手画的拓扑图，字太丑别打我{:4_99:}。下面是 iptables 规则，感觉能简化一下。
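- # filter table. INPUT default-denies and only the rules below admit traffic to this host.
- # NOTE(review): FORWARD's policy is ACCEPT and every FORWARD rule is itself ACCEPT, so the
- # FORWARD rules currently filter nothing; they only take effect if that policy is set to DROP.
- *filter
- :INPUT DROP [18:6056]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [71107:71641938]
- # Packets belonging to flows conntrack already knows. Moved to the top so most traffic
- # matches here without walking the whole chain; the accept/drop outcome is unchanged
- # because every other INPUT rule is also ACCEPT.
- -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- -A INPUT -i lo -j ACCEPT
- # Whole-subnet trust matched on source address only. With no -i, a packet arriving on any
- # interface with a spoofed 192.168.1.x / 192.168.100.x source is accepted; pinning each
- # rule to the interface that network lives on closes that.
- -A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
- -A INPUT -s 192.168.100.0/255.255.255.0 -j ACCEPT
- # Removed as redundant: "-s 192.168.1.0/24 -p udp --dport 1194" and
- # "-s 192.168.100.0/24 -p icmp" were already fully covered by the two subnet rules above.
- # VPN clients arriving on tun0 get full access to this host.
- -A INPUT -i tun0 -j ACCEPT
- # ICMP, DNS (udp/53) and OpenVPN (tcp/1194) are accepted from ANY source and interface.
- # tcp/1194 is presumably the remote-access listener and meant to be reachable; udp/53 is
- # only needed if this host resolves for the LAN/VPN, so if any interface faces an untrusted
- # network, restrict it with -s / -i like the subnet rules (TODO confirm against the topology).
- -A INPUT -p icmp -j ACCEPT
- -A INPUT -p udp -m udp --dport 53 -j ACCEPT
- -A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
- # FORWARD: rules kept as they were (see note at top); the state rule is already first.
- -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
- # 192.168.100.0/24 may be forwarded anywhere; 192.168.1.0/24 only toward 192.168.100.0/24.
- -A FORWARD -s 192.168.100.0/255.255.255.0 -j ACCEPT
- -A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.100.0/255.255.255.0 -j ACCEPT
- # Post-DNAT destinations of the two tcp/80 forwards in the nat table; these only matter for
- # clients that are not in 192.168.1.0/24 and not on tun0, which the other rules already admit.
- -A FORWARD -d 192.168.100.199 -p tcp -m tcp --dport 80 -j ACCEPT
- -A FORWARD -d 192.168.100.115 -p tcp -m tcp --dport 80 -j ACCEPT
- -A FORWARD -o tun0 -j ACCEPT
- -A FORWARD -i tun0 -j ACCEPT
- -A FORWARD -p icmp -j ACCEPT
- # "--sport 53" matches any packet whose sender chose source port 53, not only DNS replies;
- # genuine replies are already admitted by the RELATED,ESTABLISHED rule above, so this rule
- # only admits unsolicited traffic from arbitrary senders. Drop it before the FORWARD policy
- # is ever switched to DROP.
- -A FORWARD -p udp -m udp --sport 53 -j ACCEPT
- -A FORWARD -p udp -m udp --dport 53 -j ACCEPT
- COMMIT
- # Completed on Thu Aug 6 08:55:43 2015
- # Generated by iptables-save v1.3.5 on Thu Aug 6 08:55:43 2015
- *nat
- :PREROUTING ACCEPT [12084:846369]
- :POSTROUTING ACCEPT [37:2263]
- :OUTPUT ACCEPT [17:1375]
- # Port forwards: tcp/80 on the two 192.168.1.x addresses -> the two 192.168.100.x web hosts.
- -A PREROUTING -d 192.168.1.26 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.199:80
- -A PREROUTING -d 192.168.1.36 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.115:80
- # Source NAT for the 192.168.100.0/24 side. It has no -o, so it rewrites sources on every
- # egress path, including tun0 toward VPN clients; add "-o <lan-interface>" if that is not
- # intended (TODO confirm).
- -A POSTROUTING -s 192.168.100.0/255.255.255.0 -j SNAT --to-source 192.168.1.26
- # VPN clients (10.8.0.0/24) leaving via eth0 are masqueraded.
- -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
- COMMIT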