Ubuntu as a NAT gateway with iptables

I am trying to configure Ubuntu 14.04 as a NAT gateway between a private network and a public network.

> Public interface -> eth0 (178.x.x.x)
> Private interface -> eth0:0 (192.168.206.190/17)

I have tried many combinations of iptables rules, but I cannot get traffic routed. I have confirmed that the gateway can reach the internet, that the hosts on the private network can reach the gateway, and that their default gateway is set correctly.

net.ipv4.ip_forward = 1 is set in sysctl.

My iptables rules are below. I have very little iptables experience, so I have most likely missed something.

# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*security
:INPUT ACCEPT [215:14912]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [133:16208]
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*raw
:PREROUTING ACCEPT [215:14912]
:OUTPUT ACCEPT [133:16208]
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*nat
:PREROUTING ACCEPT [3:132]
:INPUT ACCEPT [3:132]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*mangle
:PREROUTING ACCEPT [215:14912]
:INPUT ACCEPT [215:14912]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [133:16208]
:POSTROUTING ACCEPT [133:16208]
COMMIT
# Completed on Thu Apr 21 12:38:44 2016
# Generated by iptables-save v1.4.21 on Thu Apr 21 12:38:44 2016
*filter
:INPUT ACCEPT [46:3296]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28:3484]
-A FORWARD -i eth0:0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0:0 -j ACCEPT
COMMIT
# Completed on Thu Apr 21 12:38:44 2016

iptables -L -v

Chain INPUT (policy ACCEPT 15 packets, 1044 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets,0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth0:0 eth0    anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth0:0  anywhere             anywhere

Chain OUTPUT (policy ACCEPT 10 packets, 1016 bytes)
 pkts bytes target     prot opt in     out     source               destination

Here is the configuration of a host on the private network:

netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         nat             0.0.0.0         UG        0 0          0 eth0
192.168.128.0   *               255.255.128.0   U         0 0          0 eth0

ping 'nat' confirms that the host can see 'nat':

ping nat
PING nat (192.168.206.190) 56(84) bytes of data.
64 bytes from nat (192.168.206.190): icmp_seq=1 ttl=64 time=0.359 ms

ping 8.8.8.8 shows that no traffic is being routed:

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

I think the problem is with this rule
-A FORWARD -i eth0:0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

You have to swap the positions of the interfaces

-A FORWARD -i eth0 -o eth0:0 -m state --state RELATED,ESTABLISHED -j ACCEPT
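An added example from the editor, not code from the question or the answer above. One thing worth checking in any ruleset of this shape: an alias label such as eth0:0 is only a label on a secondary address, not a separate network device, so packets from the private hosts are seen by netfilter as arriving on eth0 and a `-i eth0:0` or `-o eth0:0` match can never fire. The script below lints an iptables-save dump for such rules and then emits a NAT-gateway ruleset that identifies the private side by its address range instead of by device. The sample dump is constructed from the rules posted in the question; the subnet 192.168.128.0/17 is taken from the private host's routing table above; the layout (private hosts sharing the public NIC via the alias address) is an assumption matching the question.

```shell
#!/bin/sh
# Added example (not from the original post). Two helpers:
#   find_alias_iface_rules  - print iptables-save rules whose -i/-o argument is
#                             an alias label (contains ':'), which never match
#                             because the kernel delivers the packet on the
#                             parent device (eth0).
#   nat_gateway_rules       - emit a ruleset for a single-NIC NAT gateway that
#                             matches the private side by subnet, not device.

# Constructed dump, reduced from the question's ruleset.
SAMPLE_DUMP='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i eth0:0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0:0 -j ACCEPT
COMMIT'

# $1 = iptables-save text. Prints each -A rule that uses an alias label in
# -i or -o; prints nothing when the dump is clean.
find_alias_iface_rules() {
    printf '%s\n' "$1" | awk '
        /^-A/ {
            for (i = 1; i <= NF; i++)
                if (($i == "-i" || $i == "-o") && index($(i+1), ":") > 0) {
                    print
                    break
                }
        }'
}

# $1 = WAN interface, $2 = private subnet (CIDR). Prints the iptables
# commands; pipe to sh on the gateway to apply them (assumed layout: the
# private hosts live behind an alias address on the same NIC as the WAN).
nat_gateway_rules() {
    wan="$1"
    lan="$2"
    cat <<EOF
iptables -t nat -A POSTROUTING -s $lan ! -d $lan -o $wan -j MASQUERADE
iptables -A FORWARD -s $lan -j ACCEPT
iptables -A FORWARD -d $lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Show the rules in the sample dump that can never match, then print a
# ruleset for the question's addressing (WAN eth0, private 192.168.128.0/17).
find_alias_iface_rules "$SAMPLE_DUMP"
nat_gateway_rules eth0 192.168.128.0/17
```

Matching the private side by source subnet rather than by device means any host on that shared segment that spoofs a 192.168.128.0/17 source address is forwarded and masqueraded as well; on a segment you do not fully control, put the private hosts on their own NIC or VLAN so that a real `-i` match is possible. The `-P FORWARD DROP` line is there because the posted ruleset leaves FORWARD at policy ACCEPT, which forwards everything regardless of the two explicit rules.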
