I have configured an Ubuntu PC as a router and I am confused about DNAT rules with multiple inbound interfaces. When I ping the ISP-1 IP, the router replies via external_p, and the ISP-2 IP replies via external_s. But when I open ISP-1 IP:80 or ISP-2 IP:80, it answers for both IPs via external_p. How do I configure it so that the reply to a DNAT'ed connection uses the interface on which the request was received?
ip rule show
0: from all lookup local
300: from <ISP-1 IP> lookup external_p
400: from <ISP-2 IP> lookup external_s
32766: from all lookup main
32767: from all lookup default

ip route
default via <ISP-1 GW> dev vlan_ext_p metric 100
default via <ISP-2 GW> dev vlan_ext_s metric 200

ip route show table external_p
default via <ISP-1 GW> dev vlan_ext_p proto static

ip route show table external_s
default via <ISP-2 GW> dev vlan_ext_s proto static

iptables-save
*nat
-A PREROUTING -i vlan_ext_p -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.4.2
-A PREROUTING -i vlan_ext_s -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.4.2
-A POSTROUTING -s 172.16.0.0/12 -o vlan_ext_p -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/12 -o vlan_ext_s -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 172.17.4.2/32 -i vlan_ext_p -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -d 172.17.4.2/32 -i vlan_ext_s -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -s 172.16.0.0/12 -j ACCEPT
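The behaviour in the question follows from where reverse NAT happens: the reply from 172.17.4.2 is routed while its source address is still 172.17.4.2 (the DNAT is undone only after the routing decision), so the `from <ISP IP>` rules never match forwarded replies and the main table's first default route (ISP-1) wins every time. The usual fix is to tag each connection with the interface it arrived on (CONNMARK in the mangle table) and route replies by fwmark. The script below is an added example written for this post, not the poster's configuration: interface and table names and 172.17.4.2 are taken from the post; `LAN_IF` and the mark values 0x1/0x2 are placeholders chosen here. It prints the commands by default (`DRY_RUN=1`) and applies them only when run as root with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example: steer DNAT replies out of the interface the request came in on.
# Assumptions: vlan_ext_p/vlan_ext_s, external_p/external_s and 172.17.4.2 are
# from the post; LAN_IF and the marks 0x1/0x2 are placeholders chosen here.
set -eu

: "${DRY_RUN:=1}"          # 1 = print commands, 0 = execute them (needs root)
: "${LAN_IF:=vlan_lan}"    # placeholder: interface facing 172.17.4.2

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

mark_connections() {
    # Tag NEW connections by inbound ISP interface. Only the *connection* mark is
    # set here; the packet mark stays 0, so the inbound request itself is still
    # routed by the main table towards the LAN instead of being bounced out of
    # the external_* table's default route.
    run iptables -t mangle -A PREROUTING -i vlan_ext_p -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x1
    run iptables -t mangle -A PREROUTING -i vlan_ext_s -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x2
    # Replies arriving from the LAN inherit the connection mark as a packet mark,
    # which is what the fwmark policy-routing rules below match on.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m connmark ! --mark 0x0 -j CONNMARK --restore-mark
}

route_by_mark() {
    # Priorities 200/201 are evaluated before the existing "from <ISP IP>" rules
    # (300/400), which keep handling locally generated traffic such as ping replies.
    run ip rule add fwmark 0x1 lookup external_p priority 200
    run ip rule add fwmark 0x2 lookup external_s priority 201
}

# Returns the full list of commands (dry run) or applies them.
configure() {
    mark_connections
    route_by_mark
}

configure
```

Two points worth checking afterwards. First, `conntrack -L` (from the conntrack-tools package) shows a `mark=1` or `mark=2` on each HTTP flow, which confirms the tagging half works before you look at routing. Second, the request packets still carry packet mark 0, so the reverse-path check for traffic arriving on the secondary uplink is done against the main table; with strict `rp_filter=1` on vlan_ext_s those packets are dropped before DNAT, so loose mode (`net.ipv4.conf.vlan_ext_s.rp_filter=2`) is required for the second uplink to accept inbound connections.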