I have a gateway + web server box with several external interfaces that serves multiple SSL sites. I use a simple iptables script as the firewall.
The default outgoing interface is eth0 (81.20.146.231). I need connections originating from the internal address 172.16.1.2 to be routed out via eth0:2, so that the outside world sees them as coming from 81.20.146.227.
root@gateway:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:b5:30:22
          inet addr:81.20.146.231  Bcast:81.20.146.255  Mask:255.255.255.224
          inet6 addr: fe80::250:56ff:feb5:3022/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24106762 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34661833 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4700635137 (4.7 GB)  TX bytes:32948653469 (32.9 GB)

eth0:1    Link encap:Ethernet  HWaddr 00:50:56:b5:30:22
          inet addr:81.20.146.238  Bcast:81.20.146.255  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:2    Link encap:Ethernet  HWaddr 00:50:56:b5:30:22
          inet addr:81.20.146.227  Bcast:81.20.146.255  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:50:56:b5:24:5c
          inet addr:172.16.1.1  Bcast:172.16.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feb5:245c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34158142 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22922477 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:32020841479 (32.0 GB)  TX bytes:3309207778 (3.3 GB)
...
Answer 1
If I understand you correctly, this should do it, and will affect outbound traffic from the box to 172.16.1.2 via 81.20.146.227:
route add -host 172.16.1.2 gw 81.20.146.227
If that is not what you want, please explain what you are trying to achieve. If you want 172.16.1.2 to answer on 81.20.146.227, things get more complicated.
Answer 2
iptables -t nat -I POSTROUTING -s 172.16.1.2 -j SNAT --to-source 81.20.146.227
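Added example, not part of either answer: a pre-flight check for the SNAT rule above that parses the ifconfig output from the question to confirm the --to-source address is actually bound on this box (SNAT to an address nobody here owns silently loses every reply), maps the eth0:2 alias to its parent device, and emits the rule pinned with -o eth0 plus an idempotent -C/-I pair. The parser, the -o restriction and the -C check are my additions beyond Answer 2.

```python
import ipaddress
import re

# Address lines of the ifconfig output shown in the question (abridged).
IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:50:56:b5:30:22
          inet addr:81.20.146.231  Bcast:81.20.146.255  Mask:255.255.255.224
eth0:1    Link encap:Ethernet  HWaddr 00:50:56:b5:30:22
          inet addr:81.20.146.238  Bcast:81.20.146.255  Mask:255.255.255.224
eth0:2    Link encap:Ethernet  HWaddr 00:50:56:b5:30:22
          inet addr:81.20.146.227  Bcast:81.20.146.255  Mask:255.255.255.224
eth1      Link encap:Ethernet  HWaddr 00:50:56:b5:24:5c
          inet addr:172.16.1.1  Bcast:172.16.1.255  Mask:255.255.255.0
"""

IFACE_RE = re.compile(r"^(\S+)\s+Link encap")
ADDR_RE = re.compile(r"inet addr:(\S+)\s+Bcast:\S+\s+Mask:(\S+)")


def parse_ifconfig(text):
    """Return {interface_label: IPv4Interface} from old-style ifconfig output."""
    addrs, iface = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ADDR_RE.search(line)
        if m and iface:
            addrs[iface] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return addrs


def snat_rules(internal_ip, public_ip, ifconfig_text=IFCONFIG):
    """Validate the mapping and build the POSTROUTING SNAT rule for it."""
    addrs = parse_ifconfig(ifconfig_text)
    src, pub = ipaddress.IPv4Address(internal_ip), ipaddress.IPv4Address(public_ip)
    owner = next((lbl for lbl, a in addrs.items() if a.ip == pub), None)
    if owner is None:  # replies to a foreign address never come back to us
        raise ValueError(f"{public_ip} is not configured on any local interface")
    if not any(src in a.network for a in addrs.values()):
        raise ValueError(f"{internal_ip} is not in any directly attached subnet")
    out_dev = owner.split(":")[0]  # eth0:2 is a label; -o needs the device eth0
    match = f"-s {src} -o {out_dev} -j SNAT --to-source {pub}"
    return {
        "out_dev": out_dev,
        "check": f"iptables -t nat -C POSTROUTING {match}",   # exit 0 if present
        "insert": f"iptables -t nat -I POSTROUTING {match}",  # -I: before MASQUERADE
    }


if __name__ == "__main__":
    r = snat_rules("172.16.1.2", "81.20.146.227")
    print(f"{r['check']} || {r['insert']}")
```

Pinning -o eth0 keeps the rewrite off traffic that the gateway forwards between internal interfaces, and the -C/-I pair lets the firewall script be re-run without stacking duplicate rules.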