isware

iptables port forwarding

iptables is a handy system tool; this article covers port forwarding with iptables.

I first ran the following script:

#filename gw.sh
PATH=$PATH:/usr/sbin:/sbin
echo "1" >/proc/sys/net/ipv4/ip_forward
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
iptables -F INPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -P FORWARD DROP
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 80 -j DNAT --to 10.0.0.2:80
iptables -A FORWARD -p tcp -d 192.168.1.201 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -j ACCEPT

Then I accessed it from outside, and it worked fine.

Then I changed the script a bit:

#filename gw.sh
PATH=$PATH:/usr/sbin:/sbin
echo "1" >/proc/sys/net/ipv4/ip_forward
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
iptables -F INPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -P FORWARD DROP
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 8000 -j DNAT --to 10.0.0.2:80
iptables -A FORWARD -p tcp -d 192.168.1.201 --dport 8000 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -j ACCEPT

#!/bin/sh
PATH=$PATH:/usr/sbin:/sbin
echo "1" >/proc/sys/net/ipv4/ip_forward
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
iptables -F INPUT
iptables -F FORWARD
iptables -F POSTROUTING -t nat
iptables -F PREROUTING -t nat
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING DROP
iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 81 -j DNAT --to 10.0.0.2:80
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 21 -j DNAT --to 10.0.0.2:21
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 21 -j ACCEPT

Take a look at my rules:

[root@redhat unixboy]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.0/24          anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             10.0.0.2            tcp dpt:http
ACCEPT     tcp  --  anywhere             10.0.0.2            tcp dpt:ftp

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[root@redhat unixboy]# /sbin/iptables -L -t nat
Chain PREROUTING (policy DROP)
target     prot opt source               destination
DNAT       tcp  --  anywhere             192.168.1.201       tcp dpt:81 to:10.0.0.2:80
DNAT       tcp  --  anywhere             192.168.1.201       tcp dpt:ftp to:10.0.0.2:21

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  10.0.0.0/24          anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
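As an added example (not the gw.sh from this post), here is a small shell helper for the pattern the scripts above use, a DNAT rule in nat/PREROUTING paired with an ACCEPT in FORWARD. It prints the rule pair for one forward and flags FORWARD rules that match a pre-DNAT address, which is the difference between the second and third scripts: FORWARD is traversed after PREROUTING has already rewritten the destination, so a FORWARD rule for 192.168.1.201:8000 never sees the translated packets. Function names and the sample rule text are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the post's gw.sh. Nothing here calls iptables, so it runs
# unprivileged; it only prints and checks rule text.

# dnat_rules EXT_IP EXT_PORT INT_IP INT_PORT -> prints the two rules needed
dnat_rules() {
    # nat PREROUTING matches the public address, before routing
    printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport %s -j DNAT --to %s:%s\n' \
        "$1" "$2" "$3" "$4"
    # FORWARD runs after DNAT: the destination is already the internal host
    printf 'iptables -A FORWARD -p tcp -d %s --dport %s -j ACCEPT\n' "$3" "$4"
}

# dead_forward_rules reads iptables commands on stdin and prints "dst:port"
# for every FORWARD rule whose -d/--dport is an address that a PREROUTING
# DNAT rule rewrites; such a rule can never match and is dead weight.
dead_forward_rules() {
    awk '
    {
        d = ""; p = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-d") d = $(i + 1)
            if ($i == "--dport") p = $(i + 1)
        }
        if ($0 ~ /-t nat .*-A PREROUTING/ && $0 ~ /-j DNAT/) pre[d ":" p] = 1
        else if ($0 ~ /-A FORWARD / && d != "" && p != "") fwd[++n] = d ":" p
    }
    END { for (i = 1; i <= n; i++) if (fwd[i] in pre) print fwd[i] }'
}

# Constructed sample: the forwarding lines of the second script in the post
SAMPLE_V2='iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 8000 -j DNAT --to 10.0.0.2:80
iptables -A FORWARD -p tcp -d 192.168.1.201 --dport 8000 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -j ACCEPT'

dnat_rules 192.168.1.201 8000 10.0.0.2 80
printf '%s\n' "$SAMPLE_V2" | dead_forward_rules   # prints 192.168.1.201:8000
```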

Through the description above, we found the iptables port-forwarding problem and solved it! I hope this is useful to you!

posted on 2011-06-01 13:54 艾斯维亚 Views (1240) Comments (0)
