I have a VPC on GCP with a bastion host that has a public IP. I am trying to connect from a local machine behind a firewall to a specific port on an instance that sits behind the bastion server.
SSH goes through the bastion, and the port is open between the GCP instances inside the VPC.
I am trying to create a port forward from the local machine, through the bastion, to ZooKeeper on port 2181.
I have set up iptables, but if I run tcptraceroute, packets are lost along the way.
The layout is as follows:
local machine -> firewall -> bastion -> ZooKeeper
An SSH connection from the local machine to ZooKeeper (192.168.80.11) works (through the bastion).
My configuration is as follows:
sudo iptables -t nat -A PREROUTING -p tcp --dport 2181 -j DNAT --to-destination 192.168.80.11:2181
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
It does not work at all. What am I doing wrong?
There are some strange entries in my iptables:
:OUTPUT ACCEPT [83590:46593196]
COMMIT
# Completed on Mon May 11 09:33:24 2020
# Generated by xtables-save v1.8.2 on Mon May 11 09:33:24 2020
*raw
:PREROUTING ACCEPT [130202:45658294]
:OUTPUT ACCEPT [83590:46593196]
COMMIT
# Completed on Mon May 11 09:33:24 2020
# Generated by xtables-save v1.8.2 on Mon May 11 09:33:24 2020
*mangle
:PREROUTING ACCEPT [130202:45658294]
:INPUT ACCEPT [130201:45657860]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [83590:46593196]
:POSTROUTING ACCEPT [83593:46593358]
COMMIT
# Completed on Mon May 11 09:33:24 2020
# Generated by xtables-save v1.8.2 on Mon May 11 09:33:24 2020
*nat
:PREROUTING ACCEPT [234:14414]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2181 -j DNAT --to-destination 192.168.80.11:2181
:INPUT ACCEPT [233:13980]
:POSTROUTING ACCEPT [126:8408]
:OUTPUT ACCEPT [126:8408]
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Mon May 11 09:33:24 2020
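Added example, not part of the question above: a small audit script that parses iptables-save output like the dump posted and reports the points to verify in a DNAT port-forward on a bastion (an unrestricted MASQUERADE, a FORWARD chain that is absent from the dump, and a FORWARD counter that never moves). The sample dump is constructed from the rules in the question; the function names and finding strings are my own.

```python
import re
from typing import Dict, List

# Constructed sample in iptables-save format, modelled on the dump in the question
SAMPLE_DUMP = """\
*mangle
:PREROUTING ACCEPT [130202:45658294]
:FORWARD ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [234:14414]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2181 -j DNAT --to-destination 192.168.80.11:2181
:POSTROUTING ACCEPT [126:8408]
-A POSTROUTING -j MASQUERADE
COMMIT
"""

def parse_save(text: str) -> Dict[str, dict]:
    """Parse iptables-save output into {table: {"chains": {...}, "rules": [...]}}."""
    tables, cur = {}, None
    for line in text.splitlines():
        if line.startswith("*"):                      # "*nat" opens a table
            cur = tables.setdefault(line[1:].strip(), {"chains": {}, "rules": []})
        elif line.startswith(":") and cur is not None:  # ":CHAIN POLICY [pkts:bytes]"
            name, policy, counters = line[1:].split()
            pkts, _ = counters.strip("[]").split(":")
            cur["chains"][name] = {"policy": policy, "pkts": int(pkts)}
        elif line.startswith("-A") and cur is not None:  # "-A CHAIN args..."
            cur["rules"].append(line.split()[1:])
    return tables

def audit_dnat(tables: Dict[str, dict]) -> List[str]:
    """Return human-readable findings for a DNAT port-forward set-up."""
    findings = []
    nat = tables.get("nat", {"chains": {}, "rules": []})
    if not any(r[0] == "PREROUTING" and "DNAT" in r for r in nat["rules"]):
        findings.append("no DNAT rule in nat PREROUTING")
    for r in nat["rules"]:
        # MASQUERADE without -o/-d/-s rewrites the source of every forwarded flow
        if r[0] == "POSTROUTING" and "MASQUERADE" in r and not ({"-o", "-d", "-s"} & set(r)):
            findings.append("MASQUERADE is unrestricted: limit it with -o/-d to the DNAT target")
    fwd = tables.get("filter", {}).get("chains", {}).get("FORWARD")
    if fwd is None:
        findings.append("filter FORWARD chain not in dump: cannot confirm forwarding is allowed")
    elif fwd["policy"] != "ACCEPT" and not any(r[0] == "FORWARD" for r in tables["filter"]["rules"]):
        findings.append("filter FORWARD drops by policy and has no rule for the DNAT target")
    mangle_fwd = tables.get("mangle", {}).get("chains", {}).get("FORWARD")
    if mangle_fwd and mangle_fwd["pkts"] == 0 and nat["chains"].get("PREROUTING", {}).get("pkts", 0) > 0:
        findings.append("FORWARD counter is 0 while PREROUTING sees traffic: check net.ipv4.ip_forward")
    return findings
```

Run it against the real output of `iptables-save` on the bastion; a FORWARD counter that stays at [0:0] while the nat PREROUTING counter rises means the DNATed packets are never forwarded.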