Iptables rules to allow NATed devices to connect to port-forwarded services in the same network

At the moment I am using the iptables setup below, but I can't figure out how to allow traffic from the LAN to the port-forwarded services that are available on my public IP.

Situation:

  • ens3: public-facing network interface with a single public IPv4 address
  • br0: bridge interface used to connect the individual LXC containers.

Some services (for example a web server) are port-forwarded to a container attached to the bridge interface.

The following works:

  • Host-to-container traffic
  • Container-to-host traffic
  • WAN port-forwarded traffic to the containers from outside the LAN.
  • Container-to-container traffic using the LAN IPs (e.g. pinging 10.10.10.2 from 10.10.10.3)

This does not work (the problem):

  • Container-to-container traffic using the WAN IP (e.g. from 10.10.10.3, accessing the HTTP server available on 203.0.113.4:80, which is actually port-forwarded to 10.10.10.2)

This is my current configuration:

iptables

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# ens3 is WAN interface, br0 is LAN interface
# We use SNAT instead of MASQUERADING because it is faster, since it doesn't need to look up the source IP to rewrite to on every request and our public IP is static.
-A POSTROUTING -s 10.10.10.0/24 -o ens3 -j SNAT --to-source 203.0.113.4

# NAT pinhole: HTTP from WAN to LAN
-A PREROUTING -p tcp -m tcp -i ens3 --dport 80 -j DNAT --to-destination 10.10.10.200:80
-A PREROUTING -p tcp -m tcp -i ens3 --dport 443 -j DNAT --to-destination 10.10.10.200:443

COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Service rules

# basic global accept rules - ICMP, loopback, traceroute, established all accepted
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT

# enable traceroute rejections to get sent out
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable

# DNS - accept from LAN
-A INPUT -i br0 -p tcp --dport 53 -j ACCEPT
-A INPUT -i br0 -p udp --dport 53 -j ACCEPT

# SSH - accept
-A INPUT -p tcp --dport 22 -j ACCEPT

# DHCP client requests - accept from LAN
-A INPUT -i br0 -p udp --dport 67:68 -j ACCEPT

# drop all other inbound traffic
-A INPUT -j DROP

# Forwarding rules

# forward packets along established/related connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# forward from LAN (br0) to WAN (ens3)
-A FORWARD -i br0 -o ens3 -j ACCEPT

# allow traffic from HTTP NAT pinhole
-A FORWARD -p tcp -d 10.10.10.200 --dport 80 -j ACCEPT
-A FORWARD -p tcp -d 10.10.10.200 --dport 443 -j ACCEPT

# drop all other forwarded traffic
-A FORWARD -j DROP

COMMIT

sysctl.conf

net.ipv4.ip_forward=1

/etc/network/interfaces

# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

auto lo
iface lo inet loopback

auto ens3
iface ens3 inet static
        address 203.0.113.4
        netmask 255.255.255.0
        gateway 203.0.113.1
        dns-nameservers 127.0.0.1

auto br0
iface br0 inet static
        address  10.10.10.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

Which iptables rule or network configuration option am I missing here?
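The missing piece is hairpin NAT (also called NAT reflection or NAT loopback). Two things go wrong with the configuration above when 10.10.10.3 connects to 203.0.113.4:80. First, the packet enters the host on br0, not ens3, so neither `-i ens3` DNAT rule matches; the packet is then addressed to the host itself, hits the INPUT chain, and is dropped by the final `-A INPUT -j DROP` (there is no INPUT rule for port 80). Second, even once it is DNATed to 10.10.10.200, the server would answer 10.10.10.3 directly across the bridge with source 10.10.10.200, but the client is waiting for a reply from 203.0.113.4 and discards it. The DNAT therefore has to match on the public destination address instead of the ingress interface, and the client's source must be rewritten to the bridge address so the reply is routed back through the host, where conntrack undoes both translations. The nat table below, as an added example rather than part of the original post, assumes the addresses and interface names used in the question (203.0.113.4 on ens3, 10.10.10.1 on br0, web server at 10.10.10.200); the filter table can stay as posted, because its FORWARD pinhole rules already match `-d 10.10.10.200` without an interface restriction.

```iptables
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Outbound SNAT for the LAN, unchanged from the question.
-A POSTROUTING -s 10.10.10.0/24 -o ens3 -j SNAT --to-source 203.0.113.4

# NAT pinhole: match on the public destination address instead of the
# ingress interface, so one rule catches packets arriving from the WAN
# (ens3) and from the containers (br0). Also tighter than the original:
# only traffic actually addressed to 203.0.113.4 is redirected.
-A PREROUTING -d 203.0.113.4 -p tcp -m tcp --dport 80  -j DNAT --to-destination 10.10.10.200:80
-A PREROUTING -d 203.0.113.4 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.10.10.200:443

# Hairpin: POSTROUTING sees the post-DNAT destination. When the client is
# on the same subnet as the target, rewrite the source to the bridge
# address so the server's reply goes back via the host (and is un-NATed
# by conntrack) instead of straight to the client on the bridge.
-A POSTROUTING -s 10.10.10.0/24 -d 10.10.10.200 -o br0 -p tcp -m multiport --dports 80,443 -j SNAT --to-source 10.10.10.1

COMMIT
```

Two caveats. The hairpinned connections reach the web server with source address 10.10.10.1, so its access logs and any per-source rules inside the container can no longer tell the LAN clients apart; that is inherent to this technique, and the alternative is split-horizon DNS that resolves the public name to 10.10.10.200 for the containers. The rules above cover forwarded traffic only; connections the host itself makes to 203.0.113.4 go through the OUTPUT chain, which has no DNAT here. To confirm the path after loading the rules, connect from a container and check that both translations were recorded, e.g. `conntrack -L -p tcp --dport 80` on the host should show an entry with src=10.10.10.3 dst=203.0.113.4 and a reply with src=10.10.10.200 dst=10.10.10.1, and `iptables -t nat -L PREROUTING -v -n` should show the packet counters on the `-d 203.0.113.4` rules increasing.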
