I want to set up a system with several subdomains. I use DNS to point each subdomain at an IP address.
I have used random IP addresses in this question:
165.93.198.34 x.mydomain.com (actually 165.93.198.220:8080)
165.93.198.38 z.mydomain.com (actually 165.93.198.220:81)
165.93.198.44 c.mydomain.com (actually 165.93.198.220:443)
165.93.198.220 mydomain.com
Using iptables, when a request arrives at the IP address 165.93.198.34, I want it to be served from 165.93.198.220:8080.
iptables -t nat -A PREROUTING -p tcp -d 165.93.198.34 --jump DNAT --to-destination 165.93.198.220:8080
But I cannot get the PREROUTING rule to work.
[root@static ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:down
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:webcache
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:81
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@static ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere 165.93.198.34-iprovider.com to:165.93.198.220:8080
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
What exactly am I doing wrong?
Answer 1
If your target IP (165.93.198.220) is another system on the network, add an ACCEPT rule to the FORWARD chain, like this:
iptables -A FORWARD -p tcp -d 165.93.198.220 --dport 8080 -j ACCEPT
Also check whether IP forwarding is enabled:
sysctl net.ipv4.ip_forward
If it is not set to 1, enable it on the fly with:
sysctl -w net.ipv4.ip_forward=1
or
echo 1 > /proc/sys/net/ipv4/ip_forward
To make it persist across reboots, edit /etc/sysctl.conf and add the following line:
net.ipv4.ip_forward = 1
If your target IP (165.93.198.220) is on the local machine, add an ACCEPT rule to the INPUT chain, like this:
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
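As an added check that is not part of the original answer: the script below audits an iptables-save dump and reports every nat PREROUTING DNAT target that the filter FORWARD chain does not ACCEPT ahead of its first terminating REJECT/DROP, which matters here because the question's FORWARD chain already ends with a "REJECT all" rule. The dumps it runs against are constructed from the question's addresses; the function and variable names are my own.

```shell
#!/bin/sh
# Audit an iptables-save dump: every nat PREROUTING DNAT target must be ACCEPTed
# in the filter FORWARD chain *before* the first terminating REJECT/DROP, since
# the FORWARD chain in the question ends with "REJECT all ... icmp-host-prohibited"
# and a rule appended behind it is never reached. Prints OK/MISSING per target.
check_dnat_forward() {
    dump="$1"; rc=0
    # host:port of every DNAT rule inside the *nat table
    targets=$(awk '/^\*nat/{t=1;next} /^\*/{t=0} t && /-j DNAT/ {
        for (i=1;i<=NF;i++) if ($i=="--to-destination") print $(i+1)}' "$dump")
    # FORWARD rules that packets can still reach: stop at the first REJECT/DROP
    fwd=$(awk '/^\*filter/{t=1;next} /^\*/{t=0} t && /^-A FORWARD / {
        if ($0 ~ /-j (REJECT|DROP)/) exit; print}' "$dump")
    for tgt in $targets; do
        case $tgt in
            *:*) pat="-d ${tgt%:*}/32 .*--dport ${tgt#*:} .*-j ACCEPT" ;;
            *)   pat="-d $tgt/32 .*-j ACCEPT" ;;   # DNAT that keeps the port
        esac
        if printf '%s\n' "$fwd" | grep -q -- "$pat"; then echo "OK $tgt"
        else echo "MISSING $tgt"; rc=1; fi
    done
    return $rc
}

# Constructed dumps mirroring the question's addresses (not real captures).
NAT_TABLE='*nat
-A PREROUTING -d 165.93.198.34/32 -p tcp -j DNAT --to-destination 165.93.198.220:8080
-A PREROUTING -d 165.93.198.38/32 -p tcp -j DNAT --to-destination 165.93.198.220:81
COMMIT'
REJECT='-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
ACCEPT8080='-A FORWARD -d 165.93.198.220/32 -p tcp -m tcp --dport 8080 -j ACCEPT'
ACCEPT81='-A FORWARD -d 165.93.198.220/32 -p tcp -m tcp --dport 81 -j ACCEPT'
BAD_DUMP=$(mktemp); GOOD_DUMP=$(mktemp)
# "iptables -A FORWARD ..." lands behind the REJECT: shadowed, and :81 has no rule
printf '%s\n*filter\n%s\n%s\nCOMMIT\n' "$NAT_TABLE" "$REJECT" "$ACCEPT8080" >"$BAD_DUMP"
# "iptables -I FORWARD ..." puts both ACCEPTs ahead of the REJECT
printf '%s\n*filter\n%s\n%s\n%s\nCOMMIT\n' "$NAT_TABLE" "$ACCEPT8080" "$ACCEPT81" "$REJECT" >"$GOOD_DUMP"

check_dnat_forward "$BAD_DUMP" || echo "-> insert the ACCEPTs with -I FORWARD, not -A"
check_dnat_forward "$GOOD_DUMP"
```

On a live box, feed it `iptables-save > dump` instead of the constructed files; it only reads the dump and changes no rules.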