
Why does my iptables NAT not take effect? So frustrating, please help

[Unresolved question]

Two machines. The first machine's eth0 is:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.101.196.229 netmask 255.255.255.192 broadcast 10.101.196.255
ether 44:8a:5b:dc:09:f0 txqueuelen 1000 (Ethernet)
RX packets 10686458262 bytes 10973523980186 (9.9 TiB)
RX errors 0 dropped 437544 overruns 0 frame 0
TX packets 11952718833 bytes 12835727709250 (11.6 TiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

There is also a process S that uses a bridged virtual NIC:
virbr0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:6f:08:16 txqueuelen 0 (Ethernet)
RX packets 168 bytes 24912 (24.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 256 bytes 47472 (46.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

Now, after process S starts (it is an HTTP service), its status is as follows:
DHCP sending discover
DHCP Got offer for 192.168.122.18
DHCP sending request for 192.168.122.18
DHCP Got ack on request
DHCP ip: 192.168.122.18
DHCP nm: 255.255.255.0
DHCP gw: 192.168.122.1

On this machine I run: curl 192.168.122.18:10000, and it returns a response.
Now I want to access this service from the other machine,
so I want to use NAT to translate the external address to the internal service 192.168.122.18:10000.

The configuration is as follows:
sudo iptables -t nat -A PREROUTING -d 10.101.196.229 -p tcp --dport 10000 -j DNAT --to 192.168.122.18:10000
sudo iptables -t nat -A POSTROUTING -d 192.168.122.18 -p tcp --dport 10000 -j SNAT --to 10.101.196.229

Output of iptables -S:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N HYPER
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i hyper0 -p tcp -m tcp --dport 9997 -j ACCEPT
-A INPUT -i hyper0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i hyper0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i hyper0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o hyper0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i hyper0 -j HYPER
-A FORWARD -o hyper0 -j HYPER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.122.18/32 -p tcp -m tcp --dport 10000 -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT

On the other machine I run: curl 10.101.196.229:10000 and it does not work. Why is that? I have been stuck on this for several days! Please help~~~

xiaodaodao | Beginner, level 1 | 园豆: 114
Asked on: 2017-10-25 00:21
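The pasted filter ruleset already shows why the remote curl fails. The FORWARD chain has libvirt's catch-all `-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable` above the `-A FORWARD -d 192.168.122.18/32 -p tcp -m tcp --dport 10000 -j ACCEPT` that was appended with `-A`. A connection from the second machine is DNAT'd in PREROUTING to 192.168.122.18, routed out virbr0, and then walks FORWARD: the first rule only accepts RELATED,ESTABLISHED, the next two need `-i virbr0`, and the fourth rejects it. The ACCEPT at the bottom is never consulted. Two other things the post does not show and that must be confirmed on the host: `net.ipv4.ip_forward` has to be 1, and `iptables -S` without `-t nat` lists only the filter table, so the DNAT rule needs `iptables -t nat -S` to be verified. The script below is an added example written for this page, not code from the poster: it embeds the pasted FORWARD chain as sample input, flags the shadowing, and keeps the corrected commands in a function (`shadowed_by_reject` and `apply_fix` are hypothetical names) that is only meant to be run as root on the real host.

```shell
#!/bin/sh
# Added example, not code from the original post. It checks rule order in the
# FORWARD chain the poster pasted and holds the corrected commands in a
# function. Function names (shadowed_by_reject, apply_fix) are hypothetical.

# FORWARD chain copied from the post, embedded so the check runs offline.
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.122.18/32 -p tcp -m tcp --dport 10000 -j ACCEPT'

# shadowed_by_reject RULESET DEST IFACE
# Prints the 1-based chain positions of the first catch-all "-o IFACE -j REJECT"
# and of the first "-d DEST ... -j ACCEPT". Returns 0 (true) when the REJECT
# sits above the ACCEPT, i.e. a NEW connection to DEST leaving via IFACE is
# rejected before the ACCEPT is ever consulted.
shadowed_by_reject() {
    printf '%s\n' "$1" | awk -v dest="$2" -v ifc="$3" '
        /^-A FORWARD/ { n++ }
        index($0, "-o " ifc " -j REJECT") && !rej { rej = n }
        index($0, "-d " dest) && /-j ACCEPT/ && !acc { acc = n }
        END {
            printf "reject_at=%d accept_at=%d\n", rej, acc
            status = (rej && acc && rej < acc) ? 0 : 1
            exit status
        }'
}

# Corrected setup. Run as root on the host itself; it is never called here so
# the offline check above does not touch the live firewall.
apply_fix() {
    # 1. The host must actually route between eth0 and virbr0.
    sysctl -w net.ipv4.ip_forward=1

    # 2. Insert the ACCEPT at position 1 so it precedes libvirt's REJECT, and
    #    scope it to the one flow being published rather than the whole guest.
    iptables -I FORWARD 1 -o virbr0 -d 192.168.122.18/32 -p tcp --dport 10000 \
        -m conntrack --ctstate NEW -j ACCEPT

    # 3. Keep the DNAT from the post, added idempotently, then list the nat
    #    table explicitly: plain "iptables -S" never shows it.
    iptables -t nat -C PREROUTING -d 10.101.196.229 -p tcp --dport 10000 \
        -j DNAT --to-destination 192.168.122.18:10000 \
        || iptables -t nat -A PREROUTING -d 10.101.196.229 -p tcp --dport 10000 \
            -j DNAT --to-destination 192.168.122.18:10000
    iptables -t nat -S
}

if shadowed_by_reject "$SAMPLE_FORWARD" 192.168.122.18/32 virbr0; then
    echo "ACCEPT for 192.168.122.18:10000 is shadowed by the virbr0 REJECT; run apply_fix as root"
fi
```

Return traffic from the guest arrives on virbr0 and is already accepted by libvirt's `-s 192.168.122.0/24 -i virbr0 -j ACCEPT`, so the inserted rule only needs to admit the NEW inbound flow; the SNAT rule from the post is not required for a remote client but is harmless if it stays.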
All answers (0)