One NAT host with two NICs: an internal address INIP and an external address WANIP.
One web server with internal address WEBIP, whose gateway is INIP.
Internal network: 192.168.0.0/24
iptables rules:
1. filter table
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 WANIP tcp multiport dports 10000,22
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 WEBIP tcp dpt:80
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.0.0/24 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
2. nat table
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 WANIP tcp dpt:80 to:WEBIP:80
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- 0.0.0.0/0 WEBIP tcp dpt:80 to:INIP # The problem is with this rule: if it is removed, the outside cannot reach the web server, but with it added, the outside can. I thought DNAT alone would be enough to let the outside reach the internal server, so why is SNAT needed?
SNAT all -- 192.168.0.0/24 0.0.0.0/0 to:WANIP
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
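To make the two translation steps concrete, here is a small model of the nat table from the post, written as an added example (not code from the post or from the iptables project). It walks one client request through PREROUTING DNAT, then through POSTROUTING with and without the questioned SNAT-to-INIP rule, and checks where the web server's reply is routed. The addresses are constructed placeholders for WANIP/INIP/WEBIP/the client; the web server's routing tables are also constructed: one matches the post (default gateway INIP), the other is a hypothetical case where the server's route back to the client does not pass through the NAT host, which is the situation where forcing the source to INIP changes the outcome. The model deliberately ignores source ports and conntrack timeouts.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed placeholder addresses standing in for the post's WANIP / INIP / WEBIP.
WANIP = "203.0.113.10"     # NAT host, external NIC
INIP = "192.168.0.1"       # NAT host, internal NIC (the web server's gateway in the post)
WEBIP = "192.168.0.10"     # web server
CLIENT = "198.51.100.7"    # constructed external browser
LAN = ipaddress.ip_network("192.168.0.0/24")

# Constructed web-server routing tables: (network, gateway); "direct" = on-link.
ROUTES_GW_INIP = [("192.168.0.0/24", "direct"), ("0.0.0.0/0", INIP)]
ROUTES_OTHER_GW = [("192.168.0.0/24", "direct"), ("0.0.0.0/0", "192.168.0.254")]  # hypothetical


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def nat_prerouting(pkt: Packet) -> Packet:
    """nat PREROUTING from the post: DNAT tcp dst WANIP dpt:80 to WEBIP:80."""
    if pkt.dst == WANIP and pkt.dport == 80:
        return replace(pkt, dst=WEBIP)
    return pkt


def nat_postrouting(pkt: Packet, snat_to_inip: bool) -> Packet:
    """nat POSTROUTING from the post, first match wins.

    The questioned rule (SNAT dst WEBIP dpt:80 to INIP) is applied only when
    snat_to_inip is True; the LAN -> WANIP SNAT is always present.
    """
    if snat_to_inip and pkt.dst == WEBIP and pkt.dport == 80:
        return replace(pkt, src=INIP)
    if ipaddress.ip_address(pkt.src) in LAN:
        return replace(pkt, src=WANIP)
    return pkt


def next_hop(dst: str, routes):
    """Longest-prefix match over (network, gateway) pairs."""
    best = None
    for net, gw in routes:
        net = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def simulate(snat_to_inip: bool, server_routes) -> dict:
    """Client -> WANIP:80 request, then the server's reply, through the NAT host."""
    request = Packet(src=CLIENT, dst=WANIP, dport=80)
    # What the web server actually receives after both nat chains ran.
    translated = nat_postrouting(nat_prerouting(request), snat_to_inip)
    # The server answers whoever it believes sent the request.
    reply = Packet(src=translated.dst, dst=translated.src, dport=0)
    hop = next_hop(reply.dst, server_routes)
    # The reply reaches the NAT host if it is addressed to INIP itself or
    # routed via INIP; only then can conntrack reverse both translations.
    via_nat_host = reply.dst == INIP or hop == INIP
    return {
        "server_sees_src": translated.src,
        "reply_dst": reply.dst,
        "reply_via_nat_host": via_nat_host,
        # Reversed by conntrack on the way back, or leaked with the private
        # source if the reply bypassed the NAT host (client's TCP stack will
        # not match it to its connection).
        "client_sees_src": WANIP if via_nat_host else WEBIP,
    }


if __name__ == "__main__":
    for snat in (False, True):
        for name, routes in (("gw=INIP", ROUTES_GW_INIP), ("gw=other", ROUTES_OTHER_GW)):
            print(f"snat_to_inip={snat!s:5} server {name:9} -> {simulate(snat, routes)}")
```

With the server's default gateway set to INIP, as the post describes, the model shows DNAT alone completing the round trip and the server seeing the real client address. With the SNAT rule in place the round trip completes regardless of the server's routing, at the cost that every request appears to the web server (and its access logs) as coming from INIP, which is worth remembering when reviewing those logs for abuse.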