我有一台(OpenWRT 驱动的)路由器,它有端口转发 (DNAT) 规则,可将传入的 HTTP 请求转发到我的 LAN 内的专用服务器盒。以下是相关配置位。
地址:
# ip -4 addr show br-lan
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 10.196.254.1/24 brd 10.196.254.255 scope global br-lan
valid_lft forever preferred_lft forever
# ip -4 addr show eth0.2
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
inet 95.84.164.43/22 brd 95.84.167.255 scope global eth0.2
valid_lft forever preferred_lft forever
DNAT 规则(为简洁起见,OpenWRT 使用自定义链):
# iptables -S -t nat | grep http@stratofortress
-A POSTROUTING -o br-lan -s 10.196.254.0/24 -d 10.196.254.2/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: http@stratofortress (reflection)" -j SNAT --to-source 10.196.254.1
-A PREROUTING -i br-lan -s 10.196.254.0/24 -d 95.84.164.43/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: http@stratofortress (reflection)" -j DNAT --to-destination 10.196.254.2:80
-A PREROUTING -i eth0.2 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: http@stratofortress" -j DNAT --to-destination 10.196.254.2:80
这些规则对于来自互联网和局域网的请求同样有效(这要归功于 OpenWRT 的自动“NAT 反射”支持)。
但是,如果我尝试从路由器本身向其 WAN 地址发出请求,这些规则就不起作用:
# nslookup intelfx.name
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: intelfx.name
Address 1: 95.84.164.43
# curl https://intelfx.name
curl: (7) Failed to connect to intelfx.name port 443: Connection refused
我如何捕获从路由器到路由器 WAN 地址 (95.84.164.43) 的数据包并将它们 DNAT 到 LAN 内的机器 (10.196.254.2)?
答案1
nat OUTPUT 链用于本地生成的数据包:
-A OUTPUT -d 95.84.164.43/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: http@stratofortress (reflection)" -j DNAT --to-destination 10.196.254.2:80