Hi everyone, and thanks in advance for your help.
I am fairly new to iptables and just cannot figure out my problem. I want to be able to connect to an Ubuntu VM at 192.168.100.11:22 with the command ssh user@localhost -p 12345, but all I get is connection refused.
Some information about my system:
uname -a
5.4.6-2-MANJARO #1 SMP PREEMPT Tue Dec 24 15:55:20 UTC 2019 x86_64 GNU/Linux
For my problem I have tried dozens of lines suggested on StackOF, without success. Below are a few of the suggested lines. So far I have learned that PREROUTING probably does not apply to localhost routing, and that you should use rules on the OUTPUT chain instead. With some combination of the lines below I did not get any ssh connection error but rather an infinite loop, and I flushed the rules before I tied up iptables.
iptables -t nat -I PREROUTING -p tcp --dport 12345 -j DNAT --to 192.168.100.11:22
iptables -t nat -I PREROUTING -d 127.0.0.1 -p tcp --dport 10001 -j DNAT --to 192.168.100.11:22
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD -o virbr1 -d 192.168.100.11 -j ACCEPT
iptables -A FORWARD -d 127.0.0.1 --dport 12345 -o 192.168.100.11:22
iptables -t nat -I OUTPUT -p tcp -o lo --dport 12345 -j REDIRECT --to-ports 22
https://aboullaite.me/kvm-qemo-forward-ports-with-iptables/
IP forwarding is enabled
#sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
Below is my iptables-save, in the default state with only virbr0 and virbr1 up.
# Generated by iptables-save v1.8.3 on Thu Jan 16 11:04:22 2020
*mangle
:PREROUTING ACCEPT [1:105]
:INPUT ACCEPT [1:105]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:161]
:POSTROUTING ACCEPT [3:161]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A LIBVIRT_PRT -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Thu Jan 16 11:04:22 2020
# Generated by iptables-save v1.8.3 on Thu Jan 16 11:04:22 2020
*nat
:PREROUTING ACCEPT [1:105]
:INPUT ACCEPT [1:105]
:OUTPUT ACCEPT [1:40]
:POSTROUTING ACCEPT [1:40]
:LIBVIRT_PRT - [0:0]
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Jan 16 11:04:22 2020
# Generated by iptables-save v1.8.3 on Thu Jan 16 11:04:22 2020
*filter
:INPUT ACCEPT [1:105]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:161]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Thu Jan 16 11:04:22 2020
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 2c:fd:a1:70:a8:dd brd ff:ff:ff:ff:ff:ff
inet 192.168.1.17/24 brd 192.168.1.255 scope global dynamic noprefixroute enp4s0
valid_lft 503263sec preferred_lft 503263sec
inet6 fe80::5103:7775:e8a6:43db/64 scope link noprefixroute
valid_lft forever preferred_lft forever
6: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/ether fe:df:34:89:fd:3e brd ff:ff:ff:ff:ff:ff
inet 10.19.15.110/25 brd 10.19.15.127 scope global tap0
valid_lft forever preferred_lft forever
inet6 fe80::fcdf:34ff:fe89:fd3e/64 scope link
valid_lft forever preferred_lft forever
59: virbr1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:0f:fb:84 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.1/24 brd 192.168.100.255 scope global virbr1
valid_lft forever preferred_lft forever
60: virbr1-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr1 state DOWN group default qlen 1000
link/ether 52:54:00:0f:fb:84 brd ff:ff:ff:ff:ff:ff
65: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:0a:cd:21 brd ff:ff:ff:ff:ff:ff
inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
valid_lft forever preferred_lft forever
66: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
link/ether 52:54:00:0a:cd:21 brd ff:ff:ff:ff:ff:ff
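A connection the host itself opens to 127.0.0.1:12345 never passes PREROUTING, so the DNAT has to sit in the nat OUTPUT chain, and after the DNAT the packet leaves through virbr1 still sourced from 127.0.0.1, which the VM cannot answer unless POSTROUTING rewrites the source. The Python checker below is an added example, not code from the post: it parses the iptables-save format, walks the nat OUTPUT and POSTROUTING chains for that packet (following jumps and RETURN), and reports whether both pieces exist, once for a reduced copy of the posted nat table and once for a constructed corrected table. The corrected rules and all function names are assumptions.

```python
import ipaddress, re

# Constructed sample: the post's nat table, reduced to the lines that matter here.
POSTED = """\
*nat
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
"""
# Constructed corrected table: DNAT in nat OUTPUT plus SNAT on virbr1 so the VM can reply.
FIXED = POSTED.replace("COMMIT", (
    "-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 12345 -j DNAT --to-destination 192.168.100.11:22\n"
    "-A POSTROUTING -s 127.0.0.1/32 -d 192.168.100.11/32 -o virbr1 -j MASQUERADE\nCOMMIT"))

def parse(dump):
    """iptables-save text -> {table: {chain: [rule]}}; a rule maps option -> (negated, value)."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line.startswith("-A "):
            _, chain, rest = line.split(None, 2)
            rule = {o: (bool(n), v) for n, o, v in re.findall(r"(! )?(--?[\w-]+) (\S+)", rest)}
            table.setdefault(chain, []).append(rule)
    return tables

def matches(rule, pkt):
    """Evaluate a rule's -s/-d/-o/-p/--dport matches (honouring '!') against a packet dict."""
    inside = lambda ip, net: ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
    tests = {"-s": lambda v: inside(pkt["src"], v), "-d": lambda v: inside(pkt["dst"], v),
             "-o": lambda v: v == pkt["oif"], "-p": lambda v: v == pkt["proto"],
             "--dport": lambda v: int(v) == pkt["dport"]}
    return all(tests[o](v) != neg for o, (neg, v) in rule.items() if o in tests)

def walk(table, chain, pkt):
    """Yield the rules pkt would hit, in order, following jumps into user chains."""
    for rule in table.get(chain, []):
        if matches(rule, pkt):
            target = rule.get("-j", (False, None))[1]
            if target == "RETURN":          # RETURN ends the current chain
                return
            yield from (walk(table, target, pkt) if target in table else [rule])

def check_forward(dump, lport, dest_ip, dest_port, oif):
    """Report which nat pieces exist for a 127.0.0.1:lport -> dest_ip:dest_port forward."""
    nat = parse(dump).get("nat", {})
    out = dict(src="127.0.0.1", dst="127.0.0.1", oif="lo", proto="tcp", dport=lport)
    dnat = any(r.get("-j", (0, ""))[1] == "DNAT" and r.get("--to-destination", (0, ""))[1]
               == f"{dest_ip}:{dest_port}" for r in walk(nat, "OUTPUT", out))
    # After DNAT the packet is re-routed out of the bridge, still sourced from 127.0.0.1.
    post = dict(src="127.0.0.1", dst=dest_ip, oif=oif, proto="tcp", dport=dest_port)
    snat = any(r.get("-j", (0, ""))[1] in ("MASQUERADE", "SNAT")
               for r in walk(nat, "POSTROUTING", post))
    return {"dnat_in_output": dnat, "snat_in_postrouting": snat}
```

A dump cannot show sysctls: the kernel also refuses to route a 127.0.0.1-sourced packet out of a non-loopback interface such as virbr1 unless net.ipv4.conf.virbr1.route_localnet is 1, so check that separately.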