DNAT keeps failing orz - Linux
By Rebecca
at 2009-11-28T23:59
I want to set up a DNAT that sends packets arriving on external port 515 to 192.168.0.80:515 on the internal network.
I've been at it for a long time without success, so please help me look over my iptables and find the bug.
The system is CentOS 5.4 i386; the external NIC is eth0 and the internal NIC is eth1.
Below is the /etc/sysconfig/iptables file, which is basically just iptables commands;
it is loaded by iptables-restore on service iptables restart.
SELinux is permissive and /proc/sys/net/ipv4/ip_forward is 1.
The purple part is the SNAT, and it works fine.
The yellow part is the DNAT; the red LOG only shows up in the PREROUTING chain,
but nothing is logged in the FORWARD chain...
What could cause a packet to go through PREROUTING but never reach FORWARD? @@
#---iptables---#
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# SNAT for the internal network going out through the external NIC
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j MASQUERADE
# Log incoming port 515 traffic before it is rewritten
-A PREROUTING -i eth0 -p tcp --dport 515 -j LOG
# Corrected: the file as posted had "-i eht0" on this line. No interface by that
# name exists, so the DNAT rule never matched; the packet kept the firewall's own
# address as its destination and went to INPUT (where port 515 is rejected)
# instead of FORWARD. The LOG rule above did match because it says eth0.
-A PREROUTING -i eth0 -p tcp --dport 515 -j DNAT --to-destination 192.168.0.80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# The chain "RH-Firewall-1-INPUT" is basically an alias of INPUT, set up by the system firewall tool
-A INPUT -j RH-Firewall-1-INPUT
# Log everything that reaches FORWARD (the chain policy is ACCEPT)
-A FORWARD -j LOG
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
--
Nice to meld you.
--
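A way to catch this class of mistake before reloading the rules, as an added example that is not part of the original post, of CentOS, or of iptables itself: a small Python linter that parses an iptables-save style file, flags any -i/-o argument naming an interface that does not exist on the host (assumed here to be lo, eth0 and eth1), and flags DNAT rules in nat/PREROUTING whose target the filter FORWARD chain would not accept. The embedded ruleset is constructed from the post's file (trimmed), with the original `eht0` spelling kept so the check has something to find. The parser handles only the simplified grammar this file uses (no `!` negation).

```python
"""Lint an iptables-restore file for rules that can never match and for DNAT
targets the FORWARD chain would not pass.  Added example, not CentOS or
iptables code.  Assumptions: interface names in KNOWN_IFACES, and the
simplified iptables-save grammar handled by parse_ruleset (no '!' negation)."""
import shlex

# Constructed sample: the post's ruleset, trimmed, with the original 'eht0' kept.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j MASQUERADE
-A PREROUTING -i eth0 -p tcp --dport 515 -j LOG
-A PREROUTING -i eht0 -p tcp --dport 515 -j DNAT --to-destination 192.168.0.80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j LOG
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Assumed: the interfaces present on the firewall (compare with `ip link` on a real host).
KNOWN_IFACES = {"lo", "eth0", "eth1"}


def parse_ruleset(text):
    """Return (policies, rules) from iptables-save format.
    policies maps (table, chain) -> policy name, or None for user chains;
    rules is a list of {'table', 'chain', 'lineno', 'opts'} where opts maps
    each flag to its argument (or True for flags that take none)."""
    policies, rules, table = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):          # chain declaration with its policy
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = None if policy == "-" else policy
        else:
            toks = shlex.split(line)
            if toks[0] != "-A":
                continue
            opts, i = {}, 2
            while i < len(toks):
                has_arg = i + 1 < len(toks) and not toks[i + 1].startswith("-")
                opts[toks[i]] = toks[i + 1] if has_arg else True
                i += 2 if has_arg else 1
            rules.append({"table": table, "chain": toks[1], "lineno": lineno, "opts": opts})
    return policies, rules


def find_unknown_interfaces(rules, known=KNOWN_IFACES):
    """(lineno, flag, name) for every -i/-o that names an interface not on the box.
    Such a rule can never match, so the traffic silently falls through it."""
    return [(r["lineno"], flag, r["opts"][flag])
            for r in rules for flag in ("-i", "-o")
            if isinstance(r["opts"].get(flag), str) and r["opts"][flag] not in known]


def find_unforwarded_dnat(policies, rules):
    """(lineno, target_ip) for nat/PREROUTING DNAT rules whose target the filter
    FORWARD chain would not pass.  Coarse check: a FORWARD policy of ACCEPT, or any
    -j ACCEPT rule in FORWARD with no -d or with -d equal to the target, counts."""
    fwd_rules = [r for r in rules if (r["table"], r["chain"]) == ("filter", "FORWARD")]
    fwd_open = policies.get(("filter", "FORWARD")) == "ACCEPT"
    found = []
    for r in rules:
        if (r["table"], r["chain"], r["opts"].get("-j")) != ("nat", "PREROUTING", "DNAT"):
            continue
        target = str(r["opts"].get("--to-destination", "")).split(":")[0]
        accepted = fwd_open or any(
            f["opts"].get("-j") == "ACCEPT"
            and str(f["opts"].get("-d", target)).split("/")[0] == target
            for f in fwd_rules)
        if not accepted:
            found.append((r["lineno"], target))
    return found


def lint(text, known=KNOWN_IFACES):
    """Run both checks on an iptables-restore file and return a report dict."""
    policies, rules = parse_ruleset(text)
    return {"unknown_interfaces": find_unknown_interfaces(rules, known),
            "unforwarded_dnat": find_unforwarded_dnat(policies, rules)}


if __name__ == "__main__":
    report = lint(SAMPLE_RULES)
    for lineno, flag, name in report["unknown_interfaces"]:
        print(f"line {lineno}: {flag} {name!r} is not a known interface, rule never matches")
    for lineno, target in report["unforwarded_dnat"]:
        print(f"line {lineno}: DNAT to {target} but filter FORWARD would not accept it")
    if not any(report.values()):
        print("no problems found")
```

Run against the sample it reports line 7 (`-i 'eht0'`); with the spelling corrected it reports nothing, and with the FORWARD policy changed to DROP it reports the DNAT target as unforwarded. On a live box the same question is answered by the per-rule counters in `iptables -t nat -L PREROUTING -v -n`: a rule whose packet counter stays at zero while the LOG rule above it counts up is a rule that is not matching.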
Tags:
Linux
All Comments
By Yuri
at 2009-11-29T12:28
By Mia
at 2009-11-29T15:05
By Rosalind
at 2009-12-03T23:35
By Enid
at 2009-12-08T22:56
By Audriana
at 2009-12-12T10:34