iptables DNAT port forwarding to another machine on the LAN

I am trying to implement iptables forwarding rules so that packets arriving on a specific port are redirected internally.

My machine is running Ubuntu Server 12.04.3 with UFW and all the latest updates.

So far I have been able to build a partially working setup, as follows:

iptables -A PREROUTING -t nat -p tcp --dport 40591 -j DNAT --to 192.168.0.100:40591
iptables -A ufw-user-forward -p tcp -d 192.168.0.100 --dport 40591 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -A ufw-user-forward -m state --state RELATED,ESTABLISHED -j ACCEPT

As shown, the destination is 192.168.0.100 on port 40591.

However, a problem appeared shortly afterwards: I noticed that my apache2 service was emitting a large number of errors; my PHP scripts could no longer connect to my database via 127.0.0.1, because the connection was supposedly initiated from its LAN address (192.168.0.10).

To confirm the root of the problem, I tried:

  1. strace on my PHP script, which only confirmed what I already knew (i.e. the connection is initiated locally and magically moved to the server's local address (192.168.0.10))
  2. tcpdump on port 3306 with the following command: tcpdump -e -i any -n -s0 tcp port 3306

tcpdump

(with the rules added)

04:51:30.043660  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 76: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [S], seq 1373736824, win 43690, options [mss 65495,sackOK,TS val 33638495 ecr 0,nop,wscale 7], length 0
04:51:30.043679  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 76: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [S.], seq 3532787939, ack 1373736825, win 43690, options [mss 65495,sackOK,TS val 33638495 ecr 33638495,nop,wscale 7], length 0
04:51:30.043692  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [.], ack 1, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 0
04:51:30.043935  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 163: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [P.], seq 1:96, ack 1, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 95
04:51:30.043992  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [.], ack 96, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 0
04:51:30.044044  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 173: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [P.], seq 1:106, ack 96, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 105
04:51:30.044077  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [.], ack 106, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 0
04:51:30.044152  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 79: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [P.], seq 96:107, ack 106, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 11
04:51:30.044240  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 115: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [P.], seq 106:153, ack 107, win 342, options [nop,nop,TS val 33638495 ecr 33638495], length 47
04:51:30.044560  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 413: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [P.], seq 107:452, ack 153, win 342, options [nop,nop,TS val 33638496 ecr 33638495], length 345
04:51:30.052507  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 204: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [P.], seq 153:289, ack 452, win 350, options [nop,nop,TS val 33638498 ecr 33638496], length 136
04:51:30.052907  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 471: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [P.], seq 452:855, ack 289, win 350, options [nop,nop,TS val 33638498 ecr 33638498], length 403
04:51:30.053042  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 302: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [P.], seq 289:523, ack 855, win 359, options [nop,nop,TS val 33638498 ecr 33638498], length 234
04:51:30.092217  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 79: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [P.], seq 855:866, ack 523, win 359, options [nop,nop,TS val 33638507 ecr 33638498], length 11
04:51:30.092377  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 73: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [P.], seq 523:528, ack 866, win 359, options [nop,nop,TS val 33638508 ecr 33638507], length 5
04:51:30.092404  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [F.], seq 528, ack 866, win 359, options [nop,nop,TS val 33638508 ecr 33638507], length 0
04:51:30.092427  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.3306 > 127.0.0.1.46461: Flags [F.], seq 866, ack 529, win 359, options [nop,nop,TS val 33638508 ecr 33638508], length 0
04:51:30.092446  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.46461 > 127.0.0.1.3306: Flags [.], ack 867, win 359, options [nop,nop,TS val 33638508 ecr 33638508], length 0

04:32:38.264052  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 76: 192.168.0.10.46454 > 127.0.0.1.3306: Flags [S], seq 344014396, win 43690, options [mss 65495,sackOK,TS val 33355550 ecr 0,nop,wscale 7], length 0
04:32:38.264072  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 76: 127.0.0.1.3306 > 127.0.0.1.46454: Flags [S.], seq 1406967667, ack 344014397, win 43690, options [mss 65495,sackOK,TS val 33355550 ecr 33355550,nop,wscale 7], length 0
04:32:38.264086  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 192.168.0.10.46454 > 127.0.0.1.3306: Flags [.], ack 1406967668, win 342, options [nop,nop,TS val 33355550 ecr 33355550], length 0
04:32:38.264337  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 141: 127.0.0.1.3306 > 127.0.0.1.46454: Flags [P.], seq 1:74, ack 1, win 342, options [nop,nop,TS val 33355551 ecr 33355550], length 73
04:32:38.264388  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.3306 > 127.0.0.1.46454: Flags [F.], seq 74, ack 1, win 342, options [nop,nop,TS val 33355551 ecr 33355550], length 0
04:32:38.264450  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 192.168.0.10.46454 > 127.0.0.1.3306: Flags [.], ack 74, win 342, options [nop,nop,TS val 33355551 ecr 33355551], length 0
04:32:38.264488  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 192.168.0.10.46454 > 127.0.0.1.3306: Flags [F.], seq 0, ack 75, win 342, options [nop,nop,TS val 33355551 ecr 33355551], length 0
04:32:38.264506  In 00:00:00:00:00:00 ethertype IPv4 (0x0800), length 68: 127.0.0.1.3306 > 127.0.0.1.46454: Flags [.], ack 2, win 342, options [nop,nop,TS val 33355551 ecr 33355551], length 0

As a result my setup has become a mess, and I am not quite sure how to achieve a stable NAT forwarding setup with iptables rules.

So my question is: what is causing this problem, and how do I fix it?

Thanks.

Answer 1

It is not clear to me whether you are doing this on a single-homed or a dual-homed machine. You do not specify any interface in your iptables rules, which confuses me.

It seems to me that the iptables -t nat -A POSTROUTING -j MASQUERADE rule is the culprit. It causes outgoing traffic on all interfaces to be SNATed to the interface's IP address. I don't think you want that. You should specify the Internet-facing interface on that rule with -o.
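An added model (not code from the question or the answer) of why the interface-less MASQUERADE rule rewrote the loopback connection in the capture above, and why restricting it with -o fixes it. The source-address selection mirrors the kernel's inet_select_addr(): a universe-scope primary address on the output device is preferred, and if the device has none (loopback's 127.0.0.1 is host-scope) the first universe-scope address on any device is used instead. It assumes eth0 is the Internet-facing interface; the external client address is constructed.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

RT_SCOPE_UNIVERSE, RT_SCOPE_LINK, RT_SCOPE_HOST = 0, 253, 254

# Constructed interface table: lo carries the host-scope loopback address,
# eth0 carries the server's LAN address from the question (192.168.0.10).
IFACES = {
    "lo":   [("127.0.0.1", RT_SCOPE_HOST)],
    "eth0": [("192.168.0.10", RT_SCOPE_UNIVERSE)],
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    out_if: str  # interface chosen by the routing decision

@dataclass(frozen=True)
class Rule:
    target: str
    out_if: Optional[str] = None  # the -o match; None means "any interface"

def select_addr(dev: str, scope: int = RT_SCOPE_UNIVERSE) -> str:
    """Model of inet_select_addr(): skip addresses whose scope is narrower than requested."""
    for addr, s in IFACES[dev]:
        if s <= scope:
            return addr
    for addrs in IFACES.values():  # fallback: first usable non-link-scope address on any device
        for addr, s in addrs:
            if s != RT_SCOPE_LINK and s <= scope:
                return addr
    raise LookupError("no usable source address")

def postrouting(pkt: Packet, chain: List[Rule]) -> Packet:
    """Walk the nat POSTROUTING chain; the first matching MASQUERADE rewrites the source."""
    for rule in chain:
        if rule.out_if is not None and rule.out_if != pkt.out_if:
            continue
        if rule.target == "MASQUERADE":
            return replace(pkt, src=select_addr(pkt.out_if))
    return pkt

BROKEN = [Rule("MASQUERADE")]                # iptables -t nat -A POSTROUTING -j MASQUERADE
FIXED = [Rule("MASQUERADE", out_if="eth0")]  # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

LOCAL_DB = Packet("127.0.0.1", "127.0.0.1", 3306, "lo")          # PHP -> MySQL over loopback
FORWARDED = Packet("203.0.113.5", "192.168.0.100", 40591, "eth0")  # DNATed client, constructed src

if __name__ == "__main__":
    for name, chain in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, postrouting(LOCAL_DB, chain).src, postrouting(FORWARDED, chain).src)
```

With the broken chain the loopback packet leaves with source 192.168.0.10, matching the second tcpdump capture; with the -o eth0 rule it keeps 127.0.0.1 while the forwarded packet is still masqueraded.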
