Iptables DNAT with multiple interfaces

I have two machines:

MachineDev
ens5: 10.41.12.63 (the default net device)
ens8: 10.41.10.111

MachineProxy
ens5: 10.40.9.106 (the default net device)
ens6: 10.40.2.114

I want to establish a TCP connection between MachineDev and some IP, 3.117.113.6:443 (just an example), using MachineProxy as a proxy.

Here are the iptables rules I set on MachineProxy:

sudo iptables -I PREROUTING -t nat -p tcp --dport 8250 -j DNAT --to 3.117.113.6:443
sudo iptables -I POSTROUTING -t nat -p tcp -d 3.117.113.6 --dport 443 -j MASQUERADE
sudo iptables -I FORWARD -t filter -j ACCEPT

(These rules sit at the top of their chains, so they are matched first.)

Problem: I can use the DNAT proxy with MachineDev ens5 and MachineProxy ens5 8250, and everything works fine. But I cannot establish a simple TCP connection with MachineDev ens8 and MachineProxy ens6 8250. Why, and how?

MachineDev ens5 and MachineProxy ens5 are in one AWS subnet; MachineDev ens8 and MachineProxy ens6 are in another AWS subnet.

Here are some logs from my attempts to solve this. First I added a rule:

iptables -A PREROUTING -t raw -i ens6 -p tcp -m tcp -s 10.41.10.111/20  -j TRACE

And this is all the logging that appears on the system:

Aug  2 12:03:06 ip-10-40-9-106 kernel: [ 4750.945947] TRACE: raw:PREROUTING:policy:3 IN=ens6 OUT= MAC=06:35:e3:6c:6d:b9:06:b5:d6:be:37:d1:08:00 SRC=10.41.10.111 DST=10.40.2.114 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57725 DF PROTO=TCP SPT=37888 DPT=8250 SEQ=3375071032 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A395228250000000001030307)
Aug  2 12:03:06 ip-10-40-9-106 kernel: [ 4750.945975] TRACE: nat:PREROUTING:rule:2 IN=ens6 OUT= MAC=06:35:e3:6c:6d:b9:06:b5:d6:be:37:d1:08:00 SRC=10.41.10.111 DST=10.40.2.114 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57725 DF PROTO=TCP SPT=37888 DPT=8250 SEQ=3375071032 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A395228250000000001030307)
Aug  2 12:03:06 ip-10-40-9-106 kernel: [ 4750.945984] TRACE: filter:FORWARD:policy:1 IN=ens6 OUT=ens5 MAC=06:35:e3:6c:6d:b9:06:b5:d6:be:37:d1:08:00 SRC=10.41.10.111 DST=3.117.113.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57725 DF PROTO=TCP SPT=37888 DPT=443 SEQ=3375071032 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A395228250000000001030307)
Aug  2 12:03:06 ip-10-40-9-106 kernel: [ 4750.945991] TRACE: nat:POSTROUTING:rule:2 IN=ens6 OUT=ens5 MAC=06:35:e3:6c:6d:b9:06:b5:d6:be:37:d1:08:00 SRC=10.41.10.111 DST=3.117.113.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57725 DF PROTO=TCP SPT=37888 DPT=443 SEQ=3375071032 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A395228250000000001030307)
Aug  2 12:03:07 ip-10-40-9-106 kernel: [ 4751.975233] TRACE: raw:PREROUTING:policy:3 IN=ens6 OUT= MAC=06:35:e3:6c:6d:b9:06:b5:d6:be:37:d1:08:00 SRC=10.41.10.111 DST=10.40.2.114 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57726 DF PROTO=TCP SPT=37888 DPT=8250 SEQ=3375071032 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A39522C2A0000000001030307)
Aug  2 12:03:07 ip-10-40-9-106 kernel: [ 4751.975253] TRACE: filter:FORWARD:policy:1 IN=ens6 OUT=ens5 MAC=06:35:e3:6c:6d:b9:06:b5:d6:be:37:d1:08:00 SRC=10.41.10.111 DST=3.117.113.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57726 DF PROTO=TCP SPT=37888 DPT=443 SEQ=3375071032 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A39522C2A0000000001030307)
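The kernel TRACE output above is the right evidence to work from, and it can be read mechanically rather than by eye. The following is an added example, not part of the question: a small Python parser that groups the TRACE lines by IP ID, follows each packet through the tables and chains in order, shows the destination before and after translation, notes when the nat:PREROUTING hop is absent because conntrack already held the mapping (the nat table is only consulted for the first packet of a connection), and flags a SYN that carries the same sequence number as an earlier SYN from the same source port, which is a client retransmission and therefore means no SYN-ACK came back through the proxy. The five log lines are copied from the question; the function and variable names are this example's own.

```python
"""Follow packets through iptables TRACE output (added example, not from the question)."""
import re
from collections import OrderedDict

# Kernel TRACE lines copied from the question above (two SYNs, IP IDs 57725 and 57726).
TRACE_LOG = """\
Aug  2 12:03:06 ip-10-40-9-106 kernel: [ 4750.945947] TRACE: raw:PREROUTING:policy:3 IN=ens6 OUT= MAC=06:35:e3:6c:6d:b9:06:b5:d6:be:37:d1:08:00 SRC=10.41.10.111 DST=10.40.2.114 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57725 DF PROTO=TCP SPT=37888 DPT=8250 SEQ=3375071032 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A395228250000000001030307)
Aug  2 12:03:06 ip-10-40-9-106 kernel: [ 4750.945975] TRACE: nat:PREROUTING:rule:2 IN=ens6 OUT= MAC=06:35:e3:6c:6d:b9:06:b5:d6:be:37:d1:08:00 SRC=10.41.10.111 DST=10.40.2.114 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57725 DF PROTO=TCP SPT=37888 DPT=8250 SEQ=3375071032 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A395228250000000001030307)
Aug  2 12:03:06 ip-10-40-9-106 kernel: [ 4750.945984] TRACE: filter:FORWARD:policy:1 IN=ens6 OUT=ens5 MAC=06:35:e3:6c:6d:b9:06:b5:d6:be:37:d1:08:00 SRC=10.41.10.111 DST=3.117.113.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57725 DF PROTO=TCP SPT=37888 DPT=443 SEQ=3375071032 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A395228250000000001030307)
Aug  2 12:03:06 ip-10-40-9-106 kernel: [ 4750.945991] TRACE: nat:POSTROUTING:rule:2 IN=ens6 OUT=ens5 MAC=06:35:e3:6c:6d:b9:06:b5:d6:be:37:d1:08:00 SRC=10.41.10.111 DST=3.117.113.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57725 DF PROTO=TCP SPT=37888 DPT=443 SEQ=3375071032 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A395228250000000001030307)
Aug  2 12:03:07 ip-10-40-9-106 kernel: [ 4751.975233] TRACE: raw:PREROUTING:policy:3 IN=ens6 OUT= MAC=06:35:e3:6c:6d:b9:06:b5:d6:be:37:d1:08:00 SRC=10.41.10.111 DST=10.40.2.114 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=57726 DF PROTO=TCP SPT=37888 DPT=8250 SEQ=3375071032 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A39522C2A0000000001030307)
Aug  2 12:03:07 ip-10-40-9-106 kernel: [ 4751.975253] TRACE: filter:FORWARD:policy:1 IN=ens6 OUT=ens5 MAC=06:35:e3:6c:6d:b9:06:b5:d6:be:37:d1:08:00 SRC=10.41.10.111 DST=3.117.113.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57726 DF PROTO=TCP SPT=37888 DPT=443 SEQ=3375071032 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B40402080A39522C2A0000000001030307)
"""

# "TRACE: <table>:<chain>:<rule|policy|return>:<n> <key=value ...>"
HOP_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>rule|policy|return):(?P<num>\d+) (?P<rest>.*)"
)


def parse_hop(line):
    """Parse one TRACE line into a dict of header fields; None for non-TRACE lines."""
    m = HOP_RE.search(line)
    if m is None:
        return None
    hop = {"table": m["table"], "chain": m["chain"], "kind": m["kind"],
           "num": int(m["num"]), "flags": set()}
    for tok in m["rest"].split():
        if "=" in tok:                      # IN=ens6, DST=10.40.2.114, "OUT=" -> ""
            key, val = tok.split("=", 1)
            hop[key] = val
        elif tok.isalpha() and tok.isupper() and tok != "OPT":
            hop["flags"].add(tok)           # bare flag words: DF, SYN, ACK, ...
    return hop


def group_packets(log_text):
    """Group hops by (SRC, SPT, IP ID) so one packet's traversal stays together, in log order."""
    packets = OrderedDict()
    for line in log_text.splitlines():
        hop = parse_hop(line)
        if hop is not None:
            packets.setdefault((hop["SRC"], hop["SPT"], hop["ID"]), []).append(hop)
    return packets


def analyse(packets):
    """Summarise each packet: chain path, translation, and SYN-retransmit detection."""
    seen_syn = {}                           # (SRC, SPT, SEQ) -> IP ID of the first SYN seen
    results = []
    for (src, spt, ip_id), hops in packets.items():
        first, last = hops[0], hops[-1]
        path = [f"{h['table']}:{h['chain']}:{h['kind']}:{h['num']}" for h in hops]
        before = f"{first['DST']}:{first.get('DPT', '')}"
        after = f"{last['DST']}:{last.get('DPT', '')}"
        nat_hop = next((h for h in hops if (h["table"], h["chain"]) == ("nat", "PREROUTING")), None)
        if nat_hop is not None:
            translated_by = f"nat:PREROUTING rule {nat_hop['num']}"
        elif before != after:
            translated_by = "conntrack (existing entry)"   # nat table skipped: mapping already known
        else:
            translated_by = None
        is_syn = "SYN" in first["flags"] and "ACK" not in first["flags"]
        syn_key = (src, spt, first.get("SEQ"))
        retransmit = is_syn and syn_key in seen_syn      # same SEQ again => client saw no SYN-ACK
        if is_syn:
            seen_syn.setdefault(syn_key, ip_id)
        results.append({"id": ip_id, "in": first.get("IN", ""), "out": last.get("OUT", ""),
                        "path": path, "before": before, "after": after,
                        "translated": before != after, "translated_by": translated_by,
                        "syn_retransmit": retransmit})
    return results


def describe(summary):
    """Render one packet summary as a single human-readable line."""
    parts = [f"ID={summary['id']} {summary['in']}->{summary['out'] or '(local)'}",
             " > ".join(summary["path"])]
    if summary["translated"]:
        parts.append(f"DNAT {summary['before']} -> {summary['after']} via {summary['translated_by']}")
    if summary["syn_retransmit"]:
        parts.append("SYN RETRANSMIT (same SEQ as an earlier SYN): no SYN-ACK reached the client")
    return " | ".join(parts)


if __name__ == "__main__":
    for s in analyse(group_packets(TRACE_LOG)):
        print(describe(s))
```

Run against a live box, the same parser reads `journalctl -k` or `/var/log/kern.log` output; the `kind` field also tells you whether a forwarded packet was accepted by an explicit rule (`rule:N`) or only by the chain policy (`policy:N`), which is worth checking when auditing which rule actually let the traffic through.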
