These are all the rules I currently have on the server:
/usr/sbin/iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 6112 -j DNAT --to 10.0.0.3:6112
/usr/sbin/iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 1513 -j DNAT --to 10.0.0.3:1513
/usr/sbin/iptables -I FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
/usr/sbin/iptables -A FORWARD -i eth0 -j ACCEPT
/usr/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A FORWARD -j LOG
/usr/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
I need some help with a few very basic requirements: I need to allow people to connect to this server on ports 1513 and 6112 and to be able to ping the server, and no other external access to the firewall is needed.
eth0 is the local network interface, eth1 is the external network interface, and I use 10.0.0.0/255.255.255.0 as my local network.
Are these rules enough for what I need, or am I missing something?
Update:
root@server:~# iptables -L; iptables -t nat -L; iptables -t mangle -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:6112 to:10.0.0.3:6112
DNAT tcp -- anywhere anywhere tcp dpt:fujitsu-dtc to:10.0.0.3:1513
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Answer 1
You are missing the second line for each PREROUTING command. You have changed the destination IP, but there is nothing in the FORWARD table that actually allows the traffic.
Try these additional commands:
# -d takes an address only (no port); the port is already matched by --dport
/usr/sbin/iptables -A FORWARD -i eth1 -p tcp --dport 6112 -d 10.0.0.3 -j ACCEPT
/usr/sbin/iptables -A FORWARD -i eth1 -p tcp --dport 1513 -d 10.0.0.3 -j ACCEPT
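The answer's point, that every DNAT needs a matching FORWARD rule, only matters once the FORWARD policy is DROP; with the ACCEPT policy shown in the question's output the traffic was already flowing. The script below is an added example, not code from the question or the answer: a default-deny ruleset for the stated needs (ping the server, ports 6112 and 1513 to the internal host, LAN out via masquerade). It assumes eth0 = LAN, eth1 = WAN, 10.0.0.0/24 and host 10.0.0.3 as in the question, and generates the rules as text so they can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Assumes eth0 = LAN,
# eth1 = WAN, LAN 10.0.0.0/24, internal host 10.0.0.3, ports 6112/1513.
IPT="${IPT:-/usr/sbin/iptables}"
LAN_IF=eth0; WAN_IF=eth1; LAN_NET=10.0.0.0/24; TARGET=10.0.0.3
PORTS="6112 1513"

# Emit the rules one per line so the set can be reviewed or tested without root.
fw_rules() {
    cat <<EOF
-F
-t nat -F
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
EOF
    for p in $PORTS; do
        # DNAT only rewrites the destination; the FORWARD counterpart is what
        # lets the rewritten SYN through a DROP policy (the answer's point).
        echo "-t nat -A PREROUTING -i $WAN_IF -p tcp --dport $p -j DNAT --to-destination $TARGET:$p"
        echo "-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $TARGET --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A FORWARD -j LOG --log-prefix FW-DROP:
-t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Apply the emitted rules; must run as root. Each line is one iptables call.
apply_firewall() {
    fw_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  (word splitting of $rule is intended)
        $IPT $rule
    done
}

# Check helper: is the given rule text present in the generated set?
has_rule() { fw_rules | grep -qF -- "$1"; }

# Only touch the live firewall when explicitly asked: APPLY=1 sh fw.sh
if [ "${APPLY:-0}" = 1 ]; then apply_firewall; fi
```

Everything not listed (other inbound ports, anything forwarded in from eth1 that is not a reply or one of the two DNAT targets) falls through to the LOG rule and then the DROP policy, so the log prefix shows exactly what is being refused.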