我在DMZ上有一台计算机A,而且我希望将端口5555上的所有内容都路由到端口6666上的计算机B(192.168.1.10)。我在sysctl.conf中启用了net.ipv4.ip_forward = 1并设置了以下iptables规则:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5555 -j DNAT --to-destination 192.168.1.10:6666 iptables -t nat -A POSTROUTING -j MASQUERADE 但是,这是行不通的,关于我可能会失踪的任何想法? 这是我的iptablesconfiguration。
# Generated by iptables-save v1.4.9 on Sat Oct 23 19:25:17 2010 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [191:16773] :TCP - [0:0] :UDP - [0:0] -A INPUT -s 127.0.0.0/8 -i eth0 -j DROP -A INPUT -i lo -j ACCEPT -A INPUT -m state --state INVALID -j DROP -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT -A INPUT -p udp -m state --state NEW -j UDP -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j TCP -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable -A INPUT -p tcp -j REJECT --reject-with tcp-reset -A INPUT -j REJECT --reject-with icmp-proto-unreachable -A TCP -p tcp -m tcp --dport 5555 -j ACCEPT COMMIT # Completed on Sat Oct 23 19:25:17 2010 # Generated by iptables-save v1.4.9 on Sat Oct 23 19:25:17 2010 *nat :PREROUTING ACCEPT [491:165229] :OUTPUT ACCEPT [17:2012] :POSTROUTING ACCEPT [17:2012] COMMIT # Completed on Sat Oct 23 19:25:17 2010
您的筛选器表中的FORWARD策略设置为DROP。