Local LAN blocks traffic to the public NAT 1:1 IP

I have the following network setup:

xxx.xxx.xxx.xxx -> nat 1:1 -> 192.168.0.2 -> 80 port forward -> 192.168.0.10
       ^                           ^                                 ^
       |                           |                                 |
    internet                      VM1                               VM2

When I try to reach xxx.xxx.xxx.xxx:80 from a public device (for example my phone) everything works, so I get the web page from 192.168.0.10:80.

The problem is: when I try to reach xxx.xxx.xxx.xxx:80 from a LAN client (for example 192.168.0.150, on the same network as VM1), I cannot reach the web server (192.168.0.10:80); the connection times out.

This is the configuration:

VM1 with dev ens32 -> 192.168.0.2
net.ipv4.ip_forward=1
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t nat -A PREROUTING -p tcp -i ens32 --dport 80  -j DNAT --to-destination 192.168.0.10:80
/sbin/iptables -t nat -A PREROUTING -p tcp -i ens32 --dport 443 -j DNAT --to-destination 192.168.0.10:443
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.10 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.10 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o ens32 -j MASQUERADE

Update: tcpdump trace recorded for a request from the client (192.168.0.150)

16:48:16.227785 IP 192.168.0.150.47391 > 192.168.0.2.https: Flags [S], seq 3088549798, win 65535, options [mss 1460,sackOK,TS val 126143387 ecr 0,nop,wscale 9], length 0
16:48:16.227869 IP 192.168.0.2.47391 > 192.168.0.10.https: Flags [S], seq 3088549798, win 65535, options [mss 1460,sackOK,TS val 126143387 ecr 0,nop,wscale 9], length 0
16:48:16.228268 IP 192.168.0.10.https > 192.168.0.2.47391: Flags [S.], seq 371329525, ack 3088549799, win 28960, options [mss 1460,sackOK,TS val 378079 ecr 126143387,nop,wscale 7], length 0
16:48:16.228296 IP 192.168.0.2.https > 192.168.0.150.47391: Flags [S.], seq 371329525, ack 3088549799, win 28960, options [mss 1460,sackOK,TS val 378079 ecr 126143387,nop,wscale 7], length 0
16:48:16.234087 IP 192.168.0.150.47391 > 192.168.0.2.https: Flags [R], seq 3088549799, win 0, length 0
16:48:16.234113 IP 192.168.0.2.47391 > 192.168.0.10.https: Flags [R], seq 3088549799, win 0, length 0
16:48:16.466921 IP 192.168.0.150.47393 > 192.168.0.2.https: Flags [S], seq 1316556207, win 65535, options [mss 1460,sackOK,TS val 126143412 ecr 0,nop,wscale 9], length 0
16:48:16.466969 IP 192.168.0.2.47393 > 192.168.0.10.https: Flags [S], seq 1316556207, win 65535, options [mss 1460,sackOK,TS val 126143412 ecr 0,nop,wscale 9], length 0
16:48:16.467335 IP 192.168.0.10.https > 192.168.0.2.47393: Flags [S.], seq 1172572926, ack 1316556208, win 28960, options [mss 1460,sackOK,TS val 378138 ecr 126143412,nop,wscale 7], length 0
16:48:16.467360 IP 192.168.0.2.https > 192.168.0.150.47393: Flags [S.], seq 1172572926, ack 1316556208, win 28960, options [mss 1460,sackOK,TS val 378138 ecr 126143412,nop,wscale 7], length 0
16:48:16.469625 IP 192.168.0.150.47393 > 192.168.0.2.https: Flags [R], seq 1316556208, win 0, length 0
16:48:16.469642 IP 192.168.0.2.47393 > 192.168.0.10.https: Flags [R], seq 1316556208, win 0, length 0
16:48:17.211348 IP 192.168.0.150.47391 > 192.168.0.2.https: Flags [S], seq 3088549798, win 65535, options [mss 1460,sackOK,TS val 126143487 ecr 0,nop,wscale 9], length 0
16:48:17.211406 IP 192.168.0.2.47391 > 192.168.0.10.https: Flags [S], seq 3088549798, win 65535, options [mss 1460,sackOK,TS val 126143487 ecr 0,nop,wscale 9], length 0
16:48:17.211783 IP 192.168.0.10.https > 192.168.0.2.47391: Flags [S.], seq 386696842, ack 3088549799, win 28960, options [mss 1460,sackOK,TS val 378324 ecr 126143487,nop,wscale 7], length 0
16:48:17.211807 IP 192.168.0.2.https > 192.168.0.150.47391: Flags [S.], seq 386696842, ack 3088549799, win 28960, options [mss 1460,sackOK,TS val 378324 ecr 126143487,nop,wscale 7], length 0
16:48:17.214283 IP 192.168.0.150.47391 > 192.168.0.2.https: Flags [R], seq 3088549799, win 0, length 0
16:48:17.214301 IP 192.168.0.2.47391 > 192.168.0.10.https: Flags [R], seq 3088549799, win 0, length 0
16:48:17.472667 IP 192.168.0.150.47393 > 192.168.0.2.https: Flags [S], seq 1316556207, win 65535, options [mss 1460,sackOK,TS val 126143512 ecr 0,nop,wscale 9], length 0
16:48:17.472717 IP 192.168.0.2.47393 > 192.168.0.10.https: Flags [S], seq 1316556207, win 65535, options [mss 1460,sackOK,TS val 126143512 ecr 0,nop,wscale 9], length 0
16:48:17.473002 IP 192.168.0.10.https > 192.168.0.2.47393: Flags [S.], seq 1188287718, ack 1316556208, win 28960, options [mss 1460,sackOK,TS val 378390 ecr 126143512,nop,wscale 7], length 0
16:48:17.473017 IP 192.168.0.2.https > 192.168.0.150.47393: Flags [S.], seq 1188287718, ack 1316556208, win 28960, options [mss 1460,sackOK,TS val 378390 ecr 126143512,nop,wscale 7], length 0
16:48:17.476317 IP 192.168.0.150.47393 > 192.168.0.2.https: Flags [R], seq 1316556208, win 0, length 0
16:48:17.476343 IP 192.168.0.2.47393 > 192.168.0.10.https: Flags [R], seq 1316556208, win 0, length 0
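Read from the client side, the trace above shows every SYN to 192.168.0.2:443 answered by a SYN-ACK that 192.168.0.150 resets within a few milliseconds: the reply comes straight back from the inner host on the same LAN rather than through the 1:1 NAT the client addressed, so no local socket matches it (the usual hairpin / NAT reflection symptom). As an added example, not part of the question, the Python below parses tcpdump lines in this format and counts, per flow, how many SYN-ACKs the client rejected with RST; the embedded packets are copied from the capture above.

```python
import re

# Constructed input: the first attempt of flow 47391 copied from the tcpdump
# capture in the question (client leg plus the DNAT leg to VM2, six packets).
TRACE = """\
16:48:16.227785 IP 192.168.0.150.47391 > 192.168.0.2.https: Flags [S], seq 3088549798, win 65535, options [mss 1460,sackOK,TS val 126143387 ecr 0,nop,wscale 9], length 0
16:48:16.227869 IP 192.168.0.2.47391 > 192.168.0.10.https: Flags [S], seq 3088549798, win 65535, options [mss 1460,sackOK,TS val 126143387 ecr 0,nop,wscale 9], length 0
16:48:16.228268 IP 192.168.0.10.https > 192.168.0.2.47391: Flags [S.], seq 371329525, ack 3088549799, win 28960, options [mss 1460,sackOK,TS val 378079 ecr 126143387,nop,wscale 7], length 0
16:48:16.228296 IP 192.168.0.2.https > 192.168.0.150.47391: Flags [S.], seq 371329525, ack 3088549799, win 28960, options [mss 1460,sackOK,TS val 378079 ecr 126143387,nop,wscale 7], length 0
16:48:16.234087 IP 192.168.0.150.47391 > 192.168.0.2.https: Flags [R], seq 3088549799, win 0, length 0
16:48:16.234113 IP 192.168.0.2.47391 > 192.168.0.10.https: Flags [R], seq 3088549799, win 0, length 0
"""

# src.port > dst.port and the TCP flags of one tcpdump line.
LINE_RE = re.compile(r'^\S+ IP (\S+) > (\S+): Flags \[([^\]]*)\]')

def parse_trace(text):
    # Flows keyed (client_ip, client_port, server_ip, server_port): the sender of a
    # bare SYN is the client; '>' marks client->server packets, '<' the reverse.
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, flags = m.groups()
        fwd = tuple(src.rsplit('.', 1) + dst.rsplit('.', 1))  # port may be a name ("https")
        rev = fwd[2:] + fwd[:2]
        if flags == 'S' or fwd in flows:
            flows.setdefault(fwd, []).append(('>', flags))
        elif rev in flows:
            flows[rev].append(('<', flags))
    return flows

def handshake_report(flows, client):
    # Per flow opened by `client`: SYNs sent and SYN-ACKs the client answered with
    # RST instead of ACK, i.e. replies that matched no socket on the client.
    report = {}
    for key, pkts in flows.items():
        if key[0] != client:
            continue
        st = {'syn': 0, 'reset_after_synack': 0}
        prev = None
        for d, f in pkts:
            if d == '>' and f == 'S':
                st['syn'] += 1
            elif d == '>' and f == 'R' and prev == ('<', 'S.'):
                st['reset_after_synack'] += 1
            prev = (d, f)
        report['%s:%s->%s:%s' % key] = st
    return report
```

Run `handshake_report(parse_trace(TRACE), '192.168.0.150')` on a full capture: a healthy flow shows resets of 0, while every attempt in the capture above is counted as a rejected SYN-ACK.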