如何将流量从特定端口转发到另一台机器?
+-----------------+ +----------------------+ +------------------------+
| client | | intermediary | | server |
| (windows) | | (debian) | | (Windows) |
| 10.10.1.30-+-----+-10.10.1.1 (eno1) | | |
+-----------------+ | 10.10.2.1 (ens6f3)-+------+-10.10.2.2 (port 3389) |
+----------------------+ +------------------------+
在此测试用例中,我尝试通过 RDP(TCP 端口 3389)从client
到。我尝试在 上server
设置规则,但未能成功:iptables
intermediary
$ sudo sysctl -a
...
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.eno1.forwarding = 0
net.ipv4.conf.ens6f3.forwarding = 0
...
$ sudo sysctl net.ipv4.conf.eno1.forwarding=1
$ sudo iptables -A PREROUTING -t nat -i eno1 -p tcp --dport 3389 -j DNAT --to 10.10.2.2:3389
$ sudo iptables -A FORWARD -p tcp -d 10.10.2.2 --dport 3389 -j ACCEPT
$ sudo iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- eno1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 to 10.10.2.2:3389
我现在正尝试通过 RDP 从 10.10.1.30 连接到 10.10.1.1。我期望登录到 10.10.2.2,但该端口没有响应。
我究竟做错了什么?
我也尝试过:
$ sudo sysctl net.ipv4.ip_forward=1
$ sudo iptables -A FORWARD -i eno1 -o ens6f3 -p tcp --syn --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
$ sudo iptables -A FORWARD -i eno1 -o ens6f3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -A FORWARD -i ens6f3 -o en01 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT