I have a public IP, 218.17.xxx.xxx, and I want to use a Linux box to map it to an internal web server at 192.168.188.5, so that from both outside and inside the network the web server (which lives internally on 192.168.188.5) is reached via 218.17.xxx.xxx. How do I do this?
江湖無賴 replied on: 2003-09-18 11:35:52
Q: A LAN 192.168.1.0/24 has a web server and an ftp server at 192.168.1.10 and 192.168.1.11. The gateway is Linux, with internal interface eth0 at 192.168.1.1 and external interface eth1 at a.b.c.d. How should NAT be set up so that both the internal and the external network can reach the company's servers?
A: # web
# use DNAT for the port mapping
iptables -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 80 -j DNAT --to 192.168.1.10
# use SNAT for source address translation (the key step) so that reply packets return correctly
iptables -t nat -A POSTROUTING -d 192.168.1.10 -p tcp --dport 80 -j SNAT --to 192.168.1.1
# people often forget to open the relevant ports in the FORWARD chain, so they are added here
iptables -A FORWARD -o eth0 -d 192.168.1.10 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.1.10 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# ftp
modprobe ip_nat_ftp ### load the ip_nat_ftp module (if it is not compiled into the kernel) so that ftp can be NATed correctly
modprobe ip_conntrack_ftp ### load the ip_conntrack_ftp module
# use DNAT for the port mapping
iptables -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 21 -j DNAT --to 192.168.1.11
iptables -A FORWARD -o eth0 -d 192.168.1.11 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.1.11 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.1.11 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth0 -d 192.168.1.11 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -d 192.168.1.11 -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -s 192.168.1.11 -p tcp --sport 1024: -m state --state ESTABLISHED -j ACCEPT
# use SNAT for source address translation (the key step) so that reply packets return correctly
# (POSTROUTING only accepts an output interface, so the interface match is -o eth0, not -i eth0)
iptables -t nat -A POSTROUTING -d 192.168.1.11 -p tcp --dport 21 -o eth0 -j SNAT --to 192.168.1.1
Q: Same network environment as in the previous question, but squid is also running on the gateway as a transparent proxy, and SNAT has been done as well. Why can the internal network still not reach the company's web server? The iptables rules are:
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -i eth0 -j REDIRECT --to 3128
iptables -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 80 -j DNAT --to 192.168.1.10
iptables -t nat -A POSTROUTING -d 192.168.1.10 -p tcp --dport 80 -j SNAT --to 192.168.1.1
A: The problem is mainly the order of REDIRECT and DNAT in the PREROUTING chain. Because the REDIRECT is applied first, by the time the second rule (the DNAT) is reached the destination port has already become 3128, which no longer matches the destination port 80 of the second rule, so the DNAT is never executed and the packet cannot reach the correct destination. There are two solutions:
1. Put the REDIRECT rule after the DNAT rule, as follows:
iptables -t nat -A PREROUTING -d a.b.c.d -p tcp --dport 80 -j DNAT --to 192.168.1.10
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -i eth0 -j REDIRECT --to 3128
2. Add a destination-address match "-d ! a.b.c.d" to the REDIRECT rule, as follows:
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -d ! a.b.c.d -p tcp --dport 80 -i eth0 -j REDIRECT --to 3128
iptables -t nat -A PREROUTING -d 218.17.xxx.xxx -p tcp --dport 80 -j DNAT --to 192.168.188.5:80
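The hairpin-NAT setup from the first Q/A and the rule-ordering fix from the second, as an added example that is not code from the thread or from its poster: a POSIX sh script that prints (rather than applies) the rule set for one TCP service, placing the DNAT ahead of the squid REDIRECT and excluding the public IP from the REDIRECT, plus a check that reads a rule list and flags the REDIRECT-before-DNAT mistake diagnosed above. The parameter layout, the check function and the sample rule lines are my own; the SNAT is restricted to LAN sources, which goes beyond the reply's version so that external clients still appear with their real addresses in the server's logs.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the hairpin-NAT rules for one TCP service
# behind a Linux gateway, in the order the reply above requires, and checks an existing
# PREROUTING rule list for the REDIRECT-before-DNAT mistake.
# Assumptions (mine, not the thread's): the parameter layout, the LAN-only SNAT, the
# check function and the constructed sample input in the demo.

# gen_hairpin_rules PUBLIC_IP SERVER_IP PORT LAN_IF LAN_NET GW_LAN_IP [PROXY_PORT]
gen_hairpin_rules() {
    pub="$1"; srv="$2"; port="$3"; lan_if="$4"; lan_net="$5"; gw="$6"; proxy="${7:-}"

    # The gateway must forward between interfaces at all.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # 1. DNAT first: traffic for the public IP on this port goes to the internal server,
    #    whether it arrives on the external or on the internal interface.
    echo "iptables -t nat -A PREROUTING -d $pub -p tcp --dport $port -j DNAT --to-destination $srv:$port"

    # 2. Transparent proxy (optional) only AFTER the DNAT and excluding the public IP,
    #    so LAN clients talking to the company server are never sent to the proxy
    #    (this combines both fixes given in the reply).
    if [ -n "$proxy" ]; then
        echo "iptables -t nat -A PREROUTING -i $lan_if -s $lan_net ! -d $pub -p tcp --dport 80 -j REDIRECT --to-ports $proxy"
    fi

    # 3. SNAT only for LAN clients: without it the server sees the client's LAN address
    #    and answers it directly, and the client drops the reply because it expected an
    #    answer from the public IP. External clients are left untouched so the server's
    #    logs keep their real source addresses.
    echo "iptables -t nat -A POSTROUTING -s $lan_net -d $srv -p tcp --dport $port -j SNAT --to-source $gw"

    # 4. FORWARD chain: the new connection towards the server and the replies back out.
    echo "iptables -A FORWARD -o $lan_if -d $srv -p tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $lan_if -s $srv -p tcp --sport $port -m state --state ESTABLISHED -j ACCEPT"
}

# check_nat_order: reads rule lines on stdin (the output above, or `iptables-save -t nat`)
# and exits 1 when a PREROUTING REDIRECT that does not exclude the public IP ("! -d")
# comes before the DNAT, i.e. exactly the situation diagnosed in the reply; exits 0 otherwise.
check_nat_order() {
    awk '
        /PREROUTING/ && /-j DNAT/                { if (!dnat) dnat = NR }
        /PREROUTING/ && /-j REDIRECT/ && !/! -d/ { if (!redirect) redirect = NR }
        END { exit ((redirect && (!dnat || redirect < dnat)) ? 1 : 0) }
    '
}

# Demo with the addresses used in the reply (a.b.c.d is the thread's own placeholder).
gen_hairpin_rules a.b.c.d 192.168.1.10 80 eth0 192.168.1.0/24 192.168.1.1 3128
```

To review a live gateway, pipe `iptables-save -t nat` into `check_nat_order`; a non-zero exit means a REDIRECT will rewrite the port before the DNAT gets a chance to match. The generated lines are printed so they can be read before being executed; once reviewed, piping the output into `sh` as root applies them.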