3064 DNAT tcp -- * * 0.0.0.0/0 192.168.1.150 tcp dpts:1024:65535 to:10.1.1.150:1024-65535
2 120 DNAT tcp -- * * 0.0.0.0/0 192.168.1.134 tcp dpt:22 to:10.1.1.134:22
3 144 DNAT tcp -- * * 0.0.0.0/0 192.168.1.164 tcp dpt:443 to:10.1.1.164:443
0 0 DNAT udp -- * * 0.0.0.0/0 192.168.1.150 udp dpts:135:139 to:10.1.1.150:135-139
2 96 DNAT tcp -- * * 0.0.0.0/0 192.168.1.150 tcp dpt:139 to:10.1.1.150:139
3 144 DNAT tcp -- * * 0.0.0.0/0 192.168.1.165 tcp dpt:443 to:10.1.1.165:443
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.135 tcp dpt:5666 to:10.1.1.135:5666
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.133 tcp dpt:5666 to:10.1.1.133:5666
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.134 tcp dpt:5666 to:10.1.1.134:5666
3 967 DNAT udp -- * * 0.0.0.0/0 192.168.1.140 udp dpts:1024:65535 to:10.1.1.10:1024-65535
5250 302K DNAT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:80 to:10.1.1.150:80
74 3256 DNAT tcp -- * * 0.0.0.0/0 192.168.1.131 tcp dpts:1024:65535 to:10.1.1.101:1024-65535
2 870 DNAT udp -- * * 0.0.0.0/0 192.168.1.131 udp dpts:1024:65535 to:10.1.1.101:1024-65535
78 3492 DNAT tcp -- * * 0.0.0.0/0 192.168.1.132 tcp dpts:1024:65535 to:10.1.1.102:1024-65535
3 1275 DNAT udp -- * * 0.0.0.0/0 192.168.1.132 udp dpts:1024:65535 to:10.1.1.102:1024-65535
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.180 tcp dpt:22 to:10.1.1.190:22
0 0 DNAT udp -- * * 0.0.0.0/0 192.168.1.180 udp dpt:22 to:10.1.1.190:22
11 628 DNAT tcp -- * * 0.0.0.0/0 192.168.1.141 tcp dpt:80 to:10.1.1.150:80
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:21 to:10.1.1.10:21
3 144 DNAT tcp -- * * 0.0.0.0/0 192.168.1.161 tcp dpt:443 to:10.1.1.172:443
4 188 DNAT tcp -- * * 0.0.0.0/0 192.168.1.180 tcp dpt:80 to:10.1.1.190:80
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.180 tcp dpt:21 to:10.1.1.190:21
5 200 DNAT tcp -- * * 0.0.0.0/0 192.168.1.180 tcp dpt:3306 to:10.1.1.190:3306
5 212 DNAT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:3389 to:10.1.1.10:3389
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:5900 to:10.1.1.10:5900
1 60 DNAT tcp -- * * 0.0.0.0/0 192.168.1.181 tcp dpt:22 to:10.1.1.191:22
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:25000 to:10.1.1.10:25000
2 96 DNAT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:139 to:10.1.1.10:139
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:514 to:10.1.1.10:514
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:25 to:10.1.1.10:25
9 440 DNAT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:445 to:10.1.1.10:445
5 240 DNAT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpts:81:138 to:10.1.1.10:81-138
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:8051 to:10.1.1.10:8051
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:8161 to:10.1.1.10:8161
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:61616 to:10.1.1.10:61616
3 144 DNAT tcp -- * * 0.0.0.0/0 192.168.1.171 tcp dpt:443 to:10.1.1.181:443
38 1848 DNAT tcp -- * * 0.0.0.0/0 192.168.1.141 tcp dpt:443 to:10.1.1.150:444
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:5666 to:10.1.1.10:5666
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.139 tcp dpt:5666 to:10.1.1.110:5666
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:12489 to:10.1.1.10:12489
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.139 tcp dpt:12489 to:10.1.1.110:12489
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.139 tcp dpt:5900 to:10.1.1.110:5900
301 15184 DNAT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:1433 to:10.1.1.10:1433
2 120 DNAT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:22 to:10.1.1.10:22
93 4840 DNAT tcp -- * * 0.0.0.0/0 192.168.1.140 tcp dpt:443 to:10.1.1.150:443
3 144 DNAT tcp -- * * 0.0.0.0/0 192.168.1.172 tcp dpt:443 to:10.1.1.180:443
3 1314 DNAT udp -- * * 0.0.0.0/0 192.168.1.183 udp dpt:5060 to:10.1.1.5:5060
0 0 DNAT udp -- * * 0.0.0.0/0 192.168.1.183 udp dpts:10000:65000 to:10.1.1.5:10000-65000
2 120 DNAT tcp -- * * 0.0.0.0/0 192.168.1.139 tcp dpt:22 to:10.1.1.110:22
4 160 DNAT tcp -- * * 0.0.0.0/0 192.168.1.139 tcp dpt:3389 to:10.1.1.110:3389
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.184 tcp dpt:5071 to:10.1.1.6:5071
0 0 DNAT udp -- * * 0.0.0.0/0 192.168.1.184 udp dpts:6000:10000 to:10.1.1.6:6000-10000
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.184 tcp dpt:4430 to:10.1.1.6:4430
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.184 tcp dpt:4433 to:10.1.1.6:4433
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.180 tcp dpts:27000:29000 to:10.1.1.190:27000-29000
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.184 tcp dpt:8888 to:10.1.1.6:8888
3 144 DNAT tcp -- * * 0.0.0.0/0 192.168.1.162 tcp dpt:443 to:10.1.1.173:443
0 0 DNAT udp -- * * 0.0.0.0/0 192.168.1.162 udp dpt:623 to:10.1.1.173:623
4 160 DNAT tcp -- * * 0.0.0.0/0 192.168.1.142 tcp dpt:3389 to:10.1.1.182:3389
4 160 DNAT tcp -- * * 0.0.0.0/0 192.168.1.146 tcp dpt:3389 to:10.1.1.182:3389
3 144 DNAT tcp -- * * 0.0.0.0/0 192.168.1.173 tcp dpt:443 to:10.1.1.221:443
3 144 DNAT tcp -- * * 0.0.0.0/0 192.168.1.160 tcp dpt:443 to:10.1.1.210:443
7 352 DNAT tcp -- * * 0.0.0.0/0 192.168.1.138 tcp dpt:3389 to:10.1.1.108:3389
5 212 DNAT tcp -- * * 0.0.0.0/0 192.168.1.137 tcp dpt:3389 to:10.1.1.107:3389
4 160 DNAT tcp -- * * 0.0.0.0/0 192.168.1.136 tcp dpt:3389 to:10.1.1.106:3389
3 144 DNAT tcp -- * * 0.0.0.0/0 192.168.1.168 tcp dpt:443 to:10.1.1.218:443
3 144 DNAT tcp -- * * 0.0.0.0/0 192.168.1.167 tcp dpt:443 to:10.1.1.217:443
3 144 DNAT tcp -- * * 0.0.0.0/0 192.168.1.166 tcp dpt:443 to:10.1.1.216:443
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.136 tcp dpt:5900 to:10.1.1.106:5900
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.137 tcp dpt:5900 to:10.1.1.107:5900
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.138 tcp dpt:5900 to:10.1.1.108:5900
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.150 tcp dpt:873 to:10.1.1.150:873
2 120 DNAT tcp -- * * 0.0.0.0/0 192.168.1.150 tcp dpt:22 to:10.1.1.150:22
46 1912 DNAT tcp -- * * 0.0.0.0/0 192.168.1.146 tcp dpt:1433 to:10.1.1.182:1433
4 160 DNAT tcp -- * * 0.0.0.0/0 192.168.1.181 tcp dpt:3389 to:10.1.1.191:3389
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.166 tcp dpt:23 to:10.1.1.216:23
0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.168 tcp dpt:23 to:10.1.1.218:23
Chain REDNAT (1 references)
pkts bytes target prot opt in out source destination
Chain SQUID (1 references)
pkts bytes target prot opt in out source destination
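Any idea what is wrong with my configuration?
Answer 1
In your NAT configuration, I don't see a MASQUERADE target.
I have no experience with IPCop configuration, and it has been a while since I configured NAT with iptables, but could you try these lines in a shell?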
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
Also check whether
cat /proc/sys/net/ipv4/ip_forward
returns 1. If not, run
echo "1" > /proc/sys/net/ipv4/ip_forward
If it works after running these commands, you will have to check your IPCop configuration to find out how to enable them.
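An added example, not part of the question or the answer: a small audit of the POSTROUTING rows pasted in the question, checking whether any source-NAT rule on the WAN interface covers the whole LAN and whether each rule's `to:` address lies inside the WAN subnet 192.168.1.128/26. The function names `parse_nat_rows` and `audit_egress_nat` are hypothetical; the rows are copied from the listing above.

```python
import ipaddress
import re

# POSTROUTING rows copied from the question's `iptables -L -v -n -t nat` output.
POSTROUTING_ROWS = """\
214 11128 SNAT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x1 to:10.1.1.1
0 0 SNAT all -- * eth1 10.1.1.6 0.0.0.0/0 to:192.168.1.184
0 0 SNAT all -- * eth1 10.1.1.190 0.0.0.0/0 to:192.168.1.180
19137 2022K SNAT all -- * eth1 10.1.1.0/24 0.0.0.0/0 to:213.83.2.14
"""


def parse_nat_rows(text):
    """Yield SNAT/MASQUERADE rows; columns: pkts bytes target prot opt in out source destination."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 9 or cols[2] not in ("SNAT", "MASQUERADE"):
            continue
        to = re.search(r"\bto:(\d+(?:\.\d+){3})", line)
        yield {
            "target": cols[2],
            "out": cols[6],
            "source": ipaddress.ip_network(cols[7], strict=False),
            "to": ipaddress.ip_address(to.group(1)) if to else None,
        }


def audit_egress_nat(text, wan_if, wan_net, lan_net):
    """Return (lan_covered, off_subnet) for source-NAT rules leaving via wan_if.

    lan_covered: some rule on wan_if rewrites the whole LAN network.
    off_subnet:  (source, to) pairs whose SNAT address lies outside wan_net;
                 replies reach the firewall only if the upstream gateway
                 routes that address back to it.
    """
    wan = ipaddress.ip_network(wan_net)
    lan = ipaddress.ip_network(lan_net)
    lan_covered, off_subnet = False, []
    for rule in parse_nat_rows(text):
        if rule["out"] != wan_if:
            continue  # e.g. the MARK-matched rule, which is not bound to eth1
        if lan.subnet_of(rule["source"]):
            lan_covered = True
        if rule["to"] is not None and rule["to"] not in wan:
            off_subnet.append((str(rule["source"]), str(rule["to"])))
    return lan_covered, off_subnet


if __name__ == "__main__":
    print(audit_egress_nat(POSTROUTING_ROWS, "eth1", "192.168.1.128/26", "10.1.1.0/24"))
```

On the rows from the question this reports that a LAN-wide SNAT rule on eth1 exists and that its `to:` address is outside the /26 configured on the WAN interface.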