isware

iptables是一款好用的系統(tǒng)工具，本文講下iptables 端口轉(zhuǎn)發(fā)。

我首先運(yùn)行以下script

#filename gw.sh

PATH=$PATH:/usr/sbin:/sbin

echo "1" >/proc/sys/net/ipv4/ip_forward

modprobe ip_tables

modprobe ip_nat_ftp

modprobe ip_conntrack_ftp

iptables -F INPUT

iptables -F FORWARD

iptables -F POSTROUTING -t nat

iptables -F PREROUTING -t nat

iptables -P FORWARD DROP

iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT

iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 80 -j DNAT --to 10.0.0.2:80

iptables -A FORWARD -p tcp -d 192.168.1.201 --dport 80 -j ACCEPT

iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -j ACCEPT

然后在外部訪問，沒問題。

然后我改了一下這個(gè)script:

#filename gw.sh

PATH=$PATH:/usr/sbin:/sbin

echo "1" >/proc/sys/net/ipv4/ip_forward

modprobe ip_tables

modprobe ip_nat_ftp

modprobe ip_conntrack_ftp

iptables -F INPUT

iptables -F FORWARD

iptables -F POSTROUTING -t nat

iptables -F PREROUTING -t nat

iptables -P FORWARD DROP

iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT

iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 8000 -j DNAT --to 10.0.0.2:80

iptables -A FORWARD -p tcp -d 192.168.1.201 --dport 8000 -j ACCEPT

iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -j ACCEPT

#!/bin/sh

PATH=$PATH:/usr/sbin:/sbin

echo "1" >/proc/sys/net/ipv4/ip_forward

modprobe ip_tables

modprobe ip_nat_ftp

modprobe ip_conntrack_ftp

iptables -F INPUT

iptables -F FORWARD

iptables -F POSTROUTING -t nat

iptables -F PREROUTING -t nat

iptables -P FORWARD DROP

iptables -t nat -P PREROUTING DROP

iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT

iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 81 -j DNAT --to 10.0.

0.2:80

iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -d 192.168.1.201 --dport 21 -j DNAT --to 10.0.

0.2:21

iptables -A FORWARD -p tcp -d 10.0.0.2 --dport 21 -j ACCEPT

看一我的規(guī)則：

[root@redhat unixboy]# /sbin/iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

Chain FORWARD (policy DROP)

target prot opt source destination

ACCEPT all -- 10.0.0.0/24 anywhere

ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

ACCEPT tcp -- anywhere 10.0.0.2 tcp dpt:http

ACCEPT tcp -- anywhere 10.0.0.2 tcp dpt:ftp

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

[root@redhat unixboy]# /sbin/iptables -L -t nat

Chain PREROUTING (policy DROP)

target prot opt source destination

DNAT tcp -- anywhere 192.168.1.201 tcp dpt:81 to:10.0.0.2:80

DNAT tcp -- anywhere 192.168.1.201 tcp dpt:ftp to:10.0.0.2:21

Chain POSTROUTING (policy ACCEPT)

target prot opt source destination

MASQUERADE all -- 10.0.0.0/24 anywhere

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

通過上面的文章描述，我們找到iptables 端口轉(zhuǎn)發(fā)的問題，并解決了他！希望對你們有用！