I have a dedicated server running CentOS with a public IP (say 1.2.3.4). Using virt-manager I added a virtual machine, also running CentOS.
They are connected through a virtual network:
- the host is at 192.168.100.1
- the guest is at 192.168.100.2
My goal is to run a TeamSpeak server on the guest that is reachable through the host's public IP.
After going through the forums I ended up with the following rules:
iptables -t nat -A PREROUTING -p udp --dport 9987 -j DNAT --to 192.168.100.2:9987
iptables -I FORWARD -d 192.168.100.2 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 9987 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 30033 -j DNAT --to 192.168.100.2:30033
iptables -I FORWARD -d 192.168.100.2 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 30033 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 30033 -j DNAT --to 192.168.100.2:30033
iptables -I FORWARD -d 192.168.100.2 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 30033 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 10011 -j DNAT --to 192.168.100.2:10011
iptables -I FORWARD -d 192.168.100.2 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 10011 -j ACCEPT
Unfortunately, when I try to connect with TeamSpeak I get no response at all.
Could you enlighten me?
- - - - - - - - - - - - - - - - - - EDIT - - - - - - - - - - - - - - - - - -
Running "tcpdump -i eth0 -n udp port 9987" on both machines, I can see the forwarded packets.
In /etc/sysctl.conf:
net.ipv4.ip_forward = 1
netstat -an|grep -w 9987
udp 0 0 0.0.0.0:9987 0.0.0.0:*
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning
Jun 21 04:17:07 sd-xxxxx kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:c4:7a:08:xx:xx:xx:xx SRC=62.xx.xx.52 DST=62.xx.xx.255 LEN=49 TOS=0x00 PREC=0x00 TTL=64 ID=45280 DF PROTO=UDP SPT=47579 DPT=32414 LEN=29
Jun 21 04:17:09 sd-xxxxx kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:0c:c4:7a:09:xx:xx:xx:xx SRC=62.xx.xx.188 DST=255.255.255.255 LEN=201 TOS=0x00 PREC=0x00 TTL=64 ID=65 DF PROTO=UDP SPT=55996 DPT=1900 LEN=181
I noticed that in the FORWARD block of iptables -L the rule for port 9987 is described differently:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warning
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.100.2 state NEW,RELATED,ESTABLISHED tcp dpt:10011
ACCEPT udp -- anywhere 192.168.100.2 state NEW,RELATED,ESTABLISHED udp dpt:30033
ACCEPT tcp -- anywhere 192.168.100.2 state NEW,RELATED,ESTABLISHED tcp dpt:30033
ACCEPT udp -- anywhere 192.168.100.2 state NEW,RELATED,ESTABLISHED udp dpt:dsm-scm-target
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Nothing is logged on either the host or the guest when I add the following rules:
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
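The following script is an added example and is not part of the original post or its author's setup. It installs the complete rule set needed to publish a guest service through the host: IP forwarding, interface-restricted DNAT for the three TeamSpeak ports, a FORWARD rule for the rewritten inbound packets, and a FORWARD rule for the reverse direction. That last rule is the one the chain listing above does not contain: every ACCEPT in that FORWARD chain matches only traffic to 192.168.100.2, and the chain ends in REJECT, so the guest's replies have nothing to match before they are rejected. The script assumes eth0 is the host's public interface, that the guest's default route points at the host (192.168.100.1), and that the rules are inserted with -I so they land in front of the REJECT rule and any rules libvirt manages; all of these are assumptions, not facts from the post. With DRY_RUN=1 it prints the commands instead of running them, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the original post. Publishes a KVM guest's
# TeamSpeak ports through the host with DNAT plus matching FORWARD rules.
# Assumptions (not given in the post): eth0 is the public NIC, the guest
# is 192.168.100.2, and the guest's default gateway is the host.
# Usage:  DRY_RUN=1 sh ts-forward.sh   (print the commands)
#         sh ts-forward.sh             (apply them, as root)

WAN_IF="${WAN_IF:-eth0}"
GUEST="${GUEST:-192.168.100.2}"
# TeamSpeak 3 defaults: voice 9987/udp, file transfer 30033/tcp, ServerQuery 10011/tcp.
PORTS="udp:9987 tcp:30033 tcp:10011"

# run CMD... : execute the command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ts_forward_rules() {
    # Routing between interfaces must be on; DNAT alone does nothing.
    run sysctl -w net.ipv4.ip_forward=1

    # Reverse direction: the guest's replies also traverse FORWARD. Without
    # this they fall through to the trailing REJECT even though conntrack
    # has already un-NATed them. Inserted at position 1 so it precedes REJECT.
    run iptables -I FORWARD 1 -s "$GUEST" -m state --state ESTABLISHED,RELATED -j ACCEPT

    for p in $PORTS; do
        proto=${p%%:*}
        port=${p##*:}
        # Rewrite the destination only for packets that arrived on the public NIC,
        # so traffic on the virtual bridge is never accidentally redirected.
        run iptables -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$port" \
            -j DNAT --to-destination "$GUEST:$port"
        # Inbound direction: NEW is required for the first packet of a flow.
        run iptables -I FORWARD 1 -i "$WAN_IF" -d "$GUEST" -p "$proto" --dport "$port" \
            -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    done
}

# Self-check: number of FORWARD rules the generator emits (1 reverse + one per port).
ts_rule_count() {
    ( DRY_RUN=1; ts_forward_rules ) | grep -c 'iptables -I FORWARD'
}
```

When checking the result, list the chain with `iptables -L FORWARD -v -n --line-numbers`: without `-n` iptables resolves port numbers through /etc/services, which is why 9987 shows up as dsm-scm-target in the listing above, and the packet counters show whether the reverse-direction rule is actually seeing the guest's replies.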