服务器 Gind.cn
  1. 服务器 Gind.cn
  3. 端口重新路由与iptables不工作
Intereting Posts
为什么nginx内部redirect不会发生 在haproxy.cfg中结合后端块的重复 交换文件碎片:事实还是虚构? BIOS更新失败DELL R620 对于一个SaaS应用程序,如何让客户使用自己的域名? 我有一个单一的IP上运行的VPS,我可以redirect域到端口或我需要单独的IP? 有谁知道一个好的商业系统发送服务通知电子邮件? 缓慢的networking服务器连接或硬盘 计数login到服务器的Windows用户 在与Hyper-V相同的主轴上运行多个Server 2008实例? 运行Fedora 8,从未升级过。 怎么做? Hyper-V来宾Windows 2008 0xCA上的BSOD 与我们的RAID10 Ubuntu安装grub的问题 如何从我的本地电脑在vps中调用postfix发送电子邮件到我的雅虎帐户? centos 6.6,sh:zip:找不到命令

端口重新路由与iptables不工作

我想重新路由所有通信从一个端口例如4445(从本地)到另一台机器在局域网的另一个端口,例如3305.我预计这应该做的交易: 

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 4445 -j DNAT --to 192.168.72.1:3305

我正在用目标机器听 

 nc -k -l 3305

并直接连接到该IP:端口工作和NC显示传输的消息。 

 telnet 192.168.72.1 3305 Trying 192.168.72.1... Connected to 192.168.72.1. Escape character is '^]'. test ^]

但是,只要我想利用我的iptables规则突然连接被拒绝: 

 $>telnet localhost 4445 Trying 127.0.0.1... telnet: Unable to connect to remote host: Connection refused

我多次阅读ip转发必须被激活: 

 $>cat /proc/sys/net/ipv4/ip_forward 1

因此我的IP转发应该是活动的,并且在从0改变到1之后我重启了机器。

我还检查了iptables是否列出规则: 

  $>iptables -L -t nat Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp -- anywhere anywhere tcp dpt:4445 to:192.168.72.1:3305 Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination 

 $>iptables -L -n -v Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 4745 586K ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0 4745 586K ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0 121 8712 ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4445 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 3344 655K ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0 3344 655K ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0 29 3082 ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0 29 3082 ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0 29 3082 ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0 29 3082 ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0 Chain ufw-after-forward (1 references) pkts bytes target prot opt in out source destination Chain ufw-after-input (1 references) pkts bytes target prot opt in out source destination 0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137 0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138 0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 0 0 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68 121 8712 ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST Chain ufw-after-logging-forward (1 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] " Chain ufw-after-logging-input (1 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] " Chain ufw-after-logging-output (1 references) pkts bytes target prot opt in out source destination Chain ufw-after-output (1 references) pkts bytes target prot opt in out source destination Chain ufw-before-forward (1 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0 Chain ufw-before-input (1 references) pkts bytes target prot opt in out source destination 146 223K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 4471 353K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68 128 9132 ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353 0 0 ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900 128 9132 ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0 Chain ufw-before-logging-forward (1 references) pkts bytes target prot opt in out source destination Chain ufw-before-logging-input (1 references) pkts bytes target prot opt in out source destination Chain ufw-before-logging-output (1 references) pkts bytes target prot opt in out source destination Chain ufw-before-output (1 references) pkts bytes target prot opt in out source destination 146 223K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 3169 428K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 29 3082 ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0 Chain ufw-logging-allow (0 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] " Chain ufw-logging-deny (2 references) pkts bytes target prot opt in out source destination 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] " Chain ufw-not-local (1 references) pkts bytes target prot opt in out source destination 7 420 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL 0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST 121 8712 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST 0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain ufw-reject-forward (1 references) pkts bytes target prot opt in out source destination Chain ufw-reject-input (1 references) pkts bytes target prot opt in out source destination Chain ufw-reject-output (1 references) pkts bytes target prot opt in out source destination Chain ufw-skip-to-policy-forward (0 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain ufw-skip-to-policy-input (7 references) pkts bytes target prot opt in out source destination 121 8712 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain ufw-skip-to-policy-output (0 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 Chain ufw-track-forward (1 references) pkts bytes target prot opt in out source destination Chain ufw-track-input (1 references) pkts bytes target prot opt in out source destination Chain ufw-track-output (1 references) pkts bytes target prot opt in out source destination 3 180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW 26 2902 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW Chain ufw-user-forward (1 references) pkts bytes target prot opt in out source destination Chain ufw-user-input (1 references) pkts bytes target prot opt in out source destination 1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22 6 360 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443 Chain ufw-user-limit (0 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] " 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Chain ufw-user-limit-accept (0 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 Chain ufw-user-logging-forward (0 references) pkts bytes target prot opt in out source destination Chain ufw-user-logging-input (0 references) pkts bytes target prot opt in out source destination Chain ufw-user-logging-output (0 references) pkts bytes target prot opt in out source destination Chain ufw-user-output (1 references) pkts bytes target prot opt in out source destination

为什么这不能按预期工作/我的错误是什么?

这至less会有两个原因:

  1. 您在PREROUTING链中添加了一个DNAT目标规则,并且在本地连接时不会被击中。 Intead,你需要把它添加到nat表中的OUTPUT链。
  2. 你已经指定了input接口-i eth0 ,你的testingstream量不会来自这个接口。 它将遍历回送接口lo

您可以通过更改您的规则来阅读: 

 iptables -A OUTPUT -t nat -p tcp --dport 4445 -j DNAT --to 192.168.72.1:3305

当然,您可以同时保留这两个规则(针对传入stream量和本地生成的stream量)。

随着@ Khaledbuild议作为答案…不要忘记开火: sudo iptables -A INPUT -p tcp --dport 4445 -j ACCEPT