我有一外網IP:218.17.xxx.xxx,現在想用這個IP通過linux映射到內部的一臺WEB服務器上IP為:192.168.188.5,就是不管在外面還是內部都是用218.17.xxx.xxx來訪問WEB(這WEB在內部的192.168.188.5上),怎么做?
?江湖無賴 回復于:2003-09-18 11:35:52Q:一局域網192.168.1.0/24,有web和ftp服務器192.168.1.10、192.168.1.11,網關linux,內網eth0,IP為192.168.1.1,外網eth1,IP為a.b.c.d,怎樣作NAT能使內外網都能訪問公司的服務器?
A:#?web
#?用DNAT作端口映射
iptables?-t?nat?-A?PREROUTING?-d?a.b.c.d?-p?tcp?--dport?80?-j?DNAT?--to?192.168.1.10
#?用SNAT作源地址轉換(關鍵),以使回應包能正確返回
iptables?-t?nat?-A?POSTROUTING?-d?192.168.1.10?-p?tcp?--dport?80?-j?SNAT?--to?192.168.1.1
#?一些人經常忘了打開FORWARD鏈的相關端口,特此增加
iptables?-A?FORWARD?-o?eth0?-d?192.168.1.10?-p?tcp?--dport?80?-j?ACCEPT
iptables?-A?FORWARD?-i?eth0?-s?192.168.1.10?-p?tcp?--sport?80?-m?--state?ESTABLISHED?-j?ACCEPT
#?ftp
modprobe?ip_nat_ftp?###加載ip_nat_ftp模塊(若沒有編譯進內核),以使ftp能被正確NAT
modprobe?ip_conntrack_ftp?###加載ip_conntrack_ftp模塊
#?用DNAT作端口映射
iptables?-t?nat?-A?PREROUTING?-d?a.b.c.d?-p?tcp?--dport?21?-j?DNAT?--to?192.168.1.11
iptables?-A?FORWARD?-o?eth0?-d?192.168.1.11?-p?tcp?--dport?21?-j?ACCEPT
iptables?-A?FORWARD?-i?eth0?-s?192.168.1.11?-p?tcp?--sport?21?-m?--state?ESTABLISHED?-j?ACCEPT
iptables?-A?FORWARD?-i?eth0?-s?192.168.1.11?-p?tcp?--sport?20?-m?--state?ESTABLISHED,RELATED?-j?ACCEPT
iptables?-A?FORWARD?-o?eth0?-d?192.168.1.11?-p?tcp?--dport?20?-m?--state?ESTABLISHED?-j?ACCEPT
iptables?-A?FORWARD?-o?eth0?-d?192.168.1.11?-p?tcp?--dport?1024:?-m?--state?ESTABLISHED,RELATED?-j?ACCEPT
iptables?-A?FORWARD?-i?eth0?-s?192.168.1.11?-p?tcp?--sport?1024:?-m?--state?ESTABLISHED?-j?ACCEPT
#?用SNAT作源地址轉換(關鍵),以使回應包能正確返回
iptables?-t?nat?-A?POSTROUTING?-d?192.168.1.11?-p?tcp?--dport?21?-i?eth0?-j?SNAT?--to?192.168.1.1?
Q:網絡環(huán)境如上一問題,還在網關上用squid進行透明代理,也作了SNAT了,為什么內網還是不能訪問公司的web服務器?iptables如下:
iptables?-t?nat?-A?PREROUTING?-s?192.168.1.0/24?-p?tcp?--dport?80?-i?eth0?-j?REDIRECT?--to?3128
iptables?-t?nat?-A?PREROUTING?-d?a.b.c.d?-p?tcp?--dport?80?-j?DNAT?--to?192.168.1.10
iptables?-t?nat?-A?POSTROUTING?-d?192.168.1.10?-p?tcp?--dport?80?-j?SNAT?--to?192.168.1.1
A:問題主要在PREROUTING鏈中REDIRECT和DNAT的順序,由于先進行了REDIRECT(重定向),則到第二句DNAT時,端口已變?yōu)?128,不匹配第二句的目的端口80,DNAT也就不會執(zhí)行,不能到達正確的目的地。解決的辦法有兩個:
1、把REDIRECT語句放到DNAT語句的后面,如下:
iptables?-t?nat?-A?PREROUTING?-d?a.b.c.d?-p?tcp?--dport?80?-j?DNAT?--to?192.168.1.10
iptables?-t?nat?-A?PREROUTING?-s?192.168.1.0/24?-p?tcp?--dport?80?-i?eth0?-j?REDIRECT?--to?3128
2、在REDIRECT語句中增加匹配目的地址"-d?!?a.b.c.d",如下:
iptables?-t?nat?-A?PREROUTING?-s?192.168.1.0/24?-d?!?a.b.c.d?-p?tcp?--dport?80?-i?eth0?-j?REDIRECT?--to?3128
iptables?-t?nat?-A?PREROUTING?-d?218.17.xxx.xxx??-p?tcp?--dprot?80?-j?DNAT?--to??192.168.188.5:80
|