在工作中经常会遇到 VPC 网络：内网所有机器通过唯一一台对外的 proxy 机器共享上网，这里记录一下如何做好端口转发和管理。
root@jumper:~# iptables -L -t nat --line-number
Chain PREROUTING (policy ACCEPT)
num  target  prot opt source          destination
1    DNAT    tcp  --  anywhere        anywhere              tcp dpt:EtherNet/IP-1 to:192.168.1.3:2538
2    DNAT    tcp  --  anywhere        anywhere              tcp dpt:ssh to:192.168.1.2:2538
3    DNAT    tcp  --  anywhere        anywhere              tcp dpt:7687 to:192.168.1.3:7687
4    DNAT    tcp  --  anywhere        anywhere              tcp dpt:dxspider to:192.168.1.3:8873

Chain INPUT (policy ACCEPT)
num  target  prot opt source          destination

Chain OUTPUT (policy ACCEPT)
num  target  prot opt source          destination

Chain POSTROUTING (policy ACCEPT)
num  target  prot opt source          destination
1    SNAT    tcp  --  anywhere        newdev.my-domain.com  tcp dpt:EtherNet/IP-1 to:192.168.1.1
2    SNAT    tcp  --  anywhere        dev.my-domain.com     tcp dpt:vnwk-prapi to:192.168.1.1
3    SNAT    tcp  --  anywhere        dev.my-domain.com     tcp dpt:ssh to:192.168.1.1
4    SNAT    tcp  --  anywhere        newdev.my-domain.com  tcp spt:7687 to:192.168.1.1
5    SNAT    tcp  --  anywhere        newdev.my-domain.com  tcp spt:dxspider to:192.168.1.1
6    SNAT    all  --  192.168.1.0/24  anywhere              to:192.168.1.1
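# Delete the first rule in the nat table's PREROUTING chain.
# (The original used `//` as a comment marker, which is not comment syntax in
# a shell and would be executed as a command; shell comments start with `#`.)
#
# NOTE: rule numbers are re-assigned after every deletion, so re-list the chain
# (iptables -t nat -L PREROUTING --line-numbers) before each delete -- running
# `-D PREROUTING 1` twice removes what was originally rule 2. Deleting by the
# full rule specification (`iptables -t nat -D PREROUTING <rule-spec>`, as
# printed by `iptables -t nat -S`) avoids this ambiguity entirely.
iptables -t nat -D PREROUTING 1

# Delete the first rule in the nat table's POSTROUTING chain.
iptables -t nat -D POSTROUTING 1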
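# Forward TCP port 2233 on this host to 192.168.1.2:2538.
#
# DNAT runs in PREROUTING, so by the time a packet reaches POSTROUTING its
# destination has already been rewritten to 192.168.1.2:2538. The SNAT rule
# must therefore match the translated port (2538), not the public one (2233),
# otherwise it never fires and replies from 192.168.1.2 may bypass this host.
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2233 -j DNAT --to-destination 192.168.1.2:2538

# Rewrite the source address so the backend answers via this host.
# NOTE(review): SNAT hides the real client address from 192.168.1.2's logs; if
# the backend's default route already points at 192.168.1.1 this rule can be
# dropped to keep client IPs visible -- confirm on the host.
iptables -t nat -A POSTROUTING -d 192.168.1.2/32 -p tcp -m tcp --dport 2538 -j SNAT --to-source 192.168.1.1

# NOTE(review): forwarding also requires net.ipv4.ip_forward=1 and a FORWARD
# chain that accepts this flow; neither is shown here. The PREROUTING rule
# matches on every interface -- adding `-i <external-iface>` (placeholder)
# limits the exposed port to the public side.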