Problem with iptables DNAT: "Destination Host Unreachable"
Could you all take a look for me? Thanks in advance.
The iptables rules are as follows (it is really very simple, just one SNAT and one DNAT):
[root@black ~]# cat iptables-nat-only
#!/bin/sh
###########DEFINE###################
LAN_INT="eth0"
WAN_INT="eth1"
##########FLUSH####################
# Flush existing rules in the filter and nat tables
/sbin/iptables -F
/sbin/iptables -t nat -F
##########DEFAULT POLICY###########
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
###########################Open ip_forward ###################
echo "1" >/proc/sys/net/ipv4/ip_forward
#####################localhost Policy########################
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
##########NAT CHAIN###############
# Masquerade everything from the LAN that leaves through the WAN interface
/sbin/iptables -t nat -A POSTROUTING -s 10.4.0.0/16 -o $WAN_INT -j MASQUERADE
# DNAT inbound traffic for the two public addresses to the internal servers
# (the negation goes before the option: "! -s", the old "-s !" form is obsolete)
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.139 ! -s 10.4.3.150 -i $WAN_INT -j DNAT --to-destination 10.4.3.150
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.138 ! -s 10.4.3.119 -i $WAN_INT -j DNAT --to-destination 10.4.3.119
The result is:
[root@black ~]# ping 124.126.86.138
PING 124.126.86.138 (124.126.86.138) 56(84) bytes of data.
From 124.126.86.137 icmp_seq=1 Destination Host Unreachable
From 124.126.86.137 icmp_seq=2 Destination Host Unreachable
From 124.126.86.137 icmp_seq=3 Destination Host Unreachable
From 124.126.86.137 icmp_seq=5 Destination Host Unreachable
From 124.126.86.137 icmp_seq=6 Destination Host Unreachable
The network configuration is also fine.
[root@black ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@black ~]# /sbin/ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:E0:4C:85:DB:D5
inet addr:10.4.1.198 Bcast:10.4.255.255 Mask:255.255.0.0
inet6 addr: fe80::2e0:4cff:fe85:dbd5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:388928 errors:0 dropped:0 overruns:0 frame:0
TX packets:283499 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:360801180 (344.0 MiB) TX bytes:70902224 (67.6 MiB)
Interrupt:9 Base address:0xdc00
eth1 Link encap:Ethernet HWaddr 00:50:BA:CE:CD:17
inet addr:124.126.86.137 Bcast:124.126.87.255 Mask:255.255.248.0
inet6 addr: fe80::250:baff:fece:cd17/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:278040 errors:0 dropped:0 overruns:0 frame:0
TX packets:327738 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:64348624 (61.3 MiB) TX bytes:355518009 (339.0 MiB)
[root@black ~]# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
124.126.80.0 0.0.0.0 255.255.248.0 U 0 0 0 eth1
10.4.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
0.0.0.0 124.126.80.1 0.0.0.0 UG 0 0 0 eth1
On the internal WWW server at the other end, 10.4.3.150:
[root@ntracker ~]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:11:25:57:05:E7
inet addr:10.4.3.150 Bcast:10.4.255.255 Mask:255.255.0.0
inet6 addr: fe80::211:25ff:fe57:5e7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:169483 errors:0 dropped:0 overruns:0 frame:0
TX packets:156909 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:58954478 (56.2 MiB) TX bytes:96535321 (92.0 MiB)
Base address:0x2000 Memory:d0120000-d0140000
The default gateway of 10.4.3.150 points to the firewall, 10.4.1.198:
[root@ntracker ~]# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.4.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.4.1.198 0.0.0.0 UG 0 0 0 eth0
What is going on here? Looking for help!
Comments (1)
Sorry, I made a small mistake in the paste above.
10.4.3.150 corresponds to 124.126.86.139,
but the problem remains:
[root@black ~]# ping 124.126.86.139
PING 124.126.86.139 (124.126.86.139) 56(84) bytes of data.
From 124.126.86.137 icmp_seq=1 Destination Host Unreachable
From 124.126.86.137 icmp_seq=2 Destination Host Unreachable
From 124.126.86.137 icmp_seq=3 Destination Host Unreachable
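Two things in the thread above explain the symptom, independently of the nat rules. First, a "Destination Host Unreachable" reported by the firewall's own address (From 124.126.86.137) means the kernel could not resolve the destination on the directly connected 124.126.80.0/21 segment: nobody answers ARP for 124.126.86.138 or .139, because neither address is configured on eth1 (ifconfig shows only .137). The upstream router hits the same wall for traffic from the Internet. Second, a ping run on the firewall itself is locally generated, so it never passes through the nat PREROUTING chain at all; locally generated packets are rewritten in the nat OUTPUT chain. The script below is an added example, not the poster's script, that reworks the ruleset with both points in mind. The interface names, the /21 mask and the address pairs are taken from the output in the post; the function names (run, dnat_map, apply_rules) and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example (not the original poster's script).
# Assumptions, taken from the post's ifconfig/netstat output:
#   WAN = eth1, 124.126.86.137/21 (mask 255.255.248.0), default gw 124.126.80.1
#   LAN = eth0, 10.4.1.198/16
#   public 124.126.86.139 -> 10.4.3.150, public 124.126.86.138 -> 10.4.3.119
LAN_INT="eth0"
WAN_INT="eth1"
WAN_PREFIX=21
LAN_NET="10.4.0.0/16"

# DRY_RUN=1 prints each command instead of executing it, so the generated
# ruleset can be reviewed (or tested) on a box without root or iptables.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One 1:1 mapping: public address -> internal host.
# 1. The firewall must own the public address on the WAN side; otherwise
#    nobody answers ARP for it and the upstream router (and a ping from the
#    firewall itself) reports "Destination Host Unreachable" before any nat
#    rule is consulted.
# 2. PREROUTING only sees packets that arrive on an interface. Packets the
#    firewall generates itself go through nat OUTPUT, so a matching DNAT is
#    needed there for a local "ping 124.126.86.139" to reach the server.
# 3. Replies from the internal host must leave with the public address as
#    source; this SNAT is appended before the catch-all MASQUERADE.
dnat_map() {
    pub=$1
    priv=$2
    run ip addr add "$pub/$WAN_PREFIX" dev "$WAN_INT"
    run iptables -t nat -A PREROUTING -i "$WAN_INT" -d "$pub" \
        -j DNAT --to-destination "$priv"
    run iptables -t nat -A OUTPUT -d "$pub" -j DNAT --to-destination "$priv"
    run iptables -t nat -A POSTROUTING -s "$priv" -o "$WAN_INT" \
        -j SNAT --to-source "$pub"
}

apply_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT ACCEPT
    run iptables -P OUTPUT ACCEPT
    run iptables -P FORWARD ACCEPT
    dnat_map 124.126.86.139 10.4.3.150
    dnat_map 124.126.86.138 10.4.3.119
    # Everything else from the LAN is masqueraded behind 124.126.86.137.
    # Appended last so the per-host SNAT rules above win for the mapped servers.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_INT" -j MASQUERADE
}

# Usage: sh dnat.sh dry-run   (print the commands)
#        sh dnat.sh apply     (run as root on the firewall)
case "${1:-}" in
    dry-run) DRY_RUN=1 apply_rules ;;
    apply)   apply_rules ;;
esac
```

After applying, check that the addresses really are on the WAN interface (ip addr show eth1 should list .137, .138 and .139), then test from a host outside the firewall rather than from the firewall itself, and watch the DNAT counters with iptables -t nat -L -v -n. Re-running the script will complain that the addresses already exist; that is harmless, or delete them with ip addr del first. The ! -s exclusion from the original rules is dropped here because -i eth1 already keeps packets from the internal hosts out of the PREROUTING rule.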