I hope this is a quick iptables question.
We are running this in iptables:
-A PREROUTING -i eth0 -p udp -m udp --dport 57875 -j REDIRECT --to-ports 5060
and then we also have:
-A INPUT -p udp -m udp --dport 57875 -j ACCEPT
What we want is to allow access to port 5060 only through the redirect from 57875, not directly on 5060, but the two lines above do not achieve that.
How can we achieve this?
[root@dev1 ~]# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
fail2ban-FTP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 21
fail2ban-apache-auth tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80
fail2ban-SIP all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-SIP all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-BadBots tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fail2ban-recidive all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:57875
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:57875
ACCEPT all -- 192.168.90.0/24 0.0.0.0/0
ACCEPT all -- 192.168.87.0/24 0.0.0.0/0
ACCEPT all -- 192.168.187.0/24 0.0.0.0/0
ACCEPT all -- 192.168.77.0/24 0.0.0.0/0
ACCEPT all -- 199.91.70.160/27 0.0.0.0/0
ACCEPT all -- 108.23.78.98 0.0.0.0/0
ACCEPT tcp -- 100.9.107.47 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 100.9.107.47 0.0.0.0/0 tcp dpt:80
ACCEPT udp -- 67.212.84.21 0.0.0.0/0
ACCEPT udp -- 50.22.102.242 0.0.0.0/0
ACCEPT udp -- 50.22.101.14 0.0.0.0/0
ACCEPT udp -- 72.9.149.25 0.0.0.0/0
ACCEPT udp -- 176.9.39.206 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-BadBots (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-FTP (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-SIP (2 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-apache-auth (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-recidive (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
[root@dev1 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT udp -- anywhere anywhere udp dpt:57875 redir ports 5060
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Answer 1
Try using nat in the first rule.
iptables -t nat -A PREROUTING -i eth0 -p udp -m udp --dport 57875 -j REDIRECT --to-port 5060
If you run into the problem again, run these commands and post their output:
iptables -L -n
iptables -t nat -L
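Added example (not part of the question or the answer above): a small Python model of why the two quoted rules do not give the intended result, and of one rule that does. It follows the traversal order iptables actually uses for an incoming packet: nat PREROUTING runs first, so REDIRECT rewrites the destination port to 5060 before the filter INPUT chain ever looks at it; an INPUT rule matching --dport 57875 therefore never sees a redirected packet, and a rule matching --dport 5060 on its own would also admit direct traffic to 5060. What conntrack still knows is the destination port before NAT, which is what the real -m conntrack --ctorigdstport match tests. The simulation below models only the two rules the poster quoted and the INPUT chain's DROP policy (it ignores the rest of the listed ruleset, in particular the unconditional ACCEPT in INPUT); the rule tables, Packet class and verdict() helper are constructed here for illustration and are not iptables code.

```python
"""Simplified model of an incoming UDP packet passing through nat PREROUTING
(REDIRECT rewrites the destination port) and then filter INPUT (which sees
the rewritten port). Constructed for illustration; not iptables itself."""

from dataclasses import dataclass, field


@dataclass
class Packet:
    proto: str
    dport: int
    in_iface: str = "eth0"
    # conntrack's record of the destination port as it was before NAT;
    # this is what '-m conntrack --ctorigdstport' matches on
    ct_orig_dport: int = field(init=False)

    def __post_init__(self):
        self.ct_orig_dport = self.dport


def nat_prerouting(pkt, rules):
    """First matching REDIRECT rule rewrites the destination port."""
    for r in rules:
        if (pkt.proto == r["proto"] and pkt.dport == r["dport"]
                and pkt.in_iface == r["in"]):
            pkt.dport = r["to_port"]
            break
    return pkt


def filter_input(pkt, rules, policy="DROP"):
    """First match wins; otherwise the chain policy applies."""
    for r in rules:
        if r.get("proto") not in (None, pkt.proto):
            continue
        if r.get("dport") not in (None, pkt.dport):
            continue
        if r.get("ctorigdstport") not in (None, pkt.ct_orig_dport):
            continue
        return r["target"]
    return policy


# iptables -t nat -A PREROUTING -i eth0 -p udp --dport 57875 -j REDIRECT --to-ports 5060
NAT_PREROUTING = [{"proto": "udp", "in": "eth0", "dport": 57875, "to_port": 5060}]

# The poster's INPUT rule: matches 57875, which no redirected packet carries any more.
INPUT_ORIGINAL = [{"proto": "udp", "dport": 57875, "target": "ACCEPT"}]

# Accept 5060 only when conntrack says the packet was originally sent to 57875:
# iptables -A INPUT -p udp --dport 5060 -m conntrack --ctorigdstport 57875 -j ACCEPT
INPUT_FIXED = [{"proto": "udp", "dport": 5060, "ctorigdstport": 57875,
                "target": "ACCEPT"}]


def verdict(dport, input_rules, in_iface="eth0"):
    """Return (port as seen by INPUT, INPUT verdict) for a UDP packet."""
    pkt = nat_prerouting(Packet("udp", dport, in_iface), NAT_PREROUTING)
    return pkt.dport, filter_input(pkt, input_rules)


if __name__ == "__main__":
    for label, rules in (("original", INPUT_ORIGINAL), ("fixed", INPUT_FIXED)):
        for port in (57875, 5060):
            print(label, "udp dport", port, "->", verdict(port, rules))
    # Packets arriving on an interface other than eth0 are never redirected
    print("original, udp dport 57875 via eth1 ->",
          verdict(57875, INPUT_ORIGINAL, in_iface="eth1"))
```

With the original INPUT rule, a packet sent to 57875 reaches INPUT with destination port 5060 and is dropped by the policy, and a packet sent straight to 5060 is dropped too, so neither path works. With the conntrack-qualified rule, only the redirected packet is accepted, which is the behaviour the question asks for. The last line of the run shows a side effect of the -i eth0 qualifier: a packet to 57875 arriving on any other interface is not redirected and is accepted as-is by the original rule.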