Second interface does not redirect traffic

I am trying to set up a redirector that NATs HTTPS traffic destined for (eth0) 172.31.14.66 -> 1.1.1.1 and HTTP traffic destined for (eth1) 172.31.14.48 -> 2.2.2.2.

Here are my iptables rules:

iptables -i eth0 -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -i eth0 -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 1.1.1.1:443

iptables -i eth1 -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -i eth1 -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 2.2.2.2:443

iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD -j ACCEPT
iptables -P FORWARD ACCEPT
sysctl net.ipv4.ip_forward=1

The first redirect, (eth0) 172.31.14.66 -> 1.1.1.1, works fine, but the second redirect does not seem to send any traffic. Here is the tcpdump on the redirector when I try to curl 172.31.14.66 from another host:

root@ip-172-31-13-215:/home/ubuntu# tcpdump -i any "port 443"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:09:06.348756 IP 99.244.96.100.59067 > 172.31.14.48.https: Flags [S], seq 3621687339, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1986088032 ecr 0,sackOK,eol], length 0
16:09:07.352414 IP 99.244.96.100.59067 > 172.31.14.48.https: Flags [S], seq 3621687339, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1986089032 ecr 0,sackOK,eol], length 0
16:09:08.358737 IP 99.244.96.100.59067 > 172.31.14.48.https: Flags [S], seq 3621687339, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1986090033 ecr 0,sackOK,eol], length 0
16:09:09.350781 IP 99.244.96.100.59067 > 172.31.14.48.https: Flags [S], seq 3621687339, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1986091034 ecr 0,sackOK,eol], length 0
16:09:10.355483 IP 99.244.96.100.59067 > 172.31.14.48.https: Flags [S], seq 3621687339, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 1986092034 ecr 0,sackOK,eol], length 0

I also noticed that the iptables rule is receiving the curl traffic:

root@ip-172-31-13-215:/home/ubuntu# iptables -vL -t nat -n
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   22  1348 DNAT       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:2.2.2.2:443
[...SNIP...]

While investigating, I found that changing my default route interface from eth0 to eth1 fixes my second route (eth1) but breaks the first route (eth0). Does anyone know why the routing table causes this problem?

By the way, I noticed that when I change the default route, I can also no longer ssh into my host using the eth0 Elastic IP and have to ssh in using the eth1 Elastic IP instead. Does anyone know why this happens as well? Thanks!

Edit: here is my network information:

ubuntu@ip-172-31-13-215:~$ ip route
default via 172.31.0.1 dev eth0 proto dhcp src 172.31.13.215 metric 100
172.31.0.0/20 dev eth1 proto kernel scope link src 172.31.14.48
172.31.0.0/20 dev eth0 proto kernel scope link src 172.31.14.66
172.31.0.1 dev eth0 proto dhcp scope link src 172.31.13.215 metric 100

root@ip-172-31-13-215:/home/ubuntu# ip route show table 1000
default via 172.31.0.1 dev eth1 proto static
172.31.5.60 dev eth1 proto static scope link
172.31.14.48 dev eth1 proto static scope link

root@ip-172-31-13-215:/home/ubuntu# ip rule
0:      from all lookup local
0:      from 172.31.14.48 lookup 1000
0:      from 172.31.5.60 lookup 1000
32766:  from all lookup main
32767:  from all lookup default

root@ip-172-31-13-215:/home/ubuntu# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 06:15:21:49:f1:60 brd ff:ff:ff:ff:ff:ff
    inet 172.31.14.66/20 brd 172.31.15.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 172.31.13.215/20 brd 172.31.15.255 scope global secondary dynamic eth0
       valid_lft 3410sec preferred_lft 3410sec
    inet6 fe80::415:21ff:fe49:f160/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 06:bf:45:aa:7a:16 brd ff:ff:ff:ff:ff:ff
    inet 172.31.14.48/20 brd 172.31.15.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet 172.31.5.60/20 brd 172.31.15.255 scope global secondary eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::4bf:45ff:feaa:7a16/64 scope link
       valid_lft forever preferred_lft forever
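The `ip rule` and `ip route` output above is enough to model where the kernel's routing step ends up for a packet arriving on each interface. The following is an added illustration (not part of the original post): a small Python model of Linux policy routing applied to the tables shown, plus a strict reverse-path check, to show why the interface holding the default route decides which side works once nat PREROUTING has already rewritten the destination. It assumes the eth1 SYNs are being dropped by a strict reverse-path check after DNAT, which the post itself does not confirm, and it simplifies lookups to longest-prefix match without metrics.

```python
import ipaddress

# Constructed model of the post's `ip rule` / `ip route` output, not the kernel's FIB.
# A table is a list of (prefix, egress device); a rule is (priority, source selector, table).
TABLE_1000 = [("0.0.0.0/0", "eth1"), ("172.31.5.60/32", "eth1"), ("172.31.14.48/32", "eth1")]

def main_table(default_dev):
    """The post's main table, parameterised on which interface holds the default route."""
    return [("0.0.0.0/0", default_dev), ("172.31.0.0/20", "eth1"),
            ("172.31.0.0/20", "eth0"), ("172.31.0.1/32", "eth0")]

def rules(default_dev):
    return [(0, "172.31.14.48/32", TABLE_1000),
            (0, "172.31.5.60/32", TABLE_1000),
            (32766, None, main_table(default_dev))]  # `from all lookup main`

def lookup(table, dst):
    """Longest-prefix match within one table; returns the egress device or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def route(src, dst, default_dev="eth0"):
    """Policy routing: the first rule (by priority) whose selector matches src and whose
    table holds a route to dst decides the egress device."""
    src = ipaddress.ip_address(src)
    for _, selector, table in sorted(rules(default_dev), key=lambda r: r[0]):
        if selector is None or src in ipaddress.ip_network(selector):
            dev = lookup(table, dst)
            if dev is not None:
                return dev
    return None

def strict_rpf_ok(pkt_src, pkt_dst, ingress_dev, default_dev="eth0"):
    """Strict reverse-path check as the routing step sees the packet, i.e. after nat PREROUTING
    has rewritten the destination: the device we would use to reach pkt_src must be the ingress."""
    return route(pkt_dst, pkt_src, default_dev) == ingress_dev

if __name__ == "__main__":
    client = "99.244.96.100"  # the SYN source seen in the post's tcpdump
    # Before DNAT the destination still matches `from 172.31.14.48 lookup 1000`, so eth1 is expected.
    print(strict_rpf_ok(client, "172.31.14.48", "eth1"))          # True
    # After DNAT to 2.2.2.2 only the main table applies, and its default route points at eth0.
    print(strict_rpf_ok(client, "2.2.2.2", "eth1"))               # False
    print(strict_rpf_ok(client, "1.1.1.1", "eth0"))               # True
    print(strict_rpf_ok(client, "2.2.2.2", "eth1", default_dev="eth1"))  # True: moving the default flips it
```

The same model explains the symmetric failure in the post: with the default route on eth1, the eth0 side is the one whose reverse path no longer matches its ingress interface.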