iptables DNAT rule not working on Ubuntu

I am trying to create a simple iptables rule with the example command below, but the routing does not work. I am not familiar with iptables, so I am probably missing some input.

sudo iptables -t nat -A PREROUTING -p tcp -d 10.10.20.10 --dport 8321 -j DNAT --to-destination 192.168.56.101:8321

This IP, 10.10.20.10, is not assigned to any interface.

The iptables rules are as follows:

# Generated by iptables-save v1.6.1 on Tue Mar  5 14:21:30 2019
*nat
:PREROUTING ACCEPT [5:2009]
:INPUT ACCEPT [5:2009]
:OUTPUT ACCEPT [141:9332]
:POSTROUTING ACCEPT [141:9332]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -d 10.10.20.10/32 -p tcp -m tcp --dport 8321 -j DNAT --to-destination 192.168.56.101:8321
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Tue Mar  5 14:21:30 2019
# Generated by iptables-save v1.6.1 on Tue Mar  5 14:21:30 2019
*filter
:INPUT ACCEPT [923:68802]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [810:87756]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT

The output of ip addr is as follows:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:46:d2:d7 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 85059sec preferred_lft 85059sec
    inet6 fe80::a00:27ff:fe46:d2d7/64 scope link
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:0e:42:40 brd ff:ff:ff:ff:ff:ff
    inet6 fd0c:6493:12bf:2942::ac18:1164/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe0e:4240/64 scope link
       valid_lft forever preferred_lft forever
4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:bf:83:a2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.101/24 brd 192.168.56.255 scope global dynamic enp0s9
       valid_lft 908sec preferred_lft 908sec
    inet6 fe80::a00:27ff:febf:83a2/64 scope link
       valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:8a:d2:57:bd brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

The output of ip route is as follows:

10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15
10.0.2.2 dev enp0s3 proto dhcp scope link src 10.0.2.15 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.56.0/24 dev enp0s9 proto kernel scope link src 192.168.56.101

Answer 1

Traffic from the same host on which the nat PREROUTING DNAT rule is configured does not traverse the nat PREROUTING chain, so you will not see it being applied.

Instead, for locally generated packets you have to use the nat OUTPUT chain:

sudo iptables -t nat -A OUTPUT -p tcp -d 10.10.20.10 --dport 8321 -j DNAT --to-destination 192.168.56.101:8321

If you search Google Images with these keywords you will find iptables packet-flow diagrams, which give a clear picture of how iptables works.
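An added example, not part of the question or the answer above, that puts the two DNAT rules in the chains that actually see the packets and then verifies the result. It builds the iptables command for a given packet origin (nat PREROUTING for traffic arriving from another host, nat OUTPUT for the host's own traffic) and reads the per-rule packet counters so a test connection can be attributed to one chain. It also checks that the kernel has a route to 10.10.20.10 first, because the ip route output in the question has no default route: a local connect() to 10.10.20.10 then fails with "Network is unreachable" before the packet reaches any netfilter hook, so an OUTPUT rule alone would still never match. IPT, VIP, BACKEND, PORT and the apply/counters subcommands are assumptions of this example; apply and counters need root.

```shell
#!/bin/sh
# Added example (not the original poster's or answerer's code): install the
# DNAT rule in the nat chain that a packet really traverses and verify it.
# Assumptions: IPT (default "iptables") runs as root; VIP/BACKEND/PORT are
# the addresses and port from the question.
set -u

IPT="${IPT:-iptables}"
VIP="${VIP:-10.10.20.10}"            # virtual address, assigned to no interface
BACKEND="${BACKEND:-192.168.56.101}"  # local address on enp0s9
PORT="${PORT:-8321}"

# Which nat chain sees a packet destined for $VIP depends on where it was born:
#   remote : arrived on an interface       -> nat PREROUTING
#   local  : generated on this host itself -> nat OUTPUT (PREROUTING never runs)
nat_chain_for() {
  case "$1" in
    remote) echo PREROUTING ;;
    local)  echo OUTPUT ;;
    *)      echo "unknown packet origin: $1" >&2; return 1 ;;
  esac
}

# Print (do not execute) the iptables command for the given packet origin.
dnat_rule() {
  chain=$(nat_chain_for "$1") || return 1
  printf '%s -t nat -A %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$IPT" "$chain" "$VIP" "$PORT" "$BACKEND" "$PORT"
}

# A locally generated packet only reaches nat OUTPUT if the kernel can route
# to $VIP at all: with no matching route (and no default route) connect()
# fails with "Network is unreachable" before any netfilter hook runs.
check_route() {
  if ip route get "$VIP" >/dev/null 2>&1; then
    echo "ok: route to $VIP exists"
  else
    echo "no route to $VIP: a local connection fails with ENETUNREACH before nat OUTPUT is reached" >&2
    return 1
  fi
}

# Install both rules: PREROUTING for traffic from other hosts, OUTPUT for the
# host's own traffic (needs root).
apply_rules() {
  for origin in remote local; do
    rule=$(dnat_rule "$origin") || return 1
    echo "+ $rule"
    $rule
  done
}

# Show per-rule packet counters: the OUTPUT counter grows for a connection
# made on this host, the PREROUTING counter for one arriving from a neighbour.
show_counters() {
  for chain in PREROUTING OUTPUT; do
    echo "== nat $chain =="
    $IPT -t nat -L "$chain" -v -n --line-numbers | grep -E 'pkts|DNAT'
  done
}

# Usage: 'apply' as root, then 'nc -zv 10.10.20.10 8321' on the host and
# from a neighbour that routes 10.10.20.10 via this host, then 'counters'.
case "${1:-}" in
  apply)    check_route && apply_rules ;;
  counters) show_counters ;;
  "")       ;;   # no argument: only define the functions
  *)        echo "usage: $0 {apply|counters}" >&2; exit 1 ;;
esac
```

After a DNAT in nat OUTPUT the kernel re-routes the packet; since 192.168.56.101 is a local address, the connection is delivered locally and the listener on 192.168.56.101:8321 answers directly. Comparing the counters before and after each test connection tells you which chain matched; if conntrack-tools is installed, conntrack -L also shows the translated flow.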
