Cannot connect to a web server hosted in a VPC private subnet through a NAT hosted in the public subnet

I have hosted my android/web application on an EC2 instance in the private subnet (10.0.1.0) of my VPC. apache-tomcat is installed on this instance, but it has no public IP.

There is also a NAT instance in the public subnet (10.0.0.0) of my VPC, and a public IP has been assigned to that server.

The iptables configuration is as follows:

[ec2-user@ip-10-0-0-21 ~]$ sudo iptables -t nat -L --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  anywhere             anywhere             tcp dpt:webcache to:10.0.1.11:8080
2    DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:10.0.1.11:8080
3    DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:10.0.1.11:8080
4    DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:10.0.1.11:8080

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  ip-10-0-0-0.ap-southeast-1.compute.internal/16  anywhere
2    MASQUERADE  all  --  ip-10-0-1-0.ap-southeast-1.compute.internal/24  anywhere
[ec2-user@ip-10-0-0-21 ~]$ sudo iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to XX.XX.XX.XX

Despite these settings, I still get an ERR_CONNECTION_TIMED_OUT error when I try to connect to the public DNS of the NAT server. If my connection request reached the Apache server, I should at least get a 404.

I have checked the connectivity of my web server (in the private subnet) to the internet through the NAT server. When I ping / wget google.com, I get valid responses.

[ec2-user@ip-10-0-1-11 ~]$ ping google.com
PING google.com (173.194.117.97) 56(84) bytes of data.
64 bytes from sin01s17-in-f1.1e100.net (173.194.117.97): icmp_seq=1 ttl=56 time=3.54 ms
64 bytes from sin01s17-in-f1.1e100.net (173.194.117.97): icmp_seq=2 ttl=56 time=3.57 ms
64 bytes from sin01s17-in-f1.1e100.net (173.194.117.97): icmp_seq=3 ttl=56 time=3.65 ms
64 bytes from sin01s17-in-f1.1e100.net (173.194.117.97): icmp_seq=4 ttl=56 time=3.79 ms
64 bytes from sin01s17-in-f1.1e100.net (173.194.117.97): icmp_seq=5 ttl=56 time=3.61 ms
^C
--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4990ms
rtt min/avg/max/mdev = 3.546/3.637/3.799/0.116 ms
[ec2-user@ip-10-0-1-11 ~]$ wget google.com
--2015-09-02 05:22:01--  http://google.com/
Resolving google.com (google.com)... 173.194.117.96, 173.194.117.97, 173.194.117.98, ...
Connecting to google.com (google.com)|173.194.117.96|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.1’

index.html.1                                [ <=>                                                                              ]  10.97K  --.-KB/s   in 0.001s

2015-09-02 05:22:02 (12.7 MB/s) - ‘index.html.1’ saved [11230]

Can someone point out what is wrong with this setup?

Additional info: the logs show that whenever I ping the public IP of the NAT server, some garbage requests reach my web server. I have no idea why.

10.0.0.21 - - [02/Sep/2015:06:12:41 +0000] "??]7{]?zɳM?˗?9?G?68???l?xW???D?+?/?,?0?????#?'? ??$?(? " 400 -
10.0.0.21 - - [02/Sep/2015:06:12:41 +0000] "????]f???}???Q?ݹ?U}??????A?#?0D?+?/?,?0?????#?'? ??$?(? " 400 -
10.0.0.21 - - [02/Sep/2015:06:12:42 +0000] "???????{}?hA???????
                                                               j?W??P?ߠD?+?/?,?0?????#?'? ??$?(? " 400 -
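Added example (not part of the question, and not code from any answer): a small Python audit script that parses the `iptables -t nat -L --line-numbers` listing quoted above, embedded here as constructed sample input, and reports three things worth checking in this setup: identical DNAT rules (rules 2 and 3 are the same), port 443 forwarded to the same plaintext port 8080 that HTTP is forwarded to (a TLS ClientHello that lands on a plain-HTTP listener is logged by the backend as a 400 with binary junk in the request line, which is what the access-log lines above look like), and a listing taken without `-v -n`, so there are no per-rule packet counters or interface columns to show whether the DNAT rule is ever matched. The service-name-to-port map, the function names and the finding wording are my own assumptions, not anything the question states.

```python
"""Audit a NAT instance's `iptables -t nat -L --line-numbers` listing for
port-forwarding mistakes that surface as timeouts or junk requests at the backend.
Constructed example; not code from the question or from any answer."""
import re
from collections import Counter

# Constructed sample input: the listing quoted in the question.
SAMPLE_NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  anywhere             anywhere             tcp dpt:webcache to:10.0.1.11:8080
2    DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:10.0.1.11:8080
3    DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:10.0.1.11:8080
4    DNAT       tcp  --  anywhere             anywhere             tcp dpt:https to:10.0.1.11:8080

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  ip-10-0-0-0.ap-southeast-1.compute.internal/16  anywhere
2    MASQUERADE  all  --  ip-10-0-1-0.ap-southeast-1.compute.internal/24  anywhere
"""

# Service names iptables prints instead of numbers when run without -n
# (assumed subset of /etc/services; extend as needed).
SERVICE_PORTS = {"http": 80, "https": 443, "webcache": 8080}

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
# num target prot opt source destination [extra match/target options]
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def port_number(name):
    """Map a service name (or numeric string) to a port number."""
    return SERVICE_PORTS.get(name) or int(name)


def parse_nat_listing(text):
    """Return one dict per rule: chain, num, target, proto, src, dst, dport, to."""
    rules, chain = [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE_RE.match(line)
        if not m or chain is None:
            continue  # column header lines and blanks
        num, target, proto, _opt, src, dst, extra = m.groups()
        rule = {"chain": chain, "num": int(num), "target": target, "proto": proto,
                "src": src, "dst": dst, "dport": None, "to": None}
        d = re.search(r"dpt:(\S+)", extra)
        if d:
            rule["dport"] = port_number(d.group(1))
        t = re.search(r"to:(\S+)", extra)
        if t:
            host, _, port = t.group(1).rpartition(":")
            rule["to"] = (host, int(port))
        rules.append(rule)
    return rules


def audit(text):
    """Return a list of (severity, message) findings for the listing."""
    rules = parse_nat_listing(text)
    findings = []
    dnat = [r for r in rules if r["chain"] == "PREROUTING" and r["target"] == "DNAT"]

    # 1. Identical DNAT rules: harmless on their own, but a sign that rules were
    #    appended blindly, and a later -D or -R may hit the wrong copy.
    dups = Counter((r["proto"], r["dport"], r["to"]) for r in dnat)
    for (proto, dport, to), n in dups.items():
        if n > 1:
            findings.append(("info", f"{n} identical DNAT rules for {proto}/{dport} "
                                     f"-> {to[0]}:{to[1]}"))

    # 2. TLS port forwarded to a port that also receives plaintext HTTP: the
    #    backend cannot speak TLS there, so browsers time out and the access log
    #    fills with 400s whose request line is the raw ClientHello.
    plain_targets = {r["to"] for r in dnat if r["dport"] in (80, 8080)}
    for r in dnat:
        if r["dport"] == 443 and r["to"] in plain_targets:
            findings.append(("warn", f"rule {r['num']}: tcp/443 forwarded to "
                                     f"{r['to'][0]}:{r['to'][1]}, a plaintext HTTP port; "
                                     "TLS handshakes will fail and be logged as HTTP 400"))

    # 3. No counters or interface columns: without `-v -n` you cannot tell whether
    #    the DNAT rule ever matches (0 packets points at security groups, NACLs or
    #    routing before the NAT; matches without replies point at the return path).
    if not re.search(r"^\s*pkts\s+bytes", text, re.M):
        findings.append(("info", "listing has no packet counters; re-run as "
                                 "`iptables -t nat -L -v -n --line-numbers`"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_NAT_TABLE):
        print(f"[{severity}] {message}")
```

Run it as-is to audit the sample, or pipe a live listing into `audit()` via `sys.stdin.read()`. The checks deliberately stay within the nat table; whether forwarded packets are accepted at all (the filter table's FORWARD chain and `net.ipv4.ip_forward`) has to be verified separately, and the packet counters from `-v` are the quickest way to see which of those stages drops the connection.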
