iptables forwarding stops working after suspend or reboot

I am trying to forward packets that one PC receives on port 16080 to port 3389 on another PC connected to it over Ethernet, where enp1s0 is the Ethernet interface and 10.42.0.66 is the IP of the connected computer.

To achieve this, I run the following commands:

$ sudo iptables -I FORWARD -o enp1s0 -d 10.42.0.66 -j ACCEPT
$ sudo iptables -t nat -I PREROUTING -p tcp --dport 16080 -j DNAT --to 10.42.0.66:3389
$ sudo iptables -t nat -I PREROUTING -p udp --dport 16080 -j DNAT --to 10.42.0.66:3389

Then I use iptables-persistent to keep these rules across subsequent boots:

# iptables-save > /etc/iptables/rules.v4

The problem is that forwarding stops working not only after rebooting the PC, but even after suspend/sleep. What is really puzzling is that the rules do seem to be there: when I check the output of iptables-save, they are still present. I only need to run the first command again to make forwarding work again.

Here is the output of iptables-save when forwarding works:

$ sudo iptables-save       
# Generated by iptables-save v1.8.7 on Sat Jun 18 13:10:15 2022
*mangle
:PREROUTING ACCEPT [1258645:1807828971]
:INPUT ACCEPT [1245407:1804789136]
:FORWARD ACCEPT [41:3100]
:OUTPUT ACCEPT [903023:597186031]
:POSTROUTING ACCEPT [904094:597315982]
-A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sat Jun 18 13:10:15 2022
# Generated by iptables-save v1.8.7 on Sat Jun 18 13:10:15 2022
*filter
:INPUT ACCEPT [1245375:1804787332]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [903023:597186031]
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -d 10.42.0.66/32 -o enp1s0 -j ACCEPT
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.42.0.66/32 -o enp1s0 -j ACCEPT
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sat Jun 18 13:10:15 2022
# Generated by iptables-save v1.8.7 on Sat Jun 18 13:10:15 2022
*nat
:PREROUTING ACCEPT [21385:4652763]
:INPUT ACCEPT [8170:1614588]
:OUTPUT ACCEPT [37981:2537586]
:POSTROUTING ACCEPT [37624:2475722]
-A PREROUTING -p udp -m udp --dport 16080 -j DNAT --to-destination 10.42.0.66:3389
-A PREROUTING -p tcp -m tcp --dport 16080 -j DNAT --to-destination 10.42.0.66:3389
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
COMMIT
# Completed on Sat Jun 18 13:10:15 2022
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

And when it does not:

$ sudo iptables-save
# Generated by iptables-save v1.8.7 on Sat Jun 18 12:59:09 2022
*mangle
:PREROUTING ACCEPT [1254586:1806558968]
:INPUT ACCEPT [1241553:1803567261]
:FORWARD ACCEPT [41:3100]
:OUTPUT ACCEPT [899122:596793155]
:POSTROUTING ACCEPT [900181:596921700]
-A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o lxcbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sat Jun 18 12:59:09 2022
# Generated by iptables-save v1.8.7 on Sat Jun 18 12:59:09 2022
*filter
:INPUT ACCEPT [1241521:1803565457]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [899122:596793155]
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i enp1s0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i enp1s0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.42.0.66/32 -o enp1s0 -j ACCEPT
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -i enp1s0 -o enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i enp1s0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sat Jun 18 12:59:09 2022
# Generated by iptables-save v1.8.7 on Sat Jun 18 12:59:09 2022
*nat
:PREROUTING ACCEPT [21049:4576369]
:INPUT ACCEPT [8039:1586322]
:OUTPUT ACCEPT [37198:2487067]
:POSTROUTING ACCEPT [36849:2426639]
-A PREROUTING -p udp -m udp --dport 16080 -j DNAT --to-destination 10.42.0.66:3389
-A PREROUTING -p tcp -m tcp --dport 16080 -j DNAT --to-destination 10.42.0.66:3389
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.42.0.0/24 ! -d 10.42.0.0/24 -j MASQUERADE
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
COMMIT
# Completed on Sat Jun 18 12:59:09 2022
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
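The two dumps above differ in one thing: where the rule -A FORWARD -d 10.42.0.66/32 -o enp1s0 -j ACCEPT sits. It is the first FORWARD rule when forwarding works and is listed below several blanket -o enp1s0 REJECT rules when it does not, and iptables stops at the first terminating rule that matches. The following Python script is an added example, not part of the question or of iptables itself: it replays a new DNATed connection through abridged copies of both chains and reports which rule decides its fate. The ingress interface wlp2s0 and the source address 192.168.1.10 are assumptions made for the example.

```python
import ipaddress
import shlex

# Constructed, abridged copies of the two *filter FORWARD chains in the question.
WORKING = """*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 10.42.0.66/32 -o enp1s0 -j ACCEPT
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
COMMIT"""
BROKEN = """*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 10.42.0.0/24 -o enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.42.0.0/24 -i enp1s0 -j ACCEPT
-A FORWARD -o enp1s0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 10.42.0.66/32 -o enp1s0 -j ACCEPT
COMMIT"""

def forward_chain(dump):
    """Return (policy, rules) of the *filter FORWARD chain, in evaluation order."""
    table = dump.split("*filter\n", 1)[1].split("\nCOMMIT", 1)[0].splitlines()
    policy = next(l.split()[1] for l in table if l.startswith(":FORWARD "))
    return policy, [l for l in table if l.startswith("-A FORWARD ")]

def parse_rule(line):
    """'-A FORWARD -d 10.42.0.66/32 -o enp1s0 -j ACCEPT' -> option dict."""
    toks, rule, i = shlex.split(line)[2:], {"neg": set()}, 0
    while i < len(toks):
        if toks[i] == "!":                        # '! -d net' negates the next match
            rule["neg"].add(toks[i + 1])
        elif toks[i] in ("-s", "-d", "-i", "-o", "-j", "--state"):
            rule[toks[i]] = toks[i + 1]
        i += 1                                    # -p, -m, --reject-with etc. are ignored
    return rule

def matches(rule, pkt):
    """Apply the match options this parser understands to one packet."""
    in_net = lambda ip, net: ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
    tests = {"-s": lambda v: in_net(pkt["src"], v), "-d": lambda v: in_net(pkt["dst"], v),
             "-i": lambda v: pkt["iif"] == v, "-o": lambda v: pkt["oif"] == v,
             "--state": lambda v: pkt["state"] in v.split(",")}
    # a match holds when its test result disagrees with its negation flag
    return all(test(rule[o]) != (o in rule["neg"]) for o, test in tests.items() if o in rule)

def first_verdict(dump, pkt):
    """Walk FORWARD top to bottom like the kernel: (position, target) of the first hit, else (None, policy)."""
    policy, rules = forward_chain(dump)
    for pos, line in enumerate(rules, 1):
        rule = parse_rule(line)
        if rule.get("-j") in ("ACCEPT", "REJECT", "DROP") and matches(rule, pkt):
            return pos, rule["-j"]
    return None, policy

# Constructed packet: a new connection already DNATed to 10.42.0.66:3389; iif and src are assumptions.
RDP_SYN = {"src": "192.168.1.10", "dst": "10.42.0.66", "iif": "wlp2s0", "oif": "enp1s0", "state": "NEW"}
```

first_verdict(WORKING, RDP_SYN) answers (1, 'ACCEPT') while first_verdict(BROKEN, RDP_SYN) answers (3, 'REJECT'): the ACCEPT rule is present in both dumps but only effective when it precedes the REJECT, which is exactly what re-running the -I command restores.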