Redirecting an IP to a specific port


I want to build a system with several subdomains. I use DNS to point each subdomain at an IP address.

I am using random IP addresses in this question.

165.93.198.34 x.mydomain.com (actually 165.93.198.220:8080)

165.93.198.38 z.mydomain.com (actually 165.93.198.220:81)

165.93.198.44 c.mydomain.com (actually 165.93.198.220:443)

165.93.198.220 mydomain.com

Using iptables, when a request arrives at the IP address 165.93.198.34, I want it to be served from 165.93.198.220:8080.

iptables -t nat -A PREROUTING -p tcp -d 165.93.198.34  --jump DNAT --to-destination 165.93.198.220:8080

But I can't get PREROUTING to work.

[root@static ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:down
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:81
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@static ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             165.93.198.34-iprovider.com to:165.93.198.220:8080

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

What am I doing wrong?

Answer 1

If your destination IP (165.93.198.220) is another system on the network

Add an ACCEPT rule to the FORWARD chain, like this:

iptables -A FORWARD -p tcp -d 165.93.198.220 --dport 8080 -j ACCEPT

Also check whether IP forwarding is enabled:

sysctl net.ipv4.ip_forward

If it is not set to 1, enable it dynamically with:

sysctl -w net.ipv4.ip_forward=1

or

echo 1 > /proc/sys/net/ipv4/ip_forward

To make it persistent across reboots, edit /etc/sysctl.conf and add the following line:

net.ipv4.ip_forward = 1

If your destination IP (165.93.198.220) is on the local machine

Add an ACCEPT rule to the INPUT chain, like this:

iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
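As an added example (not the question's or the answer's own commands), the script below assembles the DNAT, ACCEPT and ip_forward settings the answer describes for all three of the question's subdomain addresses, covering both the "another host" and "local machine" cases. The IPT/SYSCTL dry-run variables and the FRONT_PORT=80 restriction are assumptions of this example, not part of the original post.

```shell
#!/bin/sh
# Added example, not code from the original post or answer: generate the
# PREROUTING DNAT rules for the question's three subdomain addresses plus the
# matching ACCEPT rules and ip_forward setting the answer describes.
# Dry-run by default (commands are printed); set IPT=iptables SYSCTL=sysctl
# to apply them as root. FRONT_PORT=80 is an assumption: the original rule
# matched every TCP port on the address, this one matches only the HTTP port.

IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"
FRONT_PORT="${FRONT_PORT:-80}"

# "public-ip backend-ip backend-port", taken from the question's placeholder IPs
MAPPINGS="
165.93.198.34 165.93.198.220 8080
165.93.198.38 165.93.198.220 81
165.93.198.44 165.93.198.220 443
"

# build_rules local|forward
#   local   - 165.93.198.220 is an address of this host (packets end in INPUT)
#   forward - 165.93.198.220 is another host (packets traverse FORWARD)
build_rules() {
    mode="$1"
    if [ "$mode" = forward ]; then
        # The FORWARD chain in the question has only a catch-all REJECT, so
        # appending (-A) would never match; -I puts the ACCEPTs ahead of it.
        # Return traffic must also pass FORWARD, and the backend must route its
        # replies back through this host so conntrack can undo the DNAT.
        $IPT -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
        $SYSCTL -w net.ipv4.ip_forward=1
    fi
    printf '%s\n' "$MAPPINGS" | while read -r pub backend port; do
        [ -n "$pub" ] || continue
        # Rewrite the destination before routing, only for the front port.
        $IPT -t nat -A PREROUTING -p tcp -d "$pub" --dport "$FRONT_PORT" \
            -j DNAT --to-destination "$backend:$port"
        # After DNAT the packet carries the backend address and port, so the
        # filter rule must match those, not the public address.
        if [ "$mode" = forward ]; then
            $IPT -I FORWARD -p tcp -d "$backend" --dport "$port" -m state --state NEW -j ACCEPT
        else
            $IPT -I INPUT -p tcp -d "$backend" --dport "$port" -m state --state NEW -j ACCEPT
        fi
    done
}

if [ -n "${1:-}" ]; then build_rules "$1"; fi
```

Run as `sh dnat-rules.sh forward` or `sh dnat-rules.sh local` to review the generated commands before applying them with IPT=iptables SYSCTL=sysctl.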
