请帮忙写个iptables防火墙规则

oyqiaojin

serverA:
          IP:192.168.1.200(内网)
          操作系统:windows  server  2008  
         

serverB
         IP1:192.168.1.100(内网)
         IP2:101.68.70.84(外网)
         操作系统centos 6.3


现在我要使,外网的机器访问serverB UDP协议的162端口时映射到serverA的UDP协议的161端口.
请问如何操作?

chenyx

try

1. iptables -t nat -A PREROUTING -d 101.68.70.84 -p udp --dport 162 -j DNAT --to 192.168.1.200:161

复制代码

oyqiaojin

回复 2# chenyx
  请看我的规则
# Generated by iptables-save v1.4.7 on Thu Mar 14 19:11:09 2013
*nat
REROUTING ACCEPT [0:0]
OSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 180.168.36.245/32 -p udp -m udp --dport 162 -j DNAT --to-destination 192.168.1.104:161
-A PREROUTING -d 180.168.36.245/32 -p udp -m udp --dport 162 -j DNAT --to-destination 192.168.1.101:161
COMMIT
# Completed on Thu Mar 14 19:11:09 2013
# Generated by iptables-save v1.4.7 on Thu Mar 14 19:11:09 2013
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -s 60.195.252.107/32 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -s 60.195.252.110/32 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -s 60.195.252.107/32 -p udp -m udp --dport 162 -j ACCEPT
-A INPUT -s 60.195.252.110/32 -p udp -m udp --dport 162 -j ACCEPT

-A INPUT -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 20/sec --limit-burst 200 -j ACCEPT

-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i em1 -p tcp -m tcp --dport 23245 -j ACCEPT
-A INPUT -i em1 -p tcp -m tcp --dport 80 -j ACCEPT
         
-A FORWARD -s 192.168.1.0/24 -o em2 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
            
-A INPUT -i em2 -j ACCEPT
COMMIT


不知道问题出在哪

   

oyqiaojin

我自己回答：
少了这句
iptables -t nat -A POSTROUTING -j MASQUERADE