I have a Linux router, and port forwarding from WAN to LAN works fine. But if the request comes from a LAN IP to the WAN IP, it does not work.
```
br0  interface for LAN (10.0.0.1/24)
eth1 interface for WAN (192.168.137.54)
```

Rule to port forward from 67 to 10.0.0.165:22:

```
iptables -A PREROUTING -t nat -p tcp --dport 67 -d 192.168.137.54 -j DNAT --to 10.0.0.165:22
iptables -A FORWARD -i eth1 -d 10.0.0.165 -p tcp --dport 22 -j ACCEPT
```
```
iptables -nvL -t nat

Chain PREROUTING (policy ACCEPT 1445 packets, 212K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MINIUPNPD  all  --  eth1   *       0.0.0.0/0            192.168.137.54
    0     0 ACCEPT     icmp --  eth1   *       0.0.0.0/0            192.168.137.54       icmp type 8
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.137.54       tcp dpt:8080 to:192.168.137.54:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.137.54       tcp dpt:67 to:10.0.0.165:22

Chain INPUT (policy ACCEPT 810 packets, 56282 bytes)

Chain OUTPUT (policy ACCEPT 2252 packets, 168K bytes)

Chain POSTROUTING (policy ACCEPT 2239 packets, 167K bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   809 MASQUERADE all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain MINIUPNPD (1 references)
```
```
iptables -nvL

Chain PREROUTING (policy ACCEPT 8806 packets, 872K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  eth1   *       0.0.0.0/0            192.168.137.54       tcp dpt:80

Chain INPUT (policy DROP 96 packets, 45780 bytes)
 pkts bytes target     prot opt in     out     source               destination
  159 15343 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            192.168.137.54       tcp dpt:80
    0     0 DROP       udp  --  eth1   *       0.0.0.0/0            192.168.137.54       udp dpt:1900
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:10012
    0     0 ACCEPT     icmp --  eth1   *       0.0.0.0/0            192.168.137.54       icmp type 8
    0     0 ACCEPT     2    --  eth1   *       0.0.0.0/0            0.0.0.0/0
   35  1694 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:1701
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1701
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:1723
    0     0 ACCEPT     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            224.0.0.0/4          udp
    0     0 ACCEPT     114  --  eth1   *       0.0.0.0/0            224.0.0.0/4
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
   56  4256 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            10.0.0.165           tcp dpt:22
    0     0 ACCEPT     udp  --  eth1   br0     0.0.0.0/0            0.0.0.0/0            udp dpt:500
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            224.0.0.0/4          udp
    0     0 ACCEPT     esp  --  eth1   br0     0.0.0.0/0            0.0.0.0/0
   58  4408 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 MINIUPNPD  all  --  eth1   !eth1   0.0.0.0/0            0.0.0.0/0
```
I think the problem is on the return path; Wireshark shows me:

```
1 0.000000000 10.0.0.129 192.168.137.54 TCP 74 47388 → 67 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=1102391743 TSecr=0 WS=128
2 0.004186605 10.0.0.165 10.0.0.129 TCP 74 22 → 47388 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=3263068689 TSecr=1102391743 WS=128
```

How can I get the reply (from 10.0.0.165:22) forwarded back to the correct port (67)?
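The capture above is the classic hairpin NAT (NAT reflection) symptom: the PREROUTING DNAT rewrites the destination of the LAN client's SYN to 10.0.0.165:22 but leaves the source as 10.0.0.129, so the server answers the client directly across br0. The SYN-ACK never passes through the router, conntrack never gets a chance to undo the DNAT, and the client receives a SYN-ACK from 10.0.0.165:22 for a connection it opened to 192.168.137.54:67. The usual fix is to additionally SNAT LAN-originated hairpinned packets to the router's own LAN address, so the reply returns via the router and is un-NATed there. The script below is an added example, not part of the original post or its answers; it reuses the addresses and ports from the post (br0 = 10.0.0.1, WAN = 192.168.137.54, target 10.0.0.165:22, external port 67) and only prints the rules so they can be reviewed before being applied.

```sh
#!/bin/sh
# Hairpin NAT rules for the router described in the post (added example, not
# the poster's configuration). Addresses/ports below are taken from the post;
# 10.0.0.1 is br0's own address and is used as the SNAT source.

WAN_IP=192.168.137.54
LAN_IF=br0
LAN_NET=10.0.0.0/24
LAN_GW=10.0.0.1
DST_IP=10.0.0.165
EXT_PORT=67
INT_PORT=22

# Emit the rules instead of running them; `hairpin_rules | sh` applies them.
#  1. the DNAT the post already has (kept interface-agnostic so LAN clients
#     hitting the WAN address are rewritten too)
#  2. NEW: SNAT packets that came from the LAN and were DNATed to the server, so
#     the server replies to 10.0.0.1 and conntrack reverses both translations
#  3. explicit LAN->LAN forward accept (already covered by the post's
#     "ACCEPT all -i br0" rule; listed so the rule set stands on its own)
hairpin_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -p tcp -d $WAN_IP --dport $EXT_PORT -j DNAT --to-destination $DST_IP:$INT_PORT
iptables -t nat -A POSTROUTING -s $LAN_NET -d $DST_IP -p tcp --dport $INT_PORT -j SNAT --to-source $LAN_GW
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $DST_IP -p tcp --dport $INT_PORT -j ACCEPT
EOF
}

# Read an `iptables -t nat -S` listing on stdin and exit 0 if the hairpin SNAT
# rule is already present, 1 if it is missing (the post's listing lacks it).
has_hairpin_snat() {
    grep -q -- "-A POSTROUTING -s $LAN_NET -d $DST_IP/32 -p tcp .*--dport $INT_PORT -j SNAT --to-source $LAN_GW\$"
}

# Usage: ./hairpin.sh          -> print the rules
#        ./hairpin.sh apply    -> apply them (needs root on the router)
if [ "${1:-}" = "apply" ]; then
    hairpin_rules | sh
elif [ "${1:-}" = "" ]; then
    hairpin_rules
fi
```

After applying the rules, the client's SYN to 192.168.137.54:67 arrives at 10.0.0.165:22 with source 10.0.0.1, the SYN-ACK goes back to the router, and conntrack rewrites it to 192.168.137.54:67 -> 10.0.0.129:47388, which is what the client expects. The cost is that sshd on 10.0.0.165 sees every LAN client as 10.0.0.1; if client addresses matter in its logs or in its access rules, the cleaner alternative is split-horizon DNS that resolves the service name to 10.0.0.165 for LAN clients so no hairpin is needed at all.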