I am trying to forward ports 80, 443 and 32400 to a computer inside the network. So traffic arriving at EXTIP:80 should be sent to SERVERIP:80 and the response should go back out via EXTIP:80; it would also help if these changes survived a router reboot. The router has two IPs, EXTIP and INTIP. It is connected directly to the modem, with no NAT in between. The router handles NAT for the internal servers.
I have tried iptables changes from the internet many times, and they usually have side effects, for example I can no longer SSH into the router or outbound traffic stops working. The router also runs ufw and fail2ban.
Answer 1
I haven't tested it, but I would try something like this:
iptables -t nat -A PREROUTING --protocol tcp --destination EXTIP --destination-port 80 -j DNAT --to-destination SERVERIP
The other ports are similar. Might that help?
Answer 2
This sounds like a relatively simple set of rules.
- Allow anything on loopback
- Allow anything in that is the "other half" of an outbound request
- Allow anything out (from the router to INT, the router to EXT, or INT to EXT)
- Allow port 22 in from INT (inferred from your explanation)
- Allow port 80 in from EXT and forward it to the internal server
- Allow port 443 in from EXT and forward it to the internal server
- Allow port 32400 in from EXT and forward it to the internal server
Here is my suggestion. Untested, because I don't have a two-interface VM available right now.
# Definitions
INTIF=eth1 # Internal interface
EXTIF=eth0 # External interface
SERVERIP=192.168.1.12 # Internal webserver address
# Prepare to wipe the ruleset, so default to allowing everything
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Erase the rulesets
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
# Allow anything on loopback (the rule must name the INPUT chain)
iptables -A INPUT -i lo -j ACCEPT
# Allow anything in that is the "other half" of an outbound request
# (without the -j ACCEPT target this rule would match but do nothing)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow anything out (from router to INT, router to EXT, or INT to EXT)
iptables -A OUTPUT -j ACCEPT
# Allow port 22 in from INT (inferred from your explanation)
# Strictly, this is only required if you apply additional restrictions
# in the next rule, but I'm going to leave it here anyway
iptables -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT
# Allow everything through from INT
# This allows internal access to the router too. You could add some extra
# rules here that disallow access to both the router's own IP addresses
iptables -A INPUT -i $INTIF -j ACCEPT
# Allow port 80 in from EXT, and forward it on to the internal server
# Allow port 443 in from EXT, and forward it on to the internal server
# Allow port 32400 in from EXT, and forward it on to the internal server
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to-destination $SERVERIP
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 443 -j DNAT --to-destination $SERVERIP
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 32400 -j DNAT --to-destination $SERVERIP
# The router is the NAT device for the internal network and POSTROUTING was
# flushed above, so re-add source NAT for traffic leaving via EXT
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# Set the default action to discard all traffic
# (the policy target is DROP; iptables has no DENY target)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
# FORWARD is left at ACCEPT, so the DNATed connections above and INT -> EXT
# traffic are forwarded without further rules
# Enable forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward
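The following script is an added example and is not code from the question or from either answer. It builds on Answer 1's DNAT rule and Answer 2's rule list, but writes the ruleset in iptables-restore(8) format so the whole thing is loaded atomically (no half-applied state that cuts off SSH) and the same file can be loaded at boot, which covers the persistence the question asks for. It also gives the FORWARD chain an explicit DROP policy with per-port accept rules, rather than relying on FORWARD ACCEPT. The interface names eth0/eth1, the server address 192.168.1.12, the iptables-persistent path /etc/iptables/rules.v4 and the sysctl drop-in file name are assumptions to adjust for your router.

```shell
#!/bin/sh
# Added example (not from the question or either answer).
# Emits the port-forwarding ruleset in iptables-restore(8) format so the
# same file can be loaded now and again at boot. Interface names, the server
# address and the file paths below are assumptions; change them to match
# your router.

EXTIF=eth0                # external interface (assumed name)
INTIF=eth1                # internal interface (assumed name)
SERVERIP=192.168.1.12     # internal server (assumed address)
PORTS="80 443 32400"      # TCP ports to forward

# Print the complete nat + filter ruleset. Unlike running iptables one
# command at a time, iptables-restore applies the whole file atomically, so
# there is no window where SSH or outbound traffic is cut off half way.
gen_rules() {
    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    for p in $PORTS; do
        # Rewrite the destination of connections arriving on EXTIF. conntrack
        # reverses the translation on the reply packets, so replies leave as
        # EXTIP:port without any extra rule.
        echo "-A PREROUTING -i $EXTIF -p tcp --dport $p -j DNAT --to-destination $SERVERIP:$p"
    done
    # Source NAT for LAN hosts going out; the router is the NAT device for
    # the internal network, and a flushed POSTROUTING chain would lose this.
    echo "-A POSTROUTING -o $EXTIF -j MASQUERADE"
    echo COMMIT

    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Router itself: loopback, replies to its own connections, and the LAN
    # (SSH included) may talk to it; nothing else from EXTIF reaches INPUT.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT"
    echo "-A INPUT -i $INTIF -j ACCEPT"
    # Forwarded traffic: replies, anything LAN -> Internet, and only the
    # DNATed ports from the Internet to the server. With a DROP policy on
    # FORWARD, the DNAT rule alone is not enough; each port needs this.
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -i $INTIF -o $EXTIF -j ACCEPT"
    for p in $PORTS; do
        echo "-A FORWARD -i $EXTIF -o $INTIF -p tcp -d $SERVERIP --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo COMMIT
}

# Install the ruleset and make it survive a reboot. Paths assume Debian or
# Ubuntu with the iptables-persistent package, which loads
# /etc/iptables/rules.v4 at boot; the sysctl drop-in name is an arbitrary choice.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    gen_rules > /etc/iptables/rules.v4
    iptables-restore < /etc/iptables/rules.v4
    sysctl -w net.ipv4.ip_forward=1
    echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-ip-forward.conf
}

# Without APPLY=1 the script only prints the ruleset for review.
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    gen_rules
fi
```

Run the script with no arguments to review the generated file, or feed the output to `iptables-restore --test` to have iptables parse it without committing; `APPLY=1` installs it. One caveat for this particular router: iptables-restore replaces the nat and filter tables it is given, which removes the chains that ufw and fail2ban insert into INPUT. Either stop using ufw and restart fail2ban afterwards so it re-creates its chains, or keep ufw and put the `*nat` section into /etc/ufw/before.rules and the forward rules into ufw's own configuration instead of loading this file directly.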