Getting MASQUERADE and IPTABLES to work

I've run into an IPTABLES problem. There are two IPTABLES save files: one from the dedi server, which is the one I want to use, and one from my recent CentOS install.

On the recent one MASQUERADE works fine; on the dedi it does not work.

I'm still a newbie with firewalls, so I'm posting both files and asking for help correcting the dedi iptables so that MASQUERADE works there too.

Thank you!

IPTABLES from dedi server
# Generated by iptables-save v1.4.7 on Tue Jun 19 02:09:31 2012
*mangle
:PREROUTING ACCEPT [76062:19805877]
:INPUT ACCEPT [74250:19703779]
:FORWARD ACCEPT [1811:101749]
:OUTPUT ACCEPT [74061:18596265]
:POSTROUTING ACCEPT [74061:18596265]
COMMIT
# Completed on Tue Jun 19 02:09:31 2012
# Generated by iptables-save v1.4.7 on Tue Jun 19 02:09:31 2012
*nat
:PREROUTING ACCEPT [450:24602]
:POSTROUTING ACCEPT [46:2576]
:OUTPUT ACCEPT [154:9003]
-A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Jun 19 02:09:31 2012
# Generated by iptables-save v1.4.7 on Tue Jun 19 02:09:31 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ASL-ACTIVE-RESPONSE - [0:0]
:ASL-BLACKLIST - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset 
-A INPUT -m state --state INVALID -j DROP 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 12443 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 11443 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 11444 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8447 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8880 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 106 -j ACCEPT 
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 3306 -j DROP 
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 9008 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT 
-A INPUT -p udp -m udp --dport 137 -j ACCEPT 
-A INPUT -p udp -m udp --dport 138 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT 
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT 
-A INPUT -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -p udp -m udp --dport 9522 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 9522 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 4487 -j ACCEPT 
-A INPUT -p udp -j ACCEPT 
-A INPUT -p tcp -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT 
-A INPUT -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset 
-A FORWARD -m state --state INVALID -j DROP 
-A FORWARD -i lo -o lo -j ACCEPT 
-A FORWARD -j DROP 
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset 
-A OUTPUT -m state --state INVALID -j DROP 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -j ACCEPT 
-A ASL-ACTIVE-RESPONSE -j DROP 
-A ASL-BLACKLIST -j DROP 
COMMIT
# Completed on Tue Jun 19 02:09:31 2012

IPTABLES from recent install
# Generated by iptables-save v1.4.7 on Tue Jun 19 11:27:53 2012
*mangle
:PREROUTING ACCEPT [132014870:94154517348]
:INPUT ACCEPT [32724511:17221418389]
:FORWARD ACCEPT [99177664:76852711851]
:OUTPUT ACCEPT [20020311:7695154264]
:POSTROUTING ACCEPT [119214834:84553729574]
COMMIT
# Completed on Tue Jun 19 11:27:53 2012
# Generated by iptables-save v1.4.7 on Tue Jun 19 11:27:53 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [20020284:7695152280]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -i eth1 -j ACCEPT 
-A INPUT -i eth0 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 21 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4487 -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9522 -j ACCEPT 
-A INPUT -p udp -m state --state NEW -m udp --dport 9522 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT 
-A FORWARD -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT 
-A FORWARD -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT 
-A FORWARD -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT 
-A FORWARD -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT 
-A FORWARD -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT 
-A FORWARD -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT 
-A FORWARD -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A FORWARD -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 
-A FORWARD -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT 
-A FORWARD -p udp -m state --state NEW -m udp --dport 21 -j ACCEPT 
-A FORWARD -p tcp -m state --state NEW -m tcp --dport 4487 -j ACCEPT 
-A FORWARD -p tcp -m state --state NEW -m tcp --dport 9522 -j ACCEPT 
-A FORWARD -p udp -m state --state NEW -m udp --dport 9522 -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -p icmp -j ACCEPT 
-A FORWARD -i lo -j ACCEPT 
-A FORWARD -i eth1 -j ACCEPT 
-A FORWARD -i eth0 -j ACCEPT 
-A FORWARD -o eth0 -j ACCEPT 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Tue Jun 19 11:27:53 2012
# Generated by iptables-save v1.4.7 on Tue Jun 19 11:27:53 2012
*nat
:PREROUTING ACCEPT [1974169:150131862]
:POSTROUTING ACCEPT [163057:11741154]
:OUTPUT ACCEPT [1599021:106159155]
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT
# Completed on Tue Jun 19 11:27:53 2012

Answer 1

If cat /proc/sys/net/ipv4/ip_forward gives no output, the setting in sysctl.conf is not being applied, which may be down to differences in how the distribution handles it. To make sure IP forwarding is enabled, add the following to /etc/rc.local:

sysctl -w net.ipv4.ip_forward=1

or add (to the same file):

echo 1 > /proc/sys/net/ipv4/ip_forward

Or, if you set up iptables from a bash script, you can pop one of those lines in there (which is probably better).
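A masqueraded LAN packet has to clear two hurdles on the gateway: the kernel must have ip_forward turned on (the point of the answer above), and the packet must then pass the filter table's FORWARD chain before it ever reaches the MASQUERADE rule in nat/POSTROUTING. The following checker is an added example, not code from the question or the answer. It parses iptables-save output with a deliberately small subset of iptables match semantics (-i/-o/-s/-d/-p, --state, --dport, --tcp-flags; anything else, such as physdev, is treated as a non-match) and walks both chains for one hypothetical new TCP connection from the LAN. The two dump excerpts are trimmed from the files posted above; the interface names (eth1 = LAN, eth0 = WAN), the 192.168.0.10 source and the 203.0.113.5 destination are constructed assumptions.

```python
import ipaddress

TERMINAL = {"ACCEPT", "DROP", "REJECT", "MASQUERADE"}

def parse_save(text):
    """Parse iptables-save output into {table: {"policy": {chain: policy}, "rules": [(chain, tokens)]}}."""
    tables, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]   # ":FORWARD DROP [0:0]" -> FORWARD, DROP
            cur["policy"][chain] = policy
        elif line.startswith("-A "):
            parts = line.split()
            cur["rules"].append((parts[1], parts[2:]))
    return tables

def rule_matches(tokens, pkt):
    """Subset of iptables matching: -i/-o/-s/-d/-p, --state, --dport, --tcp-flags.
    Any other match option (physdev, icmp-type, ...) is conservatively treated as no match."""
    i, negate = 0, False
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-j":
            return True                      # reached the target: every match above passed
        if tok == "!":
            negate, i = True, i + 1
            continue
        if tok == "-m":
            i += 2                           # a module name carries no match by itself
            continue
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-i":
            hit = pkt["in"] == arg
        elif tok == "-o":
            hit = pkt["out"] == arg
        elif tok in ("-s", "-d"):
            addr = pkt["src"] if tok == "-s" else pkt["dst"]
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(arg, strict=False)
        elif tok == "-p":
            hit = arg in ("all", pkt["proto"])
        elif tok == "--state":
            hit = pkt["state"] in arg.split(",")
        elif tok == "--dport":
            hit = str(pkt["dport"]) == arg
        elif tok == "--tcp-flags":           # "MASK COMP": a bare SYN matches COMP == SYN
            hit = pkt["proto"] == "tcp" and pkt["syn"] and tokens[i + 2] == "SYN"
            i += 1                           # --tcp-flags takes two arguments
        else:
            return False
        if hit == negate:                    # plain miss, or a negated hit
            return False
        negate, i = False, i + 2
    return True

def walk_chain(tables, table, chain, pkt):
    """First terminal verdict for pkt in chain (descending into user chains), else the chain policy."""
    t = tables[table]
    for ch, tokens in t["rules"]:
        if ch != chain or "-j" not in tokens or not rule_matches(tokens, pkt):
            continue
        target = tokens[tokens.index("-j") + 1]
        if target in TERMINAL:
            return target
        if target in t["policy"]:            # user-defined chain: descend, carry on if it returns
            verdict = walk_chain(tables, table, target, pkt)
            if verdict:
                return verdict
    policy = t["policy"].get(chain, "-")
    return None if policy == "-" else policy

def check_masquerade(tables, pkt):
    """A masqueraded LAN packet must survive filter/FORWARD and reach MASQUERADE in nat/POSTROUTING."""
    return {"forward": walk_chain(tables, "filter", "FORWARD", pkt),
            "postrouting": walk_chain(tables, "nat", "POSTROUTING", pkt)}

def ip_forward_enabled(proc_value):
    """True only if /proc/sys/net/ipv4/ip_forward reads '1'; empty output counts as disabled."""
    return proc_value.strip() == "1"

# Trimmed from the two dumps posted in the question; counters zeroed.
DEDI_EXCERPT = """*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A FORWARD -i lo -o lo -j ACCEPT
-A FORWARD -j DROP
COMMIT"""
RECENT_EXCERPT = """*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT"""
# Constructed packet: new HTTPS connection from a LAN host on eth1, leaving via eth0 (assumed names).
LAN_PKT = {"in": "eth1", "out": "eth0", "src": "192.168.0.10", "dst": "203.0.113.5",
           "proto": "tcp", "dport": 443, "state": "NEW", "syn": True}

if __name__ == "__main__":
    for name, dump in (("dedi", DEDI_EXCERPT), ("recent", RECENT_EXCERPT)):
        print(name, check_masquerade(parse_save(dump), LAN_PKT))
```

Run against the excerpts, the recent install reports ACCEPT in FORWARD and MASQUERADE in POSTROUTING, while the dedi dump reports DROP in FORWARD: its FORWARD chain only accepts lo-to-lo traffic before the final -A FORWARD -j DROP, so the nat rules never see a LAN packet regardless of the ip_forward setting. To check a live box instead of an excerpt, feed it the output of iptables-save and the contents of /proc/sys/net/ipv4/ip_forward (ip_forward_enabled treats empty output as disabled, matching the answer above).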
