主页 / ubuntu / 问题 / 720207
Accepted
Oli
Asked: 2016-01-13 05:14:51 +0800 CST

桥接接口之间的端口转发

  • 772

所以我有一堆与我的主要以太网设备绑定的桥接接口(em1怪HP)。它们为我在服务器上运行的各种 LXC 容器提供服务,并且可以轻松地让我从网络上的其他物理设备访问它们。

name    id                  STP   interfaces    IP
br0     8000.989096db8b8a   no    em1           10.10.0.2
                                  veth236T4V    10.10.0.15
                                  veth269GNR    10.10.0.16
                                  vethBYBC0Y    10.10.0.17

这些都从主网络 DHCP(分配静态租约)获取 IP。

我想将已在主主机(、、端口 9000、9001)上运行的服务移动em110.10.0.2第一个 LXC 容器。我已经这样做了,现在可以通过它访问东西10.10.0.15:9000-9001,但网络上的所有其他东西都希望看到它10.10.0.2:9000-9001

传统的端口转发iptables似乎不起作用。我试过了:

-A PREROUTING -i em1 -p tcp --dport 9000 -j DNAT --to 10.10.0.15:9000
-A PREROUTING -i em1 -p tcp --dport 9001 -j DNAT --to 10.10.0.15:9001

我已经尝试过br0em1但都没有工作。

在凌晨 3 点的冰雹研究中,我发现了大量的东西表明我需要ebtables,但我以前从未听说过。问题的一半似乎是大多数人使用lxcbrN带有 LXC 的设备,但我需要外部 IP。我不确定我需要什么。ebtables文档似乎将“端口”一词定义为其他内容,这无济于事。

我已经超出了我的深度。我再也感觉不到地板了,我开始踩水了。任何人都可以告诉我一条线并确定需要在桥接接口之间重定向几个端口吗?

iptables

1 个回答

  1. Best Answer

    你可以使用iptables。以下是建议解决方案的脚本版本。我不知道您可能已经拥有哪些 iptables 规则,因此可能需要进行一些合并工作。

    #!/bin/sh
FWVER=0.02
#
# test-oli rule set 2016.01.14 Ver:0.02
#     Having tested this on my test server using port 80,
#     convert for what Oli actually wants (which I can not test).
#
# test-oli rule set 2016.01.14 Ver:0.01
#     Port forward when this computer has one nic and
#     is not a router / gateway.
#     In this case the destination is a guest VM on this
#     host but, with bridged networking and all IP addresses
#     from the main LAN, that should not be relevant.
#
#     This script may conflict with other iptables rules on the
#     host, I don't know. On my test server, clobbering the existing
#     iptables rules is O.K. because I do not use the virbr0 stuff,
#     nor the default virtual network,  anyhow.
#
#     References:
#     http://askubuntu.com/questions/720207/port-forwarding-between-bridged-interfaces
#     http://ubuntuforums.org/showthread.php?t=1855192
#     http://www.linuxquestions.org/questions/linux-networking-3/iptables-forwarding-with-one-nic-80009/
#
#     run as sudo
#
echo "test-oli rule set version $FWVER..\n"

# The location of the iptables program
#
IPTABLES=/sbin/iptables

# Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
# Use br0 instead of eth0. While using eth0 seems to work fine, the packet counters
# don't work, so debugging information is better and more complete using br0.
#
#
INTIF="br0"
INTIP="10.10.0.2"
FORIP="10.10.0.15"
UNIVERSE="0.0.0.0/0"

echo " Internal Interface: $INTIF  Internal IP: $INTIP  Forward IP $FORIP"

# CRITICAL:  Enable IP forwarding since it is disabled by default
#
echo Enabling forwarding...
echo "1" > /proc/sys/net/ipv4/ip_forward

# Clearing any previous configuration
#
echo " Clearing any existing rules and setting default policy to ACCEPT.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z

# First we change the destination of any incoming port 80 traffic
#
$IPTABLES -t nat -A PREROUTING -p tcp -i $INTIF --dport 9000 -j DNAT --to-destination $FORIP:9000
$IPTABLES -t nat -A PREROUTING -p tcp -i $INTIF --dport 9001 -j DNAT --to-destination $FORIP:9001

# And then we do the actual forward
# FORWARD rules would only be needed if the default policy is not ACCEPT
# (Shown here for completeness)
#
$IPTABLES -A FORWARD -p tcp -i $INTIF -d $FORIP --dport 9000 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INTIF -d $FORIP --dport 9001 -j ACCEPT

# Now, we need to change the source address, otherwise the reply packets
# would be sent directly to the client, causing confusion.
$IPTABLES -t nat -A POSTROUTING -o $INTIF -j SNAT --to-source $INTIP

echo "test-oli rule set version $FWVER done."
    • 6

相关问题