
[debian-users:30093] port forwarding between port 80



My name is Kamagasako.

I am trying to expose an httpd server inside the LAN using iptables
port forwarding (DNAT).


ADSL        router                              httpd
modem     +--------+          +-----+         +--------+
   -------+ Debian +----------+ HUB +---------+ Debian |
     ppp0 +--------+ eth1     +-----+    eth0 +--------+
    a.b.c.d       192.168.1.10        192.168.1.1


For the past week, referring to JF's Linux 2.4 Packet Filtering HOWTO
and Linux 2.4 NAT HOWTO, I have configured iptables as follows so that
accesses to port 80 on the router's ppp0 are port-forwarded to the
server inside the LAN.

# flush
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# ip masquerade
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# port forwarding
iptables -t nat -A PREROUTING -p tcp --dport 80 -i ppp0 \
         -j DNAT --to-destination 192.168.1.1:80
iptables -A FORWARD -p tcp --dport 80 -i ppp0 -j ACCEPT

# new chain
iptables -N block
iptables -A block -m state --state ESTABLISHED -j ACCEPT
iptables -A block -m state --state RELATED -j ACCEPT
iptables -A block -i ! ppp0 -m state --state NEW -j ACCEPT
iptables -A block -j DROP

# apply chain
iptables -A INPUT -j block
iptables -A FORWARD -j block

# misc
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f;
done


Ping goes through between the two machines, and IP Masquerade also
works normally. However, access to port 80 from outside shows a
timeout after a while, so apparently the packets are being discarded.

$ telnet a.b.c.d 80
Trying a.b.c.d...
telnet: Unable to connect to remote host: Connection timed out


When I changed the above settings so that port 22 is forwarded to port 25

(omitted)
iptables -t nat -A PREROUTING -p tcp --dport 22 -i ppp0 \
         -j DNAT --to-destination 192.168.1.1:25
iptables -A FORWARD -p tcp --dport 25 -i ppp0 -j ACCEPT
(omitted)

and tried accessing from outside,

$ telnet a.b.c.d 22
Trying a.b.c.d...
Connected to router.localhost.localdomain.
Escape character is '^]'.
220 httpd.localhost.localdomain ESMTP Postfix

it is forwarded correctly, as shown above.


On the router machine, ssh on port 22 and smtp (postfix) on port 25 are
running, but apache (httpd) on port 80 is not even installed. Could
this be related?

Or is it simply a mistake in my iptables configuration?


This may not be a Debian-specific topic, but even just a pointer toward
a solution would be fine, so could someone please lend me their wisdom?


ii  iptables       1.2.3-2        IP packet filter administration for 2.4.4+ k
ii  kernel-source- 2.4.10-1       Linux kernel source for version 2.4.10

-- 
KAMAGASAKO "SMILEY" Masatoshi :-)
Japan GNOME Users Group
emerald@xxxxxxxxxxx
mkama@xxxxxxxxxxxxxx
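An added configuration check, not from the post or its thread: given an iptables-save dump, it lists every PREROUTING DNAT rule whose translated destination port has no matching FORWARD ACCEPT rule, which is the pairing the post's 22-to-25 variant gets right (DNAT to :25, FORWARD --dport 25). The sample dump, including its deliberately mismatched FORWARD rule, is constructed for this example.

```python
import re

# Constructed sample in iptables-save format (not from the post). It mirrors the
# post's ruleset (80 -> 192.168.1.1:80 plus the 22 -> 25 variant), except that
# the last FORWARD rule matches the pre-translation port 22, not 25, on purpose.
SAMPLE = """\
*nat
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.1:25
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

DNAT_RE = re.compile(
    r"^-A PREROUTING\b.*?-p (\w+)\b.*?--dport (\d+)\b.*?"
    r"-j DNAT --to-destination ([\d.]+)(?::(\d+))?")
FWD_RE = re.compile(r"^-A FORWARD\b.*?-p (\w+)\b.*?--dport (\d+)\b.*?-j ACCEPT$")

def unforwarded_dnat(save_text):
    """Return (proto, original_port, 'ip:port') for each PREROUTING DNAT rule
    whose translated destination port has no FORWARD ACCEPT.  FORWARD runs
    after nat/PREROUTING, so it sees the translated port: a 22 -> 25 redirect
    needs 'FORWARD --dport 25', not 22.  Simplification: FORWARD rules are
    matched on protocol and --dport only; -d and -i are ignored."""
    table, accepted, dnats = None, set(), []
    for line in save_text.splitlines():
        if line.startswith("*"):          # '*nat' / '*filter' table header
            table = line[1:]
        elif table == "nat":
            m = DNAT_RE.match(line)
            if m:
                # No ':port' after the address means the port is unchanged.
                translated = int(m[4]) if m[4] else int(m[2])
                dnats.append((m[1], int(m[2]), m[3], translated))
        elif table == "filter":
            m = FWD_RE.match(line)
            if m:
                accepted.add((m[1], int(m[2])))
    return [(proto, orig, f"{ip}:{port}")
            for proto, orig, ip, port in dnats if (proto, port) not in accepted]
```

Run it against the output of `iptables-save` on the router; an empty list means every DNAT target port is also accepted in FORWARD, so a remaining timeout has to come from somewhere other than that pairing.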