Ubuntu路由器转发端口

Question 1

我还没有测试过，但我会尝试这样的事情：

iptables -t nat -A PREROUTING --protocol tcp --destination EXTIP --destination-port 80 -j DNAT --to-destination SERVERIP

其他端口也类似。这可能有帮助吗？

Answer

我还没有测试过，但我会尝试这样的事情：

iptables -t nat -A PREROUTING --protocol tcp --destination EXTIP --destination-port 80 -j DNAT --to-destination SERVERIP

其他端口也类似。这可能有帮助吗？

Question 2

这听起来像是一组相对简单的规则。

允许环回上的任何内容
允许出站请求的“另一半”中的任何内容
允许任何内容流出（从路由器到 INT、路由器到 EXT、或 INT 到 EXT）
允许来自 INT 的端口 22（从您的解释推断）
允许来自 EXT 的端口 80 进入，并将其转发到内部服务器
允许来自 EXT 的端口 443 进入，并将其转发到内部服务器
允许来自 EXT 的端口 32400 进入，并将其转发到内部服务器

这是我的建议。未经测试，因为我现在没有可用的两个接口虚拟机。

# Definitions
INTIF=eth1             # Internal interface
EXTIF=eth0             # External interface
SERVERIP=192.168.1.12  # Internal webserver address

# Prepare to wipe the ruleset, so default to allowing everything
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Erase the rulesets
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING

# Allow anything on loopback
iptables -i lo -j ACCEPT

# Allow anything in that is the "other half" of an outbound request
iptables -A INPUT -m state --state ESTABLISHED,RELATED

# Allow anything out (from router to INT, router to EXT, or INT to EXT)
iptables -A OUTPUT -j ACCEPT

# Allow port 22 in from INT (inferred from your explanation)
# Strictly, this is only required if you apply additional restrictions
# in the next rule, but I'm going to leave it here anyway
iptables -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT

# Allow everything through from INT
# This allows internal access to the router too. You could add some extra
# rules here that disallow access to both the router's own IP addresses
iptables -A INPUT -i $INTIF -j ACCEPT

# Allow port 80 in from EXT, and forward it on to the internal server
# Allow port 443 in from EXT, and forward it on to the internal server
# Allow port 32400 in from EXT, and forward it on to the internal server
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to-destination $SERVERIP
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 443 -j DNAT --to-destination $SERVERIP
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 32400 -j DNAT --to-destination $SERVERIP

# Set the default action to discard all traffic
iptables -P INPUT DENY
iptables -P OUTPUT DENY

# Enable forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward

Answer

这听起来像是一组相对简单的规则。

允许环回上的任何内容
允许出站请求的“另一半”中的任何内容
允许任何内容流出（从路由器到 INT、路由器到 EXT、或 INT 到 EXT）
允许来自 INT 的端口 22（从您的解释推断）
允许来自 EXT 的端口 80 进入，并将其转发到内部服务器
允许来自 EXT 的端口 443 进入，并将其转发到内部服务器
允许来自 EXT 的端口 32400 进入，并将其转发到内部服务器

这是我的建议。未经测试，因为我现在没有可用的两个接口虚拟机。

# Definitions
INTIF=eth1             # Internal interface
EXTIF=eth0             # External interface
SERVERIP=192.168.1.12  # Internal webserver address

# Prepare to wipe the ruleset, so default to allowing everything
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Erase the rulesets
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING

# Allow anything on loopback
iptables -i lo -j ACCEPT

# Allow anything in that is the "other half" of an outbound request
iptables -A INPUT -m state --state ESTABLISHED,RELATED

# Allow anything out (from router to INT, router to EXT, or INT to EXT)
iptables -A OUTPUT -j ACCEPT

# Allow port 22 in from INT (inferred from your explanation)
# Strictly, this is only required if you apply additional restrictions
# in the next rule, but I'm going to leave it here anyway
iptables -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT

# Allow everything through from INT
# This allows internal access to the router too. You could add some extra
# rules here that disallow access to both the router's own IP addresses
iptables -A INPUT -i $INTIF -j ACCEPT

# Allow port 80 in from EXT, and forward it on to the internal server
# Allow port 443 in from EXT, and forward it on to the internal server
# Allow port 32400 in from EXT, and forward it on to the internal server
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to-destination $SERVERIP
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 443 -j DNAT --to-destination $SERVERIP
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 32400 -j DNAT --to-destination $SERVERIP

# Set the default action to discard all traffic
iptables -P INPUT DENY
iptables -P OUTPUT DENY

# Enable forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward

Ubuntu路由器转发端口

答案1

答案2

相关内容