|
Gateway:
iface eth0 inet static
address 207.192.*.* (public IP)
netmask 255.255.255.0
gateway 207.192.*.*
iface eth1 inet static
address 192.168.133.1 (gateway's internal IP)
netmask 255.255.128.0
echo 1 >/proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward
result is 1
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.128.0/17 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.128.0/17 -j SNAT --to-source 207.192.*.*
NAT part of the gateway firewall
iptables --list -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
nat_in 0 -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
nat_out 0 -- anywhere anywhere
eth0_masq 0 -- anywhere anywhere
SNAT 0 -- 192.168.128.0/17 anywhere to:207.192.*.*(external IP)
MASQUERADE 0 -- 192.168.128.0/17 anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain eth0_masq (1 references)
target prot opt source destination
MASQUERADE 0 -- 192.168.128.0/17 anywhere policy match dir out pol none
Chain nat_in (1 references)
target prot opt source destination
DNAT 0 -- anywhere 207.192.*.*(external IP) policy match dir in pol none to:192.168.133.1
Chain nat_out (1 references)
target prot opt source destination
SNAT 0 -- 192.168.133.1 anywhere policy match dir out pol none to:207.192.*.*
Internal machine:
iface eth0 inet static
address 192.168.133.100
netmask 255.255.128.0
route add -net 192.168.128.0/17 gw 192.168.133.1
Internal network routing table:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.128.0 * 255.255.128.0 U 0 0 0 eth0
default 192.168.133.1 0.0.0.0 UG 0 0 0 eth0
>>>>From this, the internal machine's gateway looks correct
ping the gateway: OK
ping the external network: not OK |
|