【已解決】關(guān)于Centos下KVM iptables端口轉(zhuǎn)發(fā)的問(wèn)題

xqcool8

現(xiàn)在我配了這3條命令，但是還是不通，就是訪問(wèn)外網(wǎng)IP的8000端口，轉(zhuǎn)向虛擬機(jī)的22端口

iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
iptables -t nat -A PREROUTING -d 122.112.5.63 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.122.100:22
iptables -t nat -A POSTROUTING -s 192.168.122.0/255.255.255.0 -d 192.168.122.100 -p tcp -m tcp --dport 22 -j SNAT --to-source 192.168.122.1

xqcool8

回復(fù) 10# chenyx


轉(zhuǎn)發(fā)是已經(jīng)打開(kāi)了

vi /etc/sysctl.conf
net.ipv4.ip_forward=1
   

xqcool8

我發(fā)現(xiàn)我的命令怎么加不到 /etc/sysconfig/iptables 文件里呢，加完后保存退出，在進(jìn)去怎么就沒(méi)了呢

xqcool8

只要我一重啟 service iptables restart  配置文件就變回去了

xqcool8

現(xiàn)在保存了，還是不通，我貼一下，物理機(jī)上的/etc/sysconfig/iptables的配置信息，紅色的是后加上的
# Generated by iptables-save v1.4.7 on Thu Aug  7 23:46:55 2014
*nat
REROUTING ACCEPT [1:72]
OSTROUTING ACCEPT [6:478]
:OUTPUT ACCEPT [7:538]
-A PREROUTING -d 122.112.5.63/32 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.122.100:22
-A POSTROUTING -s 192.168.122.0/24 -d 192.168.122.100/32 -p tcp -m tcp --dport 22 -j SNAT --to-source 192.168.122.1
# Generated by iptables-save v1.4.7 on Thu Aug  7 23:46:55 2014
*nat
REROUTING ACCEPT [1:72]
OSTROUTING ACCEPT [6:478]
:OUTPUT ACCEPT [7:538]
-A PREROUTING -d 122.112.4.136/32 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.122.100:22
-A POSTROUTING -s 192.168.122.0/24 -d 192.168.122.100/32 -p tcp -m tcp --dport 22 -j SNAT --to-source 192.168.122.1
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Thu Aug  7 23:46:55 2014
# Generated by iptables-save v1.4.7 on Thu Aug  7 23:46:55 2014
*mangle
REROUTING ACCEPT [288:23301]
:INPUT ACCEPT [283:22990]
:FORWARD ACCEPT [5:311]
:OUTPUT ACCEPT [222:27079]
OSTROUTING ACCEPT [224:27246]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Thu Aug  7 23:46:55 2014
# Generated by iptables-save v1.4.7 on Thu Aug  7 23:46:55 2014
*filter
:INPUT ACCEPT [283:22990]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [222:27079]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 161 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Aug  7 23:46:55 2014

xqcool8

還是不通啊

xqcool8

終于搞定了，最后就多了這2條命令


iptables -t nat -A PREROUTING -i eth+ -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.122.100:22

iptables -A FORWARD -d 192.168.122.100/32 -i eth+ -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

chenyx

解決了就好。
主要是Forward鏈沒(méi)有訪問(wèn)相應(yīng)端口的規(guī)則

niao5929

咋解決的哦。求解決方案