How to use the NAT feature of iptables to turn Red Hat Enterprise Linux into a router.
Method:
Note: the following applies only to Red Hat Enterprise Linux 3 and later.
1. Enable packet forwarding:
echo "1" > /proc/sys/net/ipv4/ip_forward
2. Edit /etc/sysctl.conf so that packet forwarding is enabled automatically at boot:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
3. Enable NAT in iptables:
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Note: in the command above, ppp0 is the interface connected to the external network or the Internet. Run the following command to save the iptables rules:
service iptables save
4. View the routing table:
netstat -rn 或 route -n
5. View the iptables rules:
iptables -L
View the nat table:
iptables -t nat -L
After building a new kernel, running
# iptables -t nat -nL
reports:
iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Solution: enable the following options when configuring the kernel.
Linux Kernel Configuration
-> Networking support
-> Networking options
-> Network packet filtering framework(netfilter)
-> Core netfilter configuration
-> Netfilter connection tracking support
-> NetBIOS name service protocol support (new)
-> Netfilter Xtables support (required for ip_tables)
Linux Kernel Configuration
-> Networking support
-> Networking options
-> Network packet filtering framework(netfilter)
-> IP: Netfilter Configuration
-> IPv4 connection tracking support (require for NAT)
-> IP tables support (required for filtering/masq/NAT)
-> Full NAT
-> MASQUERADE target support
-> REDIRECT target support
make -j2
make -j2 all
make -j2 modules_install
make -j2 install
After the upgrade, reboot and set up NAT again.
If the error is "can't initialize iptables table `nat': Table does not exist", load the netfilter modules by hand:
modprobe ip_tables
modprobe ip_conntrack
modprobe iptable_filter
modprobe ipt_state
Networking --->
Networking options --->
Network packet filtering framework (Netfilter) --->
Core Netfilter Configuration --->
Now just select the modules you need for your netfilter box. That's it; I hope it works for you now.
If running iptables -L prints the following message, the kernel must be reconfigured and recompiled:
iptables v1.4.2: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Configuration options:
Networking --->
Networking options --->
[*] Network packet filtering (replaces ipchains) --->
Core Netfilter Configuration --->
<*> Netfilter Xtables support (required for ip_tables)
IP: Netfilter Configuration --->
<*> Connection tracking (required for masq/NAT)
<*> IP tables support (required for filtering/masq/NAT)
<*> IP range match support
<*> Packet filtering
<*> REJECT target support
<*> Full NAT
ip_forward
In addition, IP forwarding must be enabled on the host so that traffic can pass through it.
Check whether IP forwarding is already enabled (1 means enabled):
cat /proc/sys/net/ipv4/ip_forward
If it is not enabled, turn it on with:
echo 1 > /proc/sys/net/ipv4/ip_forward
Saving the settings
The iptables rules and the ip_forward setting above are lost when the system reboots, so save them if they are needed permanently.
Save the iptables rules:
/etc/init.d/iptables save
Load the iptables rules automatically at boot (Gentoo as the example):
rc-update add iptables default
Persist the ip_forward setting (in /etc/sysctl.conf):
net.ipv4.ip_forward = 1
Security risk
Once ip_forward is enabled, rp_filter (reverse path filtering) should normally be enabled as well, so that the source address of each packet is checked against the routing table.
Without this setting, the host is easily exposed to IP spoofing from the internal network.
Enable rp_filter:
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
Persist the setting (in /etc/sysctl.conf):
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
The kernel options listed above cover only what port mapping (DNAT) needs; add further options as required.
The kernel build and install steps are omitted here.
iptables
The iptables rule is as follows:
iptables -t nat -A PREROUTING -p tcp --dport 11101 -d 192.168.1.100 -j DNAT --to-destination 192.168.2.101:22
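As an added example (not part of the original note), the pieces above combined into one reviewable script: MASQUERADE as in step 3, the port mapping from the rule above, ip_forward and rp_filter persisted, plus a FORWARD policy that the note does not set, so the router relays only LAN-originated traffic, replies, and the one mapped port. ppp0 as the WAN interface (from the note), eth1 as the LAN interface and 192.168.2.0/24 as the internal network are assumed values.

```shell
#!/bin/sh
# Added example, not from the original note. Interface and network names are assumed.
WAN_IF="${WAN_IF:-ppp0}"             # interface towards the Internet (as in the note)
LAN_IF="${LAN_IF:-eth1}"             # assumed internal interface
LAN_NET="${LAN_NET:-192.168.2.0/24}" # assumed internal network

# Base rules: MASQUERADE as in the note, plus a FORWARD policy of DROP so that
# only LAN-originated flows and their replies are relayed.
router_rules() {
    cat <<EOF
iptables -t nat -F
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Port mapping: the DNAT rule plus the FORWARD rule that lets the translated
# packet through (with policy DROP, DNAT alone is not enough).
# Usage: port_forward PUBLIC_PORT INSIDE_HOST INSIDE_PORT [PROTO]
port_forward() {
    proto="${4:-tcp}"
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$proto" "$1" "$2" "$3"
    printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$WAN_IF" "$proto" "$2" "$3"
}

# Kernel settings for /etc/sysctl.conf: forwarding plus rp_filter, so packets
# with a spoofed source address arriving on the wrong interface are dropped.
sysctl_settings() {
    cat <<EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
EOF
}

# Apply everything (run as root). Print router_rules / port_forward first to review.
apply_rules() {
    router_rules | sh -e
    port_forward 11101 192.168.2.101 22 | sh -e
    sysctl_settings | while read -r key _ val; do sysctl -w "$key=$val"; done
    service iptables save
}
```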