我知道对此有很多疑问,但我仍然在努力让它发挥作用。
我有一个防火墙,它有 3 个外部 IP。(为了安全起见,IP 已被随机更改)
eth0 Link encap:Ethernet HWaddr 50:46:5d:64:ed:e4
inet addr:51.215.232.147 Bcast:51.215.232.159 Mask:255.255.255.240
inet6 addr: fe80::5246:5dff:fe64:ede4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:70219084 errors:0 dropped:17443 overruns:0 frame:0
TX packets:63956103 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:51508818511 (51.5 GB) TX bytes:27933240304 (27.9 GB)
eth0:1 Link encap:Ethernet HWaddr 50:46:5d:64:ed:e4
inet addr:51.215.232.148 Bcast:51.215.232.159 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:2 Link encap:Ethernet HWaddr 50:46:5d:64:ed:e4
inet addr:51.215.232.150 Bcast:51.215.232.159 Mask:255.255.255.240
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
我有这些简单的规则:
# Generated by iptables-save v1.4.10 on Sat Mar 3 14:48:42 2012
*filter
:INPUT ACCEPT [13766:4986720]
:FORWARD ACCEPT [992:122980]
:OUTPUT ACCEPT [11894:5582822]
-A FORWARD -s 172.16.0.0/16 -o eth0 -j ACCEPT
-A FORWARD -d 172.16.0.0/16 -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Mar 3 14:48:42 2012
# Generated by iptables-save v1.4.10 on Sat Mar 3 14:48:42 2012
*nat
:PREROUTING ACCEPT [77:8206]
:INPUT ACCEPT [48:6367]
:OUTPUT ACCEPT [55:3300]
:POSTROUTING ACCEPT [55:3300]
-A POSTROUTING -s 172.16.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.10.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.1.0.0/16 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Mar 3 14:48:42 2012
所以我想将所有内容从 51.215.232.150 转发到内部 IP 172.16.5.218。
所以我认为这会起作用:
iptables -t nat -I PREROUTING -p tcp -d 51.215.232.150 -j DNAT --to 172.16.5.218
但可惜没有。
提前致谢。爱德华
答案1
通常我会说你需要一个相应的 FORWARD 规则来真正允许流量通过 FILTER 表:
iptables -A FORWARD -p tcp -d 172.16.5.218 -j ACCEPT
但是您对 FORWARD 表的策略已经是 ACCEPT,并且没有 REJECT 或 DROP 规则,因此它应该可以通过。
尝试添加 TRACE 规则来查看数据包去向:
iptables -t raw -I PREROUTING -p tcp -d 51.215.232.150 -j TRACE
另外,您是如何测试的?您能看到流量实际到达盒子吗?
tcpdump -lnn -i eth0 host 51.215.232.150