How to redirect to my Squid proxy with iptables, given "DNAT target: only valid in nat table"

I want to redirect the traffic of my LAN network through a Squid proxy, but I am having some problems with the iptables rules.

When I use the following rule:

# iptables -I FORWARD -s 192.168.1.0/255.255.255.0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.196:3128

I get the following error:

x_tables: ip_tables: DNAT target: only valid in nat table, not filter

I have tried using the PREROUTING chain, but there is no such thing in my iptables:

# iptables -I PREROUTING -s 192.168.1.0/255.255.255.0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.196:3128
iptables: No chain/target/match by that name.

I am using iptables version 1.4.10.

# iptables -t nat -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
prerouting_rule  all  --  anywhere             anywhere            
zone_lan_prerouting  all  --  anywhere             anywhere            
zone_wan_prerouting  all  --  anywhere             anywhere

My full iptables -L -n -v output:

root@OpenWrt:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  776 93902 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 3231  164K syn_flood  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 
 7098  429K input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 7096  429K input      all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC XX:XX:XX:XX:XX:XX udp spt:22509  
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC XX:XX:XX:XX:XX:XX tcp spts:59000:65399 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           MAC XX:XX:XX:XX:XX:XX udp spts:49950:65399 
 8271 3071K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
  451 44484 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  451 44484 forward    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    5   276 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7408  581K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
  206 13814 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  206 13814 output     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  446 44208 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_forward  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain forwarding_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  515 43070 zone_lan   all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           
 6560  385K zone_wan   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain input_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  206 13814 zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  203 13301 zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (5 references)
 pkts bytes target     prot opt in     out     source               destination         
 3249  166K REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset 
 3257  198K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3231  164K RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 25/sec burst 50 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  515 43070 input_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  515 43070 zone_lan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   513 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
  515 43070 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0           
    5   272 reject     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0           

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  446 44208 zone_wan_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    5   272 forwarding_lan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    5   272 zone_lan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   64 21010 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:68 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
 6496  364K input_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 6496  364K zone_wan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  644 57237 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_REJECT (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
 6496  364K reject     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 forwarding_wan  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 zone_wan_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0 

Answer 1

You need to specify that the rule should go into the nat table; in addition, the DNAT command needs to go into the PREROUTING chain, and you need to be careful not to create a loop.

iptables -t nat -I PREROUTING -i br-lan -s ! 192.168.1.196  -p tcp --dport 80 -j DNAT --to-destination 192.168.1.196:3128

The default table is the filter table.

Don't forget that you also need MASQUERADE/SNAT to rewrite the source address:

iptables -t nat -I POSTROUTING -p tcp --dport 80 -j MASQUERADE

This guide provides more options and explanations.
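Putting the answer's rules together as a script, as an added example that is not part of the original answer: it assumes the LAN bridge br-lan and the proxy 192.168.1.196:3128 from the question, uses the newer "! -s" negation syntax, and adds a filter-table FORWARD accept because the question's listing shows FORWARD with policy DROP and zone_lan_forward ending in zone_lan_REJECT, which would otherwise reject the redirected LAN-to-LAN packets. The rules are only printed by default and are executed only when APPLY=1 is set, so the script can be reviewed before it touches the router.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the rules for a transparent
# Squid redirect on an OpenWrt-style router where the proxy sits on the LAN.
# Rules are printed unless APPLY=1 is set; then they are executed.

LAN_IF="${LAN_IF:-br-lan}"               # LAN bridge from the question's listing
PROXY_IP="${PROXY_IP:-192.168.1.196}"    # Squid host from the question (assumed)
PROXY_PORT="${PROXY_PORT:-3128}"         # Squid port from the question (assumed)

# Print the three rules, one per line, without touching the kernel.
squid_redirect_rules() {
    # 1. nat/PREROUTING: DNAT port-80 traffic entering from the LAN to Squid.
    #    Packets from the proxy host itself are excluded (! -s); otherwise
    #    Squid's own upstream fetches would be redirected back into Squid.
    echo "iptables -t nat -I PREROUTING -i $LAN_IF ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT"
    # 2. nat/POSTROUTING runs after DNAT, so match the rewritten destination.
    #    MASQUERADE makes Squid answer via the router; a direct reply to the
    #    client would carry the wrong source address and be discarded.
    echo "iptables -t nat -I POSTROUTING -o $LAN_IF -d $PROXY_IP -p tcp --dport $PROXY_PORT -j MASQUERADE"
    # 3. filter/FORWARD: the listing has policy DROP and zone_lan_forward ends in
    #    zone_lan_REJECT, so the redirected LAN-to-LAN packets need an ACCEPT.
    echo "iptables -I FORWARD -i $LAN_IF -o $LAN_IF -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT"
}

# Execute each rule line; used only when APPLY=1.
apply_rules() {
    squid_redirect_rules | while IFS= read -r rule; do
        $rule || exit 1
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
    # Check that the rules landed; the pkts column shows whether they match.
    iptables -t nat -L PREROUTING -n -v
    iptables -t nat -L POSTROUTING -n -v
else
    squid_redirect_rules
fi
```

The POSTROUTING rule is narrower than the answer's: nat POSTROUTING sees the packet after the PREROUTING rewrite, so the redirected connections are the ones whose destination is already 192.168.1.196:3128, and matching on that avoids masquerading unrelated LAN traffic. Only plain HTTP on port 80 is covered; HTTPS cannot be handed to Squid this way, and Squid itself must listen in intercept (older versions: transparent) mode on 3128 for the DNAT'd connections to be accepted.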
