Ubuntu as a NAT gateway with iptables

I am trying to configure Ubuntu 14.04 as a NAT gateway between a private network and a public network:

  • Public interface -> eth0 (178.xxx)
  • Private interface -> eth0:0 (192.168.206.190/17)

I have tried many combinations of iptables rules, but I cannot get traffic routed out. I have confirmed that the gateway can see the network, that hosts on the private network can see the gateway, and that the default gateway is set correctly.

net.ipv4.ip_forward=1 is set in sysctl.

My iptables rules are below. My iptables experience is trivial, so it is quite likely I have missed something.

    # Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
    *security
    :INPUT ACCEPT [215:14912]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [133:16208]
    COMMIT
    # Completed on Thu Apr 21 12:38:44 2016
    # Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
    *raw
    :PREROUTING ACCEPT [215:14912]
    :OUTPUT ACCEPT [133:16208]
    COMMIT
    # Completed on Thu Apr 21 12:38:44 2016
    # Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
    *nat
    :PREROUTING ACCEPT [3:132]
    :INPUT ACCEPT [3:132]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Thu Apr 21 12:38:44 2016
    # Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
    *mangle
    :PREROUTING ACCEPT [215:14912]
    :INPUT ACCEPT [215:14912]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [133:16208]
    :POSTROUTING ACCEPT [133:16208]
    COMMIT
    # Completed on Thu Apr 21 12:38:44 2016
    # Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
    *filter
    :INPUT ACCEPT [46:3296]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [28:3484]
    -A FORWARD -i eth0:0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i eth0 -o eth0:0 -j ACCEPT
    COMMIT
    # Completed on Thu Apr 21 12:38:44 2016

Output of iptables -L -v:

    Chain INPUT (policy ACCEPT 15 packets, 1044 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  eth0:0 eth0    anywhere             anywhere             state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  eth0   eth0:0  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT 10 packets, 1016 bytes)
     pkts bytes target     prot opt in     out     source               destination

Here is the configuration of a host on the private network:

    netstat -r
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    default         nat             0.0.0.0         UG        0 0          0 eth0
    192.168.128.0   *               255.255.128.0   U         0 0          0 eth0

Pinging 'nat' confirms that the host can see 'nat':

    ping nat
    PING nat (192.168.206.190) 56(84) bytes of data.
    64 bytes from nat (192.168.206.190): icmp_seq=1 ttl=64 time=0.359 ms

A ping to 8.8.8.8 shows that no traffic is being routed:

    ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    ^C
    --- 8.8.8.8 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 1999ms
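Two things in the rule set above can be checked mechanically: the `-i eth0:0` / `-o eth0:0` matches, which never fire because an IP alias is an address label rather than a network device (the kernel receives and sends the packet on `eth0`, which is consistent with the zero packet counters in the `iptables -L -v` output), and the default-ACCEPT FORWARD policy, which makes the gateway forward anything that no rule covers. The Python audit script below is an added example, not code from the question or from either answer. It parses `iptables-save` output, reports those two conditions plus a MASQUERADE rule that is not limited to the private subnet, and includes a constructed hardened rule set, which assumes (as in the question) that the private hosts sit in 192.168.128.0/17 and share `eth0` with the public address, so forwarded traffic enters and leaves on the same device and must be distinguished by source address.

```python
"""Audit an iptables-save dump for common NAT-gateway mistakes."""
import shlex

# Constructed sample: the question's nat and filter tables, verbatim.
QUESTION_RULES = """\
*nat
:PREROUTING ACCEPT [3:132]
:INPUT ACCEPT [3:132]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [46:3296]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28:3484]
-A FORWARD -i eth0:0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0:0 -j ACCEPT
COMMIT
"""

# Constructed hardened variant. Assumption: private hosts are in 192.168.128.0/17
# and share eth0 with the public address, so forwarding is eth0 -> eth0 and the
# private side is identified by source address, not by an alias name.
PRIVATE_NET = "192.168.128.0/17"
HARDENED_RULES = f"""\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s {PRIVATE_NET} -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s {PRIVATE_NET} -i eth0 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [[token, ...], ...]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # "*filter" starts a table
            current = line[1:]
            tables[current] = {"policy": {}, "rules": []}
        elif line.startswith(":"):                    # ":FORWARD ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            tables[current]["policy"][chain] = policy
        elif line.startswith("-A"):                   # an appended rule
            tables[current]["rules"].append(shlex.split(line))
    return tables


def _option(tokens, flag):
    """Value following a flag such as -A, -i, -o, -s or -j, or None if absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def audit_nat_gateway(text):
    """Return a list of (severity, message) findings for a NAT gateway rule set."""
    findings = []
    tables = parse_iptables_save(text)
    for table, data in tables.items():
        for tokens in data["rules"]:
            chain = _option(tokens, "-A")
            for flag in ("-i", "-o"):
                iface = _option(tokens, flag)
                # eth0:0 is an address label; the kernel only knows eth0, so a
                # match on the alias name can never succeed.
                if iface and ":" in iface:
                    findings.append(("error", f"{table}/{chain}: {flag} {iface} is an "
                                     "alias label, not an interface; rule never matches"))
            is_masq = table == "nat" and _option(tokens, "-j") == "MASQUERADE"
            if is_masq and not _option(tokens, "-s"):
                findings.append(("warning", f"nat/{chain}: MASQUERADE is not limited "
                                 "to the private subnet with -s"))
    if tables.get("filter", {}).get("policy", {}).get("FORWARD") == "ACCEPT":
        findings.append(("warning", "filter/FORWARD policy is ACCEPT: anything not "
                         "matched by a rule is forwarded; use DROP and allow explicitly"))
    if "nat" in tables and not any(_option(r, "-j") in ("MASQUERADE", "SNAT")
                                   for r in tables["nat"]["rules"]):
        findings.append(("error", "nat: no MASQUERADE/SNAT rule; private source "
                         "addresses would leave the gateway unchanged"))
    return findings


if __name__ == "__main__":
    for name, rules in (("question", QUESTION_RULES), ("hardened", HARDENED_RULES)):
        print(f"== {name} ==")
        for severity, message in audit_nat_gateway(rules) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

Run it against a live box with `iptables-save | python3 audit.py` after replacing the constructed samples with `sys.stdin.read()`; the alias check is the one that explains the question's zero counters, and the policy check is what a reviewer would flag on a gateway that also carries a public address.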

I think the problem is this rule:

    -A FORWARD -i eth0:0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

You have to swap the positions of the interfaces:

    -A FORWARD -i eth0 -o eth0:0 -m state --state RELATED,ESTABLISHED -j ACCEPT

The provider (Linode) filters traffic by IP address at the hypervisor/network level, so traffic carrying a public IP address never crosses the private network at all. Now that I have changed provider, NAT works fine.