iptables的端口映射问题

jxgzoyke · 发表于 2005-11-11 11:45:17

我的网络环境是FC3(192.168.1.254)作网关ADSL拨号代理其他机子上网,
192.168.1.200上有一个WEB服务,在内部网通过IP是可以访问的,但是在iptables
中作了端口射后外部网还是无法访问
iptables中的配置是这样的:
# Generated by iptables-save v1.2.11 on Tue Sep 20 18:39:12 2005
*nat

REROUTING ACCEPT [85543:6482486]

OSTROUTING ACCEPT [898:99384]
:OUTPUT ACCEPT [894:99192]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 1503 -j DNAT --to-destination 192.168.1.13:1503
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 5631:5632 -j DNAT --to-destination 192.168.1.201:5631-5632
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.230:8080
-A PREROUTING -i ppp0 -p udp --dport 9001 -j DNAT --to-destination 192.168.1.230:9001
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.200:80
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Tue Sep 20 18:39:12 2005
# Generated by iptables-save v1.2.11 on Tue Sep 20 18:39:12 2005
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [4794568:3762230890]
:OUTPUT ACCEPT [2045320:2796668737]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p ipv6-crypt -j ACCEPT
-A INPUT -p ipv6-auth -j ACCEPT
-A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21:23 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 50000:60000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5631:5632 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 137:139 -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 111,2049 -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --dports 111,2049 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 53,25,110,80,1503,3128 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p udp -m state --state NEW --dport 9001 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 192.168.1.200 -m mac --mac-source 00:50:FC:62:4F:44 -j ACCEPT
-A FORWARD -m mac --mac-source 00:40:F4:6F:8C:CB -j ACCEPT
-A FORWARD -s 192.168.1.203 -m mac --mac-source 00:00:21:F8:B5:AF -j ACCEPT
-A FORWARD -m mac --mac-source 00:E0:4C:69:BC:FA -j ACCEPT
-A FORWARD -m mac --mac-source 00:0E:A6:71:7C:8E -j ACCEPT
-A FORWARD -m mac --mac-source 00:11:2F:49

2:09 -j ACCEPT
-A FORWARD -m mac --mac-source 00:E0:4C:4F:2B:50 -j ACCEPT
-A FORWARD -m mac --mac-source 00:0C:6E:AC:32:58 -j ACCEPT
-A FORWARD -m mac --mac-source 00:11

8

0:00:91 -j ACCEPT
-A FORWARD -m mac --mac-source 00:E0:5E:39:00:9F -j ACCEPT
-A FORWARD -m mac --mac-source 00:06:4F:02:C0:3A -j ACCEPT
-A FORWARD -m mac --mac-source 00:11

8:C0:3F:60 -j ACCEPT
-A FORWARD -m mac --mac-source 00:11

8:96:37:69 -j ACCEPT
-A FORWARD -m mac --mac-source 00:0E:1F:50:0C:5F -j ACCEPT
-A FORWARD -s 192.168.1.230 -j ACCEPT
-A FORWARD -p tcp -m mac --mac-source 00:0C:6E:95:23:73 -m multiport --dports 25,110 -j ACCEPT
-A FORWARD -p tcp -m mac --mac-source 00:07:40:09:83:b9 -m multiport --dports 25,110 -j ACCEPT
-A FORWARD -s 192.168.1.206 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -j DROP
COMMIT
# Completed on Tue Sep 20 18:39:12 2005

jxgzoyke · 发表于 2005-11-11 23:07:37

自己顶下,
没人知道吗?

		自动登录	找回密码
密码			注册