双网卡squid代理，iptables的配置问题

kevin_chu

1. 系统环境，服务器2台，A和B，网络配置如下：    1）A服务器：双网卡，并配置有vlan，具体信息

        2: eth0: IP 10.255.10.4/24 （外网）
        3: eth1:
        4: eth1.100@eth1: IP 192.168.100.1/24 （内网）

    2）B服务器，单网卡，配有vlan，具体信息
        2: enp4s0f0
        16: enp4s0f0.100@enp4s0f0: ip为 192.168.100.2/24 （内网）
由于B服务器处于内网，无法与外部相连，需要通过A服务器访问。A服务器的用途为B服务器的NAT端口转发（ssh 22），B服务器的squid代理服务器。

2. 问题：现在已经可以通过nat实现B服务器的访问管理，配置完squid代理后，B访问报错，报错内容“http://mirrors.aliyun.com/centos/7/os/x86_64/repodata/repomd.xml: [Errno 14] curl#7 - "Failed connect to 192.168.100.1:3128; No route to host"
”，请问如何配置squid代理和防火墙？

kevin_chu

iptables配置# Generated by iptables-save v1.4.7 on Sat Apr 29 09:56:57 2017
*nat
# REROUTING ACCEPT [15:1777]
# OSTROUTING ACCEPT [4:286]
# :OUTPUT ACCEPT [4:286]
REROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
OSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -d 10.255.10.4/32 --dport 7222 -j DNAT --to-destination 192.168.100.2:22
-A POSTROUTING -p tcp -m tcp -d 192.168.100.2/32 --dport 22 -j SNAT --to-source 192.168.100.1

COMMIT
# Completed on Sat Apr 29 09:56:57 2017
# Generated by iptables-save v1.4.7 on Sat Apr 29 09:56:57 2017
*filter
# :INPUT ACCEPT [0:0]
# :FORWARD ACCEPT [0:0]
# :OUTPUT ACCEPT [1972:197622]
:INPUT ACCEPT [202:53879]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [84:8444]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7222 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# -A FORWARD -j REJECT --reject-with icmp-host-prohibited

kevin_chu

问题应该是在iptables的策略上，因为停掉防火墙访问正常。但不知道怎么配置。

kevin_chu

问题解决了，现在的策略如下，请问下面那个策略有用哪些策略没用呢？
# Generated by iptables-save v1.4.7 on Thu May  4 13:30:13 2017
*filter
:INPUT ACCEPT [74:8590]
:FORWARD ACCEPT [4237:691352]
:OUTPUT ACCEPT [22718:1253894]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 3128 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 3128 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -j ACCEPT
COMMIT
# Completed on Thu May  4 13:30:13 2017
# Generated by iptables-save v1.4.7 on Thu May  4 13:30:13 2017
*nat
REROUTING ACCEPT [1048:78853]
OSTROUTING ACCEPT [58:4465]
:OUTPUT ACCEPT [58:4465]
-A PREROUTING -d 10.255.10.4/32 -p tcp -m tcp --dport 7222 -j DNAT --to-destination 192.168.100.2:22
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 10.255.10.1
-A PREROUTING -s 192.168.100.0/24 -p tcp -m multiport --dports 80,443 -j REDIRECT --to-ports 3128
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 223.5.5.5
-A POSTROUTING -d 192.168.100.2/32 -p tcp -m tcp --dport 22 -j SNAT --to-source 192.168.100.1
COMMIT
# Completed on Thu May  4 13:30:13 2017
还有个问题，我去掉的这两个策略是什么意思呢？
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited