Tom*_*art 11 networking iptables nat
I'd like to redirect local requests to a port which is translated with NAT. I have the following rules:
iptables -t nat -A PREROUTING -p tcp --dport 9020 -j DNAT --to 10.0.3.11:80
However, requests coming from localhost are rejected:
wget http://127.0.0.1:9020
Connecting to 127.0.0.1:9020... failed: Connection refused.
When I connect from any other computer, it works. Is there a way to do this without recompiling the kernel with CONFIG_IP_NF_NAT_LOCAL=y? https://wiki.debian.org/Firewalls-local-port-redirection (seems outdated).
Update:
iptables -L -v -n --line-numbers -t nat:
Chain PREROUTING (policy ACCEPT 26 packets, 3230 bytes)
num pkts bytes target prot opt in out source destination
4 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9020 to:10.0.3.11:80
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MASQUERADE all -- * * 10.0.0.0/16 0.0.0.0/0
Tom*_*art 12
Based on @Hauke Laging's comment, I put together the following:
# connections from outside
iptables -t nat -A PREROUTING -p tcp --dport 9020 -j DNAT --to 10.0.3.11:80
# for local connection
iptables -t nat -A OUTPUT -p tcp --dport 9020 -j DNAT --to 10.0.3.11:80
# Masquerade local subnet
iptables -t nat -A POSTROUTING -s 10.0.3.0/16 -j MASQUERADE
iptables -A FORWARD -o lxcbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i lxcbr0 -o eth0 -j ACCEPT
iptables -A FORWARD -i lxcbr0 -o lo -j ACCEPT
where lxcbr0 is the interface in the 10.0.3.0/16 subnet and eth0 is the interface with the public IP address.
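The reason the first rule set fails for localhost is the one the answer's second rule addresses: packets that arrive on an interface traverse nat/PREROUTING, while packets generated by the host itself skip PREROUTING and traverse nat/OUTPUT, so a DNAT present only in PREROUTING never sees a connection to 127.0.0.1. The following is an added example, not code from the question or the answer: a small Python check that parses the `iptables -L -v -n --line-numbers -t nat` listing format shown in the question's update and reports whether the DNAT for a given port exists in both chains and points at the same destination. The two listings it parses are constructed to mirror the question's output, before and after the OUTPUT rule is added; the function names are assumptions of this example.

```python
import re

# Constructed sample listings, modelled on the `iptables -L -v -n --line-numbers -t nat`
# output in the question. They are not captured from a real host.
HEADER = "num   pkts bytes target     prot opt in     out     source               destination"
DNAT_9020 = "DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9020 to:10.0.3.11:80"
MASQ = "MASQUERADE all  --  *      *       10.0.0.0/16          0.0.0.0/0"


def _listing(with_output_rule):
    """Build a nat-table listing with the DNAT in PREROUTING and optionally in OUTPUT."""
    output_rules = [f"1        0     0 {DNAT_9020}"] if with_output_rule else []
    return "\n".join([
        "Chain PREROUTING (policy ACCEPT 26 packets, 3230 bytes)", HEADER,
        f"4        0     0 {DNAT_9020}", "",
        "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)", HEADER, "",
        "Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)", HEADER, *output_rules, "",
        "Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)", HEADER,
        f"1        0     0 {MASQ}", "",
    ])


LISTING_PREROUTING_ONLY = _listing(with_output_rule=False)  # the question's state
LISTING_WITH_OUTPUT = _listing(with_output_rule=True)       # after the answer's OUTPUT rule


def parse_nat_listing(text):
    """Parse the listing into {chain_name: [rule, ...]}.

    Each rule keeps the fixed columns plus 'match', the trailing free-form
    match/target text split into tokens (e.g. ['tcp', 'dpt:9020', 'to:10.0.3.11:80']).
    """
    chains = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^Chain (\S+)", line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        fields = line.split()
        # Skip blank lines, the column header line, and anything before the first chain.
        if current is None or len(fields) < 10 or fields[0] == "num":
            continue
        chains[current].append({
            "num": int(fields[0]),
            "target": fields[3],
            "prot": fields[4],
            "in": fields[6],
            "out": fields[7],
            "source": fields[8],
            "destination": fields[9],
            "match": fields[10:],
        })
    return chains


def dnat_targets(chains, chain, dport):
    """Return the 'to:' destinations of DNAT rules in `chain` matching TCP port `dport`."""
    targets = []
    for rule in chains.get(chain, []):
        # Token comparison, so dpt:9020 does not also match dpt:90200.
        if rule["target"] != "DNAT" or f"dpt:{dport}" not in rule["match"]:
            continue
        targets += [tok[len("to:"):] for tok in rule["match"] if tok.startswith("to:")]
    return targets


def check_port_redirect(listing, dport):
    """Report whether the redirect for `dport` covers remote and local clients.

    PREROUTING handles packets arriving on an interface; OUTPUT handles packets
    the host generates itself, so localhost is only redirected if OUTPUT has the rule.
    """
    chains = parse_nat_listing(listing)
    remote = dnat_targets(chains, "PREROUTING", dport)
    local = dnat_targets(chains, "OUTPUT", dport)
    return {
        "remote_redirected": bool(remote),
        "local_redirected": bool(local),
        # Both chains should send the port to the same backend when both are present.
        "consistent": not remote or not local or set(remote) == set(local),
        "targets": sorted(set(remote) | set(local)),
    }


if __name__ == "__main__":
    for name, listing in (("PREROUTING only", LISTING_PREROUTING_ONLY),
                          ("PREROUTING + OUTPUT", LISTING_WITH_OUTPUT)):
        print(name, check_port_redirect(listing, 9020))
```

On a real host, pass the text of `iptables -L -v -n --line-numbers -t nat` to `check_port_redirect` instead of the constructed listings; a result with `remote_redirected` true and `local_redirected` false is exactly the symptom in the question, and `consistent` false means the two chains redirect the port to different backends.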