关于端口映射的,朋友们帮忙看看那出了问题~~

fairlyzrt

结构: 公司使用adsl通过linux redhat上网,两张网卡,一张接内网是192.168.16.0,一张接adsl,现在要使用ts工具(一种聊天工具),服务器设在192.168.16.18:8767上,我做了映射,可是没法连接上,不知道那里错了~~
防火墙设置如下:
# Generated by iptables-save v1.3.0 on Tue Jun 27 09:45:44 2006
*mangle
:FORWARD ACCEPT [26436:1557350]
:INPUT ACCEPT [416444:169196149]
:OUTPUT ACCEPT [412729:171417124]
OSTROUTING ACCEPT [415147:171735666]
REROUTING ACCEPT [443648:170792259]
#-A FORWARD -o eth0 -d 192.168.16.24 -j MARK --set-mark 10
COMMIT
# Completed on Tue Jun 27 09:45:44 2006
# Generated by iptables-save v1.3.0 on Tue Jun 27 09:45:44 2006
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
# -A INPUT -i eth3 -j ACCEPT
#-A INPUT -p tcp -m tcp -i ppp0 --dport 6502 -j ACCEPT
# ň獀 SYN-Flood 窰ю阑
-N syn-flood
-A syn-flood -m limit --limit 100/s --limit-burst 150 -j RETURN
-A syn-flood -j DROP
-I INPUT -j syn-flood
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp -i ppp0 --icmp-type any -j ACCEPT
-A INPUT -p tcp -m tcp -i ppp0 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A INPUT -p tcp -m tcp -i ppp0 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp -i ppp0 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A INPUT -p tcp -m tcp -i ppp0 --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp -i ppp0 --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp -m tcp -i ppp0 --tcp-flags FIN,SYN FIN,SYN -j DROP
-A INPUT -p tcp -s 61.31.18.192/255.255.255.240 -i ppp0 -j ACCEPT
-A INPUT -p tcp -m tcp -s 61.31.18.192/255.255.255.240 -i ppp0 --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp -s 61.31.18.192/255.255.255.240 -i ppp0 --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp -s 61.31.18.192/255.255.255.240 -i ppp0 --dport 873 -j ACCEPT
#-A INPUT -p tcp -m tcp -s 61.31.18.192/255.255.255.240 -i ppp0 --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp -s 220.132.101.200/32 -i ppp0 -j ACCEPT
-A INPUT -p tcp -m tcp -s 220.132.101.200/32 -i ppp0 --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp -i ppp0 --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp -i ppp0 --dport 22 -j DROP
-A INPUT -p tcp -m tcp -i ppp0 --dport 23 -j DROP
-A INPUT -p udp -m udp -i ppp0 --dport 23 -j DROP
-A OUTPUT -p tcp -s 192.168.16.18 -j ACCEPT
-A OUTPUT -p udp -s 192.168.16.18 -j ACCEPT
-A OUTPUT -p tcp -m tcp -s 192.168.16.0/255.255.255.0 --dport 110 --sport 1024:65535 -j ACCEPT
# Completed on Tue Jun 27 09:45:44 2006
# Generated by iptables-save v1.3.0 on Tue Jun 27 09:45:44 2006
*nat
:OUTPUT ACCEPT [4:284]
OSTROUTING ACCEPT [5:332]
REROUTING ACCEPT [542:45946]
-A PREROUTING -s 192.168.16.20/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A PREROUTING -s 192.168.16.40/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A POSTROUTING -s 192.168.16.0/255.255.255.0 -o ppp0 -j MASQUERADE
#-A PREROUTING -s 192.168.16.253/255.255.255.240 -p tcp -m tcp --dport 80 -j ACCEPT
#-A PREROUTING -s 192.168.16.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 192.168.16.0/255.255.255.0 -p tcp -m tcp --dport 22 -j DROP
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 8767 -j DNAT --to-destination 192.168.16.18:8767
-A POSTROUTING -s 192.168.16.0/24 -d 192.168.16.18 -p tcp -m tcp --dport 8767 -j SNAT --to-source 192.168.16.3
COMMIT
# Completed on Tue Jun 27 09:45:44 2006

fairlyzrt

-A PREROUTING -i ppp0 -p tcp -m tcp --dport 8767 -j DNAT --to-destination 192.168.16.18:8767
-A POSTROUTING -s 192.168.16.0/24 -d 192.168.16.18 -p tcp -m tcp --dport 8767 -j SNAT --to-source 192.168.16.3
COMMIT

这句就是我做的映射,不知道那里错了,不能使用~~

fairlyzrt

有人幫忙看看不~~~

roamingo

Post by fairlyzrt

-A OUTPUT -p tcp -s 192.168.16.18 -j ACCEPT
-A OUTPUT -p udp -s 192.168.16.18 -j ACCEPT

上面很多规则我也不太熟，但这两句似乎没什么用。网关自己产生的包才通过OUTPUT链，子网其它机器来的包只通过nat/mangle的PREROUTING。

Post by fairlyzrt

*nat
:OUTPUT ACCEPT [4:284]
OSTROUTING ACCEPT [5:332]
REROUTING ACCEPT [542:45946]
-A PREROUTING -s 192.168.16.20/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A PREROUTING -s 192.168.16.40/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A POSTROUTING -s 192.168.16.0/255.255.255.0 -o ppp0 -j MASQUERADE
#-A PREROUTING -s 192.168.16.253/255.255.255.240 -p tcp -m tcp --dport 80 -j ACCEPT

没看懂。默认已经是ACCEPT了，为何还用这么多ACCEPT啊？

Post by fairlyzrt

-A PREROUTING -i ppp0 -p tcp -m tcp --dport 8767 -j DNAT --to-destination 192.168.16.18:8767

我看到的一个映射内网web服务器的例子是这样写的xxx.xxx.xxx.xxx是外网接口IP， 0.2是web服务器：
-t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx
                 --dport 8888 -j DNAT --to 192.168.0.2:80
-A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT

但你的FORWARD默认已经是ACCEPT了。

Post by fairlyzrt

-A POSTROUTING -s 192.168.16.0/24 -d 192.168.16.18 -p tcp -m tcp --dport 8767 -j SNAT --to-source 192.168.16.3

没看懂，内网用户访问内网服务器不会经过网关啊。

没看出问题。还是从最简单的开始试吧，清空所有的表，默认都是Accept，只加上dnat那条看行不行。可以的话，再一条一条加上，看加到哪里出问题。另外，你从外网连接的是adsl IP:8767, 而不是192.168.16.18:8767吧！

faint

Post by fairlyzrt
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 8767 -j DNAT --to-destination 192.168.16.18:8767
-A POSTROUTING -s 192.168.16.0/24 -d 192.168.16.18 -p tcp -m tcp --dport 8767 -j SNAT --to-source 192.168.16.3
COMMIT

这句就是我做的映射,不知道那里错了,不能使用~~

如果只要做外网的端口映射，只要像下面即可。。

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8767 -j DNAT --to 192.168.16.18:8767
iptables -A FORWARD -i ppp0 -p tcp -m tcp --dport 8767 -j ACCEPT