1.
eth0 is the inner interface (10.10.60.0/24); eth1 is the outer interface (111.111.111.0/24)
inner server 10.10.60.1, listening on port 22
outer server (the NAT box) 111.111.111.10 on eth1 / 10.10.60.2 on eth0; port 3456 is opened and redirected to 10.10.60.1:22
client IP 222.222.222.222
IP forwarding must be enabled on the outer server (net.ipv4.ip_forward = 1); otherwise the DNATed packets are dropped after routing and never reach the FORWARD chain.
2.
iptables rules on 111.111.111.10 (iptables-save / iptables-restore format)
NAT table
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# client connects to 111.111.111.10:3456; rewrite the destination to 10.10.60.1:22
-A PREROUTING -i eth1 -p tcp -s 222.222.222.222 --dport 3456 -j DNAT --to-destination 10.10.60.1:22
# MASQUERADE also works (it uses whatever address eth0 has at run time instead of a fixed source)
#-A POSTROUTING -o eth0 -d 10.10.60.1 -p tcp --dport 22 -j MASQUERADE
# SNAT so the inner server sees the connection as coming from 10.10.60.2 and sends its replies back through this box
# (required when 10.10.60.2 is not the inner server's default gateway; otherwise replies go straight to the client and the connection never completes)
-A POSTROUTING -o eth0 -p tcp -d 10.10.60.1 --dport 22 -j SNAT --to-source 10.10.60.2
COMMIT
Filter table
*filter
# client 222.222.222.222 connects to 111.111.111.10:3456; DNAT happens in PREROUTING, so by the time the
# packet reaches FORWARD its destination is already 10.10.60.1:22. The match here is therefore on
# port 22, not 3456. Adding -d 10.10.60.1 would tighten this rule further.
-A FORWARD -i eth1 -p tcp -s 222.222.222.222 --dport 22 -j ACCEPT
# replies from the inner server back towards the client
-A FORWARD -i eth0 -p tcp -s 10.10.60.1 --sport 22 -j ACCEPT
# everything else is refused. These catch-all rules must stay below the ACCEPT rules; note that the
# INPUT one also refuses traffic to the box itself, so any INPUT ACCEPT rules you need (lo, management
# access) have to go above it.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
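A mistake that is easy to make with this kind of setup is a DNAT target port that does not agree with the FORWARD and SNAT rules, so the forwarded connection silently hits the final REJECT. The script below is an added example, not code from the original post: it parses an iptables-restore dump, and for every PREROUTING DNAT rule walks the FORWARD chain in order (first matching rule wins) for both the post-DNAT inbound flow and the reply flow, and checks that a POSTROUTING SNAT/MASQUERADE rule covers the inner target. The embedded ruleset is constructed from the page's addresses; the first copy deliberately DNATs to port 3306 while the other rules use 22, which is the mismatch the check reports. Only the match options used on this page are understood; anything else is skipped.

```python
"""Lint a DNAT port-forward in an iptables-restore dump (added example).

For every PREROUTING DNAT rule, simulate the post-DNAT inbound flow and the
reply flow through the filter FORWARD chain (first matching rule wins) and
check that a POSTROUTING SNAT/MASQUERADE rule covers the inner target.
"""
import shlex

# Options that take a value.  Anything else is skipped as a bare flag.
VALUED = {"-i", "-o", "-p", "-s", "-d", "--dport", "--sport", "-j",
          "--to-destination", "--to-source", "--reject-with"}

# Constructed sample built from the page's addresses.  The DNAT target port
# (3306) disagrees with the FORWARD/SNAT rules (22): the mismatch we want caught.
RULES_AS_POSTED = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -s 222.222.222.222 --dport 3456 -j DNAT --to-destination 10.10.60.1:3306
-A POSTROUTING -o eth0 -p tcp -d 10.10.60.1 --dport 22 -j SNAT --to-source 10.10.60.2
COMMIT
*filter
-A FORWARD -i eth1 -p tcp -s 222.222.222.222 --dport 22 -j ACCEPT
-A FORWARD -i eth0 -p tcp -s 10.10.60.1 --sport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
RULES_FIXED = RULES_AS_POSTED.replace("10.10.60.1:3306", "10.10.60.1:22")


def parse_ruleset(text):
    """Return {table: [rule, ...]} in file order; each rule maps option -> value."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                  # "*nat", "*filter"
            table = line[1:]
            tables.setdefault(table, [])
        elif line.startswith("-A ") and table is not None:
            toks = shlex.split(line)
            rule, i = {"chain": toks[1]}, 2
            while i < len(toks):
                if toks[i] in VALUED and i + 1 < len(toks):
                    rule[toks[i]] = toks[i + 1]
                    i += 2
                else:                             # bare flag such as "!" or "--syn"
                    i += 1
            tables[table].append(rule)
    return tables


def rule_matches(rule, flow):
    """True when every match option the rule specifies agrees with the flow.
    A flow field that is None is unknown and is treated as satisfying the rule."""
    for opt in ("-i", "-o", "-p", "-s", "-d", "--dport", "--sport"):
        if opt in rule and flow.get(opt) is not None and rule[opt] != flow[opt]:
            return False
    return True


def first_verdict(rules, chain, flow):
    """Target of the first rule in `chain` matching `flow`; None if no rule matches."""
    for r in rules:
        if r["chain"] == chain and rule_matches(r, flow):
            return r.get("-j")
    return None


def check_forwarding(text):
    """Return a list of problems; empty when every DNAT forward is consistent."""
    tables = parse_ruleset(text)
    nat, flt = tables.get("nat", []), tables.get("filter", [])
    problems = []
    for r in nat:
        if r["chain"] != "PREROUTING" or r.get("-j") != "DNAT":
            continue
        host, _, port = r.get("--to-destination", "").partition(":")
        port = port or r.get("--dport")           # DNAT without a port keeps the original
        label = f"DNAT :{r.get('--dport')} -> {host}:{port}"
        # FORWARD sees the packet after DNAT, so the destination is already rewritten.
        inbound = {"-i": r.get("-i"), "-p": r.get("-p"), "-s": r.get("-s"),
                   "-d": host, "--dport": port}
        verdict = first_verdict(flt, "FORWARD", inbound)
        if verdict != "ACCEPT":
            problems.append(f"{label}: inbound flow hits {verdict or 'chain policy'} in FORWARD")
        # Without SNAT the inner host answers the client directly, which only works
        # when this box is its default gateway.
        snat = next((p for p in nat if p["chain"] == "POSTROUTING"
                     and p.get("-j") in ("SNAT", "MASQUERADE")
                     and rule_matches(p, {"-p": r.get("-p"), "-d": host, "--dport": port})),
                    None)
        if snat is None:
            problems.append(f"{label}: no SNAT/MASQUERADE covers {host}:{port}")
        # Replies traverse FORWARD after conntrack has undone the SNAT (destination is
        # the client again) and before it undoes the DNAT (source is still the inner host).
        reply = {"-i": snat.get("-o") if snat else None, "-p": r.get("-p"),
                 "-s": host, "--sport": port, "-d": r.get("-s")}
        verdict = first_verdict(flt, "FORWARD", reply)
        if verdict != "ACCEPT":
            problems.append(f"{label}: reply flow hits {verdict or 'chain policy'} in FORWARD")
    return problems


if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED), ("fixed", RULES_FIXED)):
        print(name, "->", check_forwarding(rules) or "ok")
```

Run it against the output of `iptables-save` on the NAT box to get the same check on a live ruleset. The walk deliberately mirrors kernel chain traversal (first match wins), which is why a catch-all REJECT placed above an ACCEPT is reported just like a wrong port.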