CentOS 端口转发

CentOS 端口转发

我有以下情况:

Internet ----- Server ------- virtual machine (kvm)
             public ip           192.168.122.12
              x.x.x.x

我需要使虚拟机上的 3333 端口上的服务可从互联网访问。

可以从服务器访问服务 3333。我使用以下命令对其进行了测试:

nc -v -w 5 192.168.122.12 3333;echo $?

我收到 Ncat:已连接到 192.68.122.201:3333

我尝试过这个设置

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 3333 -j DNAT --to 192.168.122.12:3333
iptables -A FORWARD -p tcp -d 192.168.122.12 --dport 3333 -j ACCEPT

但仍然无法通过互联网访问服务。您能帮助我吗?

服务器和虚拟机都可以访问互联网。当我只使用:

socat TCP-LISTEN:3333,fork TCP:192.168.122.12:3333

并在服务器上启用 3333,一切正常。

是否可以使用 iptables 来实现?问题可能出在哪里?

更新 1 我的普通 iptables:

iptables -t nat -L -n -v

Chain PREROUTING (policy ACCEPT 20 packets, 1750 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   21  1828 PREROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   21  1828 PREROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   21  1828 PREROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 240 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   240 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POSTROUTING (policy ACCEPT 4 packets, 240 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       192.168.122.0/24     224.0.0.0/24        
    0     0 RETURN     all  --  *      *       192.168.122.0/24     255.255.255.255     
    5   260 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24    
    4   240 POSTROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    4   240 POSTROUTING_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    4   240 POSTROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 POST_public  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           [goto] 
    4   240 POST_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain POSTROUTING_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   240 POST_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    4   240 POST_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    4   240 POST_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain POST_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PREROUTING_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   16  1568 PRE_public  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           [goto] 
    5   260 PRE_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain PREROUTING_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PREROUTING_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PRE_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   21  1828 PRE_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   21  1828 PRE_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   21  1828 PRE_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain PRE_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PRE_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PRE_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

iptables -L -n -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
 1125  688K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    5   300 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    1   238 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    1   238 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    1   238 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    1   238 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   45  4548 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     ctstate RELATED,ESTABLISHED
   52 13611 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0           
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    2   113 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 1049 packets, 1272K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
 1049 1272K OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1   238 IN_public  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           [goto] 
    0     0 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    1   238 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    1   238 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    1   238 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW


Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

答案1

编辑文件/etc/sysctl.conf

net.ipv4.ip_forward = 0

重新加载sysctl -p /etc/sysctl.conf

当你访问互联网时,将你的私有 IP 伪装成你的公共 IP(无论哪个接口拥有公共 IP)

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 

将传入请求 Nat 回您的 VM 和端口 - 大概是桥接器或分接设备。

iptables -t nat -A PREROUTING -i virbr0 -p tcp --dport 3333 -j DNAT \
      --to 192.168.122.12:3333

不要把它掉在外面

iptables -A FORWARD -i virbr0 -p tcp --dport 3333 -d 192.168.122.12 -j ACCEPT

相关内容