本文出自:http://www.mpyun.com/post/119/
因爲某些原因需要把訪問10.0.3.49上的httpd服務重定向到10.0.3.26上.所以研究了一下用iptables的NAT實現IP與端口的重定向,其實很簡單,只需要兩步。
1,首先需要確保linux服務器10.0.3.49開啓了數據轉發功能:
echo 1 > /proc/sys/net/ipv4/ip_forward
2.10.0.3.49做NAT的ip和端口80的重定向。
iptables -t nat -A PREROUTING -p tcp --dport 80 -d 10.0.3.49 -j DNAT --to 10.0.3.26:80
iptables -t nat -A POSTROUTING -d 10.0.3.26 -p tcp --dport 80 -j SNAT --to 10.0.3.49:80
iptables -A FORWARD -d 10.0.3.26 -j ACCEPT
如果還是沒有成功,用tcpdump -nn -i any port 80 看兩臺服務器網卡上是否有數據進入和出去,將檢查自己的iptables是否放行,我的iptables規則是這樣設置的:
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --dport 21 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 65400:65410 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 22 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 25 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p UDP --dport 53 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 53 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -j ACCEPT
iptables -A INPUT -p TCP --dport 110 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 443 --sport 1024:65534 -j ACCEPT
/etc/init.d/iptables save
遇到的問題:
1.沒有設置iptables -A FORWARD -d 10.0.3.26 -j ACCEPT
10.0.3.49上查看數據:
[root@vb01 ~]# tcpdump -nn -i any port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
20:20:27.704953 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:27.706000 IP 10.0.3.27.54605 > 10.0.3.49.80: Flags [S], seq 18175173, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:27.951043 IP 10.0.3.27.54607 > 10.0.3.49.80: Flags [S], seq 984209039, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:30.703240 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:30.710931 IP 10.0.3.27.54605 > 10.0.3.49.80: Flags [S], seq 18175173, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:30.949540 IP 10.0.3.27.54607 > 10.0.3.49.80: Flags [S], seq 984209039, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:36.698054 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, options [mss 1460,nop,nop,sackOK], length 0
20:20:36.715184 IP 10.0.3.27.54605 > 10.0.3.49.80: Flags [S], seq 18175173, win 8192, options [mss 1460,nop,nop,sackOK], length 0
20:20:36.951390 IP 10.0.3.27.54607 > 10.0.3.49.80: Flags [S], seq 984209039, win 8192, options [mss 1460,nop,nop,sackOK], length 0
可以看到Flags全是S標誌,表示TCP連接請求沒有迴應,所以本機iptables可能沒有設置允許目的地址是10.0.3.26的數據的轉發。