在“服务器 A”上,我有一个在端口 1445 上运行的服务。“服务器 B”可以通过以下规则在端口 445 上连接到“服务器 A”:
iptables -t nat -A PREROUTING -d www.kunde.de -p tcp -m tcp --dport 445 -j REDIRECT --to-ports 1445
这对于在“服务器 A”上发起的连接(即本地连接)不起作用。我该怎么办?
答案1
iptables -t nat -A OUTPUT -d www.kunde.de -p tcp -m tcp --dport 445 -j REDIRECT --to-ports 1445
因为本地发起的数据包通过 OUTPUT,而不是通过 PREROUTING。
答案2
如果您使用 lxc 或其他虚拟化技术,您可以将所有流量从端口 445 重定向到容器的 1455。
服务器A本地的请求不会通过PREROUTING,原因前面已经说过了,本地流量不会访问nat table,但是如果你之前用过DNAT,它只对到服务器A的外部流量起作用,REDIRECT只对端口转发起作用,不能用作DNAT
答案3
你最好阅读一些手册和文档。
无论如何简短的链条描述:
* “PREROUTING”: Packets will enter this chain before a routing decision is made.
* “INPUT”: Packet is going to be locally delivered. (N.B.: It does not have anything to do with processes having a socket open. Local delivery is controlled by the “local-delivery” routing table: `ip route show table local`.)
* “FORWARD”: All packets that have been routed and were not for local delivery will traverse this chain.
* “OUTPUT”: Packets sent from the machine itself will be visiting this chain.
* “POSTROUTING”: Routing decision has been made. Packets enter this chain just before handing them off to the hardware.
请看这里:
