Starting from http://blog.sina.com.cn/s/blog_702eef650101moqb.html and testing repeatedly, I arrived at the following conclusions.


Suppose a connection to port 80 on 172.16.16.44 should end up on port 22 of 172.16.16.244. With the configuration written as below, it makes no difference whether port 80 on the forwarding host 172.16.16.44 is itself in use: the DNAT rule rewrites the packet in PREROUTING, before any local socket or the INPUT chain sees it, so the translated traffic passes through the FORWARD chain and that is the only place it has to be allowed. The two nat-table rules (DNAT in PREROUTING, SNAT in POSTROUTING) are the essential part. One special case: if the forwarding host has more than one NIC, the address after --to-source on the POSTROUTING line must be the forwarder's own address on the same subnet as the destination, i.e. the one on the interface facing 172.16.16.244. Otherwise 172.16.16.244 sends its replies to an address it has no return route to through the forwarder, there is no return path, and the connection fails. (Using -j MASQUERADE instead of SNAT picks the outgoing interface's address automatically.) Two things to keep in mind: because of the SNAT, the SSH server on 172.16.16.244 sees every forwarded session as coming from 172.16.16.44, so its logs and any client-address-based controls there lose the real client address; and the FORWARD rules below accept all traffic to and from 172.16.16.244, so narrowing them to TCP port 22 is tighter.

vim /etc/sysconfig/iptables

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 172.16.16.44/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.16.244:22
-A POSTROUTING -d 172.16.16.244/32 -p tcp -m tcp --dport 22 -j SNAT --to-source 172.16.16.44
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FORWARD -s 172.16.16.244/32 -j ACCEPT
-A FORWARD -d 172.16.16.244/32 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


After saving and quitting, restart the iptables service (on RHEL/CentOS, where /etc/sysconfig/iptables lives, that is service iptables restart), and don't forget to enable IP forwarding. The line in /etc/sysctl.conf makes it persist across reboots:

vim /etc/sysctl.conf

net.ipv4.ip_forward = 1

Save and quit, then enable it immediately (sysctl -p applies the whole file; writing to /proc does the same for this one key):

echo "1" >/proc/sys/net/ipv4/ip_forward
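The procedure above as an added example (this is not code from the original post): a shell script that builds the same DNAT/SNAT forward but derives the SNAT source by parsing the output of ip -4 route get <target>, which on a multi-NIC forwarder is the address on the interface facing 172.16.16.244, exactly what --to-source must be for replies to come back. It also narrows the FORWARD rules to TCP port 22 with conntrack states, and adds --ctstate DNAT to the POSTROUTING rule so the SNAT only applies to forwarded connections and not to the forwarder's own outbound SSH sessions to 172.16.16.244. Addresses and ports default to the post's values and can be overridden through environment variables; the ip route get line quoted in the comment is constructed. Nothing is loaded into the kernel unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post: DNAT/SNAT port forward with the
# SNAT source taken from the kernel's route to the target (multi-NIC safe).
# Defaults are the post's addresses; override via environment variables.
set -eu

LISTEN_IP="${LISTEN_IP:-172.16.16.44}"      # address clients connect to
LISTEN_PORT="${LISTEN_PORT:-80}"            # port clients connect to
TARGET_IP="${TARGET_IP:-172.16.16.244}"     # real SSH server
TARGET_PORT="${TARGET_PORT:-22}"

# Pull the "src X" field out of `ip -4 route get <target>` output.
# Constructed example of that output:
#   172.16.16.244 dev eth1 src 172.16.16.44 uid 0
#       cache
# Prints nothing when no src field is present (e.g. "Network is unreachable").
route_src_from_output() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i+1); exit } }'
}

# Ask the kernel which local address it would use to reach the target. On a
# multi-NIC host this is the address on the interface facing the target, which
# is the only --to-source value for which the target's replies route back here.
snat_source_for() {
    route_src_from_output "$(ip -4 route get "$1")"
}

# Emit the iptables commands, one per line, for a given SNAT source address.
# --ctstate DNAT limits the SNAT to connections that were DNATed on the way in,
# so the forwarder's own SSH sessions to the target keep their real source.
# FORWARD is opened only for TCP port 22 to the target and its replies.
build_rules() {
    snat_ip="$1"
    cat <<EOF
iptables -t nat -A PREROUTING -d ${LISTEN_IP}/32 -p tcp --dport ${LISTEN_PORT} -j DNAT --to-destination ${TARGET_IP}:${TARGET_PORT}
iptables -t nat -A POSTROUTING -d ${TARGET_IP}/32 -p tcp --dport ${TARGET_PORT} -m conntrack --ctstate DNAT -j SNAT --to-source ${snat_ip}
iptables -A FORWARD -d ${TARGET_IP}/32 -p tcp --dport ${TARGET_PORT} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s ${TARGET_IP}/32 -p tcp --sport ${TARGET_PORT} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Enable forwarding and load the rules (requires root, iproute2 and iptables).
apply_rules() {
    snat_ip="$(snat_source_for "$TARGET_IP")"
    if [ -z "$snat_ip" ]; then
        echo "no route to ${TARGET_IP}; refusing to install a SNAT with no return path" >&2
        return 1
    fi
    sysctl -w net.ipv4.ip_forward=1
    build_rules "$snat_ip" | sh -e -x
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
fi
```

Run it once without APPLY to review the rules it would install (build_rules "$(snat_source_for 172.16.16.244)" from an interactive shell), then with APPLY=1 to load them. The refusal when ip route get returns no src is deliberate: installing the SNAT with a guessed address is how the silent multi-NIC failure described above happens.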