在工作中经常会遇到vpc网络,内网所有机器通过唯一一台对外的proxy机器进行共享上网,这里记录一下如何做好端口转发和管理。

  1. 展示所有nat表规则 以编号标注
root@jumper:~# iptables -L -t nat --line-number
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT tcp -- anywhere anywhere tcp dpt:EtherNet/IP-1 to:192.168.1.3:2538
2 DNAT tcp -- anywhere anywhere tcp dpt:ssh to:192.168.1.2:2538
3 DNAT tcp -- anywhere anywhere tcp dpt:7687 to:192.168.1.3:7687
4 DNAT tcp -- anywhere anywhere tcp dpt:dxspider to:192.168.1.3:8873
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 SNAT tcp -- anywhere newdev.my-domain.com tcp dpt:EtherNet/IP-1 to:192.168.1.1
2 SNAT tcp -- anywhere dev.my-domain.com tcp dpt:vnwk-prapi to:192.168.1.1
3 SNAT tcp -- anywhere dev.my-domain.com tcp dpt:ssh to:192.168.1.1
4 SNAT tcp -- anywhere newdev.my-domain.com tcp spt:7687 to:192.168.1.1
5 SNAT tcp -- anywhere newdev.my-domain.com tcp spt:dxspider to:192.168.1.1
6 SNAT all -- 192.168.1.0/24 anywhere to:192.168.1.1
  1. 删除其中一个规则
// 删除nat表PREROUTING中的第一个规则
iptables -t nat -D PREROUTING 1
// 删除nat表中POSTROUTING中的第一个规则
iptables -t nat -D POSTROUTING 1
  1. 添加转发规则
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2233 -j DNAT --to-destination 192.168.1.2:2538
iptables -t nat -A POSTROUTING -d 192.168.1.2/32 -p tcp -m tcp --dport 2233 -j SNAT --to-source 192.168.1.1