Originally posted by skylove on 2006-3-1 17:47
Redirecting twice like this isn't worth it; in fact DNAT has no problem at all, it's not that the redirect fails.
Ugh, neither you nor q1208c understood what I meant: as soon as a packet has been processed by a target, it leaves the netfilter matching framework.
Let me give an example.
[root@PT_LINUX root]# iptables -t nat -I PREROUTING -s 61.48.85.30 -p tcp --dport 80 -j REDIRECT --to 23
[root@PT_LINUX root]# iptables -t nat -I PREROUTING 2 -s 61.48.85.30 -p tcp --dport 23 -j REDIRECT --to 21
Two rules have been added: traffic from my IP to TCP/80 is first redirected to TCP/23, then redirected to TCP/21.
[root@PT_LINUX root]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 778K packets, 80M bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- * * 61.48.85.30 0.0.0.0/0 tcp dpt:80 redir ports 23
0 0 REDIRECT tcp -- * * 61.48.85.30 0.0.0.0/0 tcp dpt:23 redir ports 21
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:26881 to:172.17.39.3
0 0 DNAT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:26881 to:172.17.39.3
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:36881 to:172.17.39.3
0 0 DNAT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:36881 to:172.17.39.3
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8881 to:172.25.39.2
0 0 DNAT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:8881 to:172.25.39.2
Chain POSTROUTING (policy ACCEPT 179K packets, 7202K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * ppp0 172.17.39.0/24 0.0.0.0/0
50 3200 MASQUERADE all -- * ppp0 172.25.39.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 2449 packets, 132K bytes)
pkts bytes target prot opt in out source destination
By your theory, after I `telnet IP 80` there should be no response (because I have a telnet service but no ftp service), and both rules should have matched packets.
[root@PT_LINUX root]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 778K packets, 80M bytes)
pkts bytes target prot opt in out source destination
1 48 REDIRECT tcp -- * * 61.48.85.30 0.0.0.0/0 tcp dpt:80 redir ports 23
0 0 REDIRECT tcp -- * * 61.48.85.30 0.0.0.0/0 tcp dpt:23 redir ports 21
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:26881 to:172.17.39.3
0 0 DNAT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:26881 to:172.17.39.3
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:36881 to:172.17.39.3
0 0 DNAT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:36881 to:172.17.39.3
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8881 to:172.25.39.2
0 0 DNAT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:8881 to:172.25.39.2
Chain POSTROUTING (policy ACCEPT 179K packets, 7202K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * ppp0 172.17.39.0/24 0.0.0.0/0
68 4352 MASQUERADE all -- * ppp0 172.25.39.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 2451 packets, 133K bytes)
pkts bytes target prot opt in out source destination
[root@PT_LINUX root]#
And in reality? After I `telnet IP 80`, the login prompt appeared, and the second rule matched nothing at all. Do you understand what I'm saying now?
I already explained this in posts #34 and #41.
[ This post was last edited by platinum on 2006-3-1 18:32 ]
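The argument above rests on comparing the `iptables -vnL -t nat` counters before and after one connection. As an added example (not code from the post or its author), the script below parses two such snapshots and reports exactly which rules' counters moved; the snapshots are constructed from the PREROUTING chain shown above, with the other chains omitted.

```python
import re

# Constructed snapshots modelled on the post's `iptables -vnL -t nat` output:
# the PREROUTING chain before and after one telnet to TCP/80.
BEFORE = """\
Chain PREROUTING (policy ACCEPT 778K packets, 80M bytes)
 pkts bytes target prot opt in out source destination
    0     0 REDIRECT tcp -- * * 61.48.85.30 0.0.0.0/0 tcp dpt:80 redir ports 23
    0     0 REDIRECT tcp -- * * 61.48.85.30 0.0.0.0/0 tcp dpt:23 redir ports 21
"""
AFTER = BEFORE.replace("    0     0 REDIRECT tcp -- * * 61.48.85.30 0.0.0.0/0 tcp dpt:80",
                       "    1    48 REDIRECT tcp -- * * 61.48.85.30 0.0.0.0/0 tcp dpt:80")

SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}

def parse_count(tok):
    """iptables -v abbreviates big counters (778K, 80M); expand them to integers."""
    return int(tok[:-1]) * SUFFIX[tok[-1]] if tok[-1] in SUFFIX else int(tok)

def parse_rules(text):
    """Map (chain, rule number) -> (pkts, bytes, rule text); rule 0 is the chain policy."""
    rules, chain, n = {}, None, 0
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy \S+ (\S+) packets, (\S+) bytes|.*)\)", line)
        if m:
            chain, n = m.group(1), 0
            if m.group(2):
                rules[(chain, 0)] = (parse_count(m.group(2)), parse_count(m.group(3)), "policy")
            continue
        parts = line.split()
        if chain and parts and parts[0] != "pkts":  # skip the column header line
            n += 1
            rules[(chain, n)] = (parse_count(parts[0]), parse_count(parts[1]), " ".join(parts[2:]))
    return rules

def counter_deltas(before, after):
    """List (chain, rule#, +pkts, +bytes, text) for every rule whose counters moved."""
    b, a = parse_rules(before), parse_rules(after)
    return [(c, n, pk - b[(c, n)][0], by - b[(c, n)][1], text)
            for (c, n), (pk, by, text) in a.items() if (c, n) in b and (pk, by) != b[(c, n)][:2]]

if __name__ == "__main__":
    for chain, n, dp, db, text in counter_deltas(BEFORE, AFTER):
        print(f"{chain} rule {n}: +{dp} pkts +{db} bytes  {text}")
    # Only rule 1 fires: REDIRECT is a terminating target, so traversal stops there, and
    # the nat table only sees a connection's first packet, so rule 2 (dpt:23) never matches.
```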