Squid 프록시를 통해 LAN 네트워크의 트래픽을 리디렉션하고 싶지만 iptables규칙에 몇 가지 문제가 있습니다.
다음 규칙을 사용할 때:
# iptables -I FORWARD -s 192.168.1.0/255.255.255.0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.196:3128
다음 오류가 발생합니다.
x_tables: ip_tables: DNAT target: only valid in nat table, not filter
체인을 사용해 보았지만 PREROUTING내 iptables에는 이와 같은 것이 없습니다.
# iptables -I PREROUTING -s 192.168.1.0/255.255.255.0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.196:3128
iptables: No chain/target/match by that name.
iptables 버전을 사용하고 있습니다v.1.4.10
# iptables -t nat -L PREROUTING
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
prerouting_rule all -- anywhere anywhere
zone_lan_prerouting all -- anywhere anywhere
zone_wan_prerouting all -- anywhere anywhere
나의 모든것iptables -nLv
root@OpenWrt:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
776 93902 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3231 164K syn_flood tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
7098 429K input_rule all -- * * 0.0.0.0/0 0.0.0.0/0
7096 429K input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 MAC XX:XX:XX:XX:XX:XX udp spt:22509
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 MAC XX:XX:XX:XX:XX:XX tcp spts:59000:65399
0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 MAC XX:XX:XX:XX:XX:XX udp spts:49950:65399
8271 3071K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
451 44484 forwarding_rule all -- * * 0.0.0.0/0 0.0.0.0/0
451 44484 forward all -- * * 0.0.0.0/0 0.0.0.0/0
5 276 reject all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
7408 581K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
206 13814 output_rule all -- * * 0.0.0.0/0 0.0.0.0/0
206 13814 output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain forward (1 references)
pkts bytes target prot opt in out source destination
446 44208 zone_lan_forward all -- br-lan * 0.0.0.0/0 0.0.0.0/0
0 0 zone_wan_forward all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain forwarding_lan (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_wan (1 references)
pkts bytes target prot opt in out source destination
Chain input (1 references)
pkts bytes target prot opt in out source destination
515 43070 zone_lan all -- br-lan * 0.0.0.0/0 0.0.0.0/0
6560 385K zone_wan all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain input_lan (1 references)
pkts bytes target prot opt in out source destination
Chain input_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_wan (1 references)
pkts bytes target prot opt in out source destination
Chain output (1 references)
pkts bytes target prot opt in out source destination
206 13814 zone_lan_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
203 13301 zone_wan_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain output_rule (1 references)
pkts bytes target prot opt in out source destination
Chain reject (5 references)
pkts bytes target prot opt in out source destination
3249 166K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
3257 198K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain syn_flood (1 references)
pkts bytes target prot opt in out source destination
3231 164K RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 25/sec burst 50
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_lan (1 references)
pkts bytes target prot opt in out source destination
515 43070 input_lan all -- * * 0.0.0.0/0 0.0.0.0/0
515 43070 zone_lan_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_lan_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
3 513 ACCEPT all -- * br-lan 0.0.0.0/0 0.0.0.0/0
515 43070 ACCEPT all -- br-lan * 0.0.0.0/0 0.0.0.0/0
Chain zone_lan_DROP (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * br-lan 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- br-lan * 0.0.0.0/0 0.0.0.0/0
Chain zone_lan_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * br-lan 0.0.0.0/0 0.0.0.0/0
5 272 reject all -- br-lan * 0.0.0.0/0 0.0.0.0/0
Chain zone_lan_forward (1 references)
pkts bytes target prot opt in out source destination
446 44208 zone_wan_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
5 272 forwarding_lan all -- * * 0.0.0.0/0 0.0.0.0/0
5 272 zone_lan_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_wan (1 references)
pkts bytes target prot opt in out source destination
64 21010 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
6496 364K input_wan all -- * * 0.0.0.0/0 0.0.0.0/0
6496 364K zone_wan_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
644 57237 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_DROP (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_REJECT (2 references)
pkts bytes target prot opt in out source destination
0 0 reject all -- * eth1 0.0.0.0/0 0.0.0.0/0
6496 364K reject all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_wan all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 zone_wan_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
답변1
규칙이 nat테이블에 들어가도록 지정해야 하며, DNAT 명령은 PREROUTING 체인에 들어가야 하며 루프가 생성되지 않도록 주의해야 합니다.
iptables -t nat -I PREROUTING -i br-lan -s ! 192.168.1.196 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.196:3128
기본 테이블은 filter테이블입니다.
소스 주소를 다시 쓰려면 MASQUERADE/SNAT도 필요하다는 점을 잊지 마세요.
iptables -t nat -I POSTROUTING -p tcp --dport 80 -j MASQUERADE
이 가이드더 많은 옵션과 설명을 제공하세요.