DNAT keeps failing orz - Linux

I want to set up a DNAT that sends packets arriving on external port 515 to the internal host 192.168.0.80:515.
I've been at it for a long time and it still doesn't work, so I'm asking everyone to help me find the bug in my iptables rules.

The system is CentOS 5.4 i386; the external NIC is eth0 and the internal NIC is eth1.
Below is the /etc/sysconfig/iptables file, which is basically just iptables commands;
it is read in by iptables-restore on "service iptables restart".
SELinux is permissive, and /proc/sys/net/ipv4/ip_forward = 1.

The purple part is the SNAT, and it works fine.
The yellow part is the DNAT; the red LOG rule only records hits in the PREROUTING chain,
but nothing is logged in the FORWARD chain...
What could cause a packet to go through PREROUTING but never reach FORWARD? @@

#---iptables---#
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A PREROUTING -i eth0 -p tcp --dport 515 -j LOG
-A PREROUTING -i eht0 -p tcp --dport 515 -j DNAT --to-destination 192.168.0.80
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# This chain "RH-Firewall-1-INPUT" is basically an alias of INPUT; it was set up by the system firewall tool
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j LOG
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

--

Nice to meld you.

--

All Comments

Yuri 2009-11-29
I wanted to set this up before too, but never got it working..
Mia 2009-11-29
Three things to check: 1. Try disabling SELinux. 2. Is the gateway of the 0.80 host this Firewall? 3. Check whether UDP needs to be forwarded in as well.
Rosalind 2009-12-03
Enid 2009-12-08
Thanks to the poster above! 2. is very likely (.80 is a printer and I forgot to change it 囧), I'll try it tomorrow :D
Audriana 2009-12-12
囧囧囧 Turns out eth was written as eht...... orz
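The root cause in the last comment is a misspelled interface name, which iptables-restore accepts silently: the LOG rule on eth0 matches, the DNAT rule on "eht0" never does, so the packet keeps the firewall's own address as destination and goes to INPUT (where RH-Firewall-1-INPUT rejects it) instead of FORWARD. The script below is an added example, not part of the thread; it lints the -i/-o names in a rules file against a list of known interfaces (passed explicitly here so it runs offline; on the firewall host the list would come from ls /sys/class/net), using a constructed copy of the post's nat table with the typo kept.

```shell
#!/bin/sh
# Added example: lint the -i/-o interface names in an iptables-restore file.
# Constructed sample reproducing the nat table from the post (typo kept on purpose).
RULES_FILE="${TMPDIR:-/tmp}/iptables-iface-check.$$"
cat > "$RULES_FILE" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A PREROUTING -i eth0 -p tcp --dport 515 -j LOG
-A PREROUTING -i eht0 -p tcp --dport 515 -j DNAT --to-destination 192.168.0.80
COMMIT
EOF

# check_ifaces FILE "iface1 iface2 ..."
# Prints each rule whose -i/-o interface is not in the given list and
# returns 1 if any such rule exists, 0 otherwise. On the firewall host the
# list can be built with: ls /sys/class/net
check_ifaces() {
    file=$1
    known=" $2 "
    bad=0
    while IFS= read -r line; do
        case $line in
            -A*|-I*) ;;          # only rule lines carry interface matches
            *) continue ;;
        esac
        set -- $line             # split the rule into its arguments
        while [ $# -gt 1 ]; do
            case $1 in
                -i|-o|--in-interface|--out-interface)
                    case $known in
                        *" $2 "*) ;;
                        *) printf 'unknown interface "%s" in: %s\n' "$2" "$line"
                           bad=1 ;;
                    esac ;;
            esac
            shift
        done
    done < "$file"
    return $bad
}

# Run against the NICs named in the post; eht0 is flagged, eth0 is not.
check_ifaces "$RULES_FILE" "eth0 eth1 lo" \
    || echo "fix the interface name above before running iptables-restore"
```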