I am trying to configure Ubuntu 14.04 as a NAT gateway between a private network and a public network.
> Public interface -> eth0 (178.x.x.x)
> Private interface -> eth0:0 (192.168.206.190/17)
I have tried many combinations of iptables rules, but I cannot get traffic to route. I have confirmed that the gateway can see the internet, that hosts on the private network can see the gateway, and that their default gateway is set correctly.
net.ipv4.ip_forward = 1 is set in sysctl.
My iptables rules are below. I have very little iptables experience, so I have most likely missed something.
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*security
:INPUT ACCEPT [215:14912]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [133:16208]
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*raw
:PREROUTING ACCEPT [215:14912]
:OUTPUT ACCEPT [133:16208]
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*nat
:PREROUTING ACCEPT [3:132]
:INPUT ACCEPT [3:132]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*mangle
:PREROUTING ACCEPT [215:14912]
:INPUT ACCEPT [215:14912]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [133:16208]
:POSTROUTING ACCEPT [133:16208]
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*filter
:INPUT ACCEPT [46:3296]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28:3484]
-A FORWARD -i eth0:0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0:0 -j ACCEPT
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
iptables -L -v
Chain INPUT (policy ACCEPT 15 packets, 1044 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0:0 eth0    anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0:0  anywhere             anywhere

Chain OUTPUT (policy ACCEPT 10 packets, 1016 bytes)
 pkts bytes target     prot opt in     out     source               destination
Here is the configuration of a host on the private network:
netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         nat             0.0.0.0         UG        0 0          0 eth0
192.168.128.0   *               255.255.128.0   U         0 0          0 eth0
Pinging 'nat' confirms that the host can see 'nat':
ping nat
PING nat (192.168.206.190) 56(84) bytes of data.
64 bytes from nat (192.168.206.190): icmp_seq=1 ttl=64 time=0.359 ms
Pinging 8.8.8.8 shows that no traffic is being routed:
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
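An added example, not taken from the question or the answer: a POSIX shell script that builds a complete ruleset for a gateway like this one in iptables-restore format, so it can be reviewed before it is loaded. It assumes the values from the question (public interface eth0, private subnet 192.168.128.0/17); change WAN_IF and LAN_NET for another host. Two points it encodes. First, iptables `-i`/`-o` match the name of a real network interface, and an address alias such as eth0:0 is not one, so the two FORWARD rules in the question can never match (their packet counters stay at 0 in the `iptables -L -v` output above); because both sides here share one physical interface, the private side is matched by its subnet instead. Second, the FORWARD policy is DROP with explicit accepts rather than ACCEPT, so the gateway forwards only what the rules allow, and MASQUERADE is restricted to the private subnet rather than applied to everything leaving eth0.

```shell
#!/bin/sh
# Added example (not the poster's configuration): generate an iptables-restore
# ruleset for a NAT gateway whose public and private addresses share one
# physical interface (eth0 carries 178.x.x.x, the alias eth0:0 carries
# 192.168.206.190/17). Assumed values taken from the question:
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.128.0/17}"

# Print the ruleset. Interface matches (-i/-o) only ever see the real interface
# name, never an address alias such as eth0:0, so the private side is matched
# by its subnet. Lines starting with '#' are ignored by iptables-restore.
gen_nat_rules() {
    wan="$1"
    lan="$2"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only rewrite traffic that really comes from the private subnet.
-A POSTROUTING -s $lan -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the private hosts opened.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# New connections from the private subnet towards the internet.
-A FORWARD -s $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
# Anything else, including unsolicited inbound traffic to private hosts,
# is dropped by the FORWARD policy.
COMMIT
EOF
}

# Return 0 if the generated ruleset contains exactly the given line; used to
# check the output before loading it.
has_rule() {
    gen_nat_rules "$1" "$2" | grep -Fxq -- "$3"
}

# Return 0 if the kernel is forwarding IPv4 (the question already had this set).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Load the ruleset atomically; needs root and iptables-restore on the gateway.
apply_nat_rules() {
    gen_nat_rules "$WAN_IF" "$LAN_NET" | iptables-restore
}

# Usage: ./nat-rules.sh         prints the ruleset for review
#        ./nat-rules.sh apply   loads it (as root) after checking ip_forward
if [ "${1:-}" = "apply" ]; then
    forwarding_enabled || { echo "net.ipv4.ip_forward is not 1" >&2; exit 1; }
    apply_nat_rules
else
    gen_nat_rules "$WAN_IF" "$LAN_NET"
fi
```

After loading, `iptables -L FORWARD -v -n` should show the counters on the two FORWARD rules increasing while a private host pings 8.8.8.8; counters that stay at zero on an interface-based rule are the usual sign that the interface name in the rule is not what the kernel sees on the packet.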
I think the problem is this rule
-A FORWARD -i eth0:0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
You have to swap the positions of the interfaces
-A FORWARD -i eth0 -o eth0:0 -m state --state RELATED,ESTABLISHED -j ACCEPT