Using iptables NAT forwarding rules so that servers inside the LAN can be reached directly from the Internet for remote connections.
- Server A: public IP xxx.xxx.xxx.xxx, internal IP 172.16.46.98
- Server B: internal 172.16.37.124:3389
- Server C: internal 172.16.37.10:3389
Task: map xxx.xxx.xxx.xxx (public IP):10022 to 172.16.37.124:3389, and xxx.xxx.xxx.xxx (public IP):10023 to 172.16.37.10:3389.
1. First enable IP forwarding
# echo 1 > /proc/sys/net/ipv4/ip_forward
# cat /proc/sys/net/ipv4/ip_forward
1
# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
# On CentOS 7, enable IP forwarding in the sysctl.d drop-in instead:
# vim /etc/sysctl.d/99-sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -p
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
Note: these errors can be ignored, or fixed with the commands below.
The three options above keep bridged traffic from passing through the host's iptables rules. Netfilter is enabled on bridges by default, and if this is not blocked it causes serious confusion. The error appears because the loadable kernel module bridge, which sysctl would normally handle automatically, was not loaded.
# modprobe bridge
# lsmod|grep bridge
bridge 48077 0
stp 2067 1 bridge
llc 5352 2 bridge,stp
# sysctl -p
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
2. Configure iptables NAT forwarding
# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Dec 6 20:03:10 2016
*nat
:PREROUTING ACCEPT [4946:531492]
:POSTROUTING ACCEPT [5:384]
:OUTPUT ACCEPT [5:384]
-A PREROUTING -d xxx.xxx.xxx.xxx(公网IP)/32 -p tcp -m tcp --dport 10022 -j DNAT --to-destination 172.16.37.124:3389
-A POSTROUTING -d 172.16.37.124/32 -p tcp -m tcp --dport 3389 -j SNAT --to-source 172.16.46.98:10022
-A PREROUTING -d xxx.xxx.xxx.xxx(公网IP)/32 -p tcp -m tcp --dport 10023 -j DNAT --to-destination 172.16.37.10:3389
-A POSTROUTING -d 172.16.37.10/32 -p tcp -m tcp --dport 3389 -j SNAT --to-source 172.16.46.98:10023
COMMIT
# Completed on Tue Dec 6 20:03:10 2016
# Generated by iptables-save v1.4.7 on Tue Dec 6 20:03:10 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [458:63156]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10022:10023 -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Dec 6 20:03:10 2016
# service iptables save
# service iptables restart
After the NAT port forwarding is set up, the two REJECT lines in /etc/sysconfig/iptables (shown commented out in the file above) must stay commented out, otherwise NAT forwarding will not work. Normally, once the NAT rules are configured as above and the firewall has been saved and restarted, those two lines are removed from /etc/sysconfig/iptables automatically.
The two rules mean: in the INPUT and FORWARD chains, reject every packet that does not match any of the preceding rules, and send an ICMP host-prohibited message back to the rejected host.
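The post gets NAT working by leaving FORWARD wide open. The following added example (not from the original post) prints the iptables commands for the same two mappings while keeping FORWARD on a DROP policy and accepting only the DNATed flows; the function name gen_nat_rules and the public address 203.0.113.10 are assumptions, and unlike the post the SNAT rule rewrites only the source IP, not the source port.

```shell
#!/bin/sh
# Added example, not from the original post: print the iptables commands for a
# list of "public_port:internal_ip:internal_port" mappings. The name
# gen_nat_rules and the address 203.0.113.10 are assumptions for illustration.
# Unlike the post, SNAT uses only --to-source IP (no port), and FORWARD keeps a
# DROP policy with explicit accepts for the mapped flows instead of being open.

# Usage: gen_nat_rules PUBLIC_IP SNAT_IP MAPPING...
gen_nat_rules() {
    pub_ip=$1
    snat_ip=$2
    shift 2
    # Replies to already-forwarded connections are allowed; everything else
    # in FORWARD is dropped unless a rule below explicitly accepts it.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    for map in "$@"; do
        pub_port=${map%%:*}
        rest=${map#*:}
        int_ip=${rest%%:*}
        int_port=${rest#*:}
        # Reject malformed mappings rather than emitting a half-built rule.
        case "$pub_port$int_port" in
            *[!0-9]*|'') echo "bad mapping: $map" >&2; return 1 ;;
        esac
        # PREROUTING DNAT: traffic for PUBLIC_IP:pub_port goes to the internal host.
        echo "iptables -t nat -A PREROUTING -d $pub_ip/32 -p tcp --dport $pub_port -j DNAT --to-destination $int_ip:$int_port"
        # POSTROUTING SNAT: the internal host sees server A as the client, so its
        # replies come back through server A and are un-NATed by conntrack.
        echo "iptables -t nat -A POSTROUTING -d $int_ip/32 -p tcp --dport $int_port -j SNAT --to-source $snat_ip"
        # FORWARD: only the DNATed flow may cross server A into the LAN.
        echo "iptables -A FORWARD -d $int_ip/32 -p tcp --dport $int_port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# The two mappings from the post, with a documentation-range public address.
gen_nat_rules 203.0.113.10 172.16.46.98 \
    10022:172.16.37.124:3389 10023:172.16.37.10:3389
```

Review the printed commands, then run them on server A; the rules are emitted rather than applied so the output can be checked before touching a live firewall.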
# iptables -t nat -L -n    # view the firewall's NAT rules
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 xxx.xxx.xxx.xxx(公网IP) tcp dpt:10022 to:172.16.37.124:3389
DNAT tcp -- 0.0.0.0/0 xxx.xxx.xxx.xxx(公网IP) tcp dpt:10023 to:172.16.37.10:3389
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- 0.0.0.0/0 172.16.37.124 tcp dpt:3389 to:172.16.46.98:10022
SNAT tcp -- 0.0.0.0/0 172.16.37.10 tcp dpt:3389 to:172.16.46.98:10023
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -L -n -v    # view the firewall's filter rules
Chain INPUT (policy ACCEPT 30539 packets, 3412K bytes)
pkts bytes target prot opt in out source destination
146 10386 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6 461 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
4 164 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
2 132 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:10022:10023
Chain FORWARD (policy ACCEPT 14 packets, 684 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 238 packets, 24643 bytes)
pkts bytes target prot opt in out source destination