第二部分講一下內網服務的對外發布,以發布Web伺服器為例。配置環境和方法與第一部分相似。
例如要把內網中一台IP地址為192.168.0.126的伺服器上的網站(預設連接埠為80),通過NAT伺服器的8080連接埠發布給互連網上的使用者訪問,配置如下:
還是進入Webmin防火牆配置部分的NAT配置介面,這次需要配置“Packets before routing (PREROUTING)”規則,按“Add Role”按鈕,開啟規則配置介面,“Action to take”選“Destination NAT”,“IPs and ports for DNAT”分別填寫192.168.0.126和80,Destination address or network填寫等於(Equals) 10.0.0.118,就是外網卡的IP地址;Network protocol填寫等於 TCP;Destination TCP or UDP port填寫等於8080,別的選項選擇預設值。然後儲存(Save),再按“Apply Configuration”按鈕,使規則生效。
再次注意,如果在外網開啟瀏覽器,輸入網址http://10.0.0.118:8080,仍然看不到發布的網站,請配置防火牆的由外向內的轉寄規則(Forwarded packets (FORWARD)),問題往往出現在這裡(防火牆給駭客造成了大麻煩,也給我們自己帶來了小麻煩)。注意資料的流向,是從網卡eth0到網卡eth1,規則是:
Accept - If input interface is eth0 and output interface is eth1
全部配置完畢,/etc/sysconfig/iptables檔案內容如下:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
:My-test-Chain - [0:0]
-A INPUT -p tcp -m tcp -i eth0 --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 137:139 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 -j REJECT --syn
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 -j REJECT --syn
-A My-test-Chain -p icmp -d 10.0.0.118 -i eth0 -j DROP
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
# Not ping 10.0.0.118
-A INPUT -p icmp -d 10.0.0.118 -i eth0
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -j RH-Lokkit-0-50-INPUT
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 10.0.0.118
-A PREROUTING -p tcp -m tcp -d 10.0.0.118 --dport 8080 -j DNAT --to-destination 192.168.0.126:80
COMMIT
# Completed
請注意與NAT服務發布配置有關的關鍵語句:
-A PREROUTING -p tcp -m tcp -d 10.0.0.118 --dport 8080 -j DNAT --to-destination 192.168.0.126:80
本文來自“十萬個為什麼”電腦學習網 http://www.why100000.com
http://www.why100000.com/_Linux/doc/RHLinux_Webmin_Nat.swf
作者:張慶(網眼)2008-1-21
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
