如何使用iptables创建和调试NAT规则?

我的问题涉及3个方面:

  • 位于路由器或防火墙后面的房屋中的代理
  • 云上的服务器(digitalocean上的VM)
  • 想要通过服务器连接到代理的客户端

The agent establish a VPN connection to the server via tun0, so from the server I can access the agent. My goal is to allow the client to access this agent from the internet. Note that for this example I am considering HTTP, but my final application is not HTTP so any reverse-proxy solution will not work here.

总而言之,我有这个:

 Any client            Somewhere              Somewhere
 connected to the      on the Internet        in a house, behind a router
 Internet                                     or a firewall
+------------+         +------------+         +-----------+
|            |         |            |         |           |
|            |         |            |         |           |
|  Client    +-------->+   Server   <---------+   Agent   |
|            |  HTTP   |            |  VPN    |           |
|            |         |            |  10.8.0.x           |
+------------+         +------------+         +-----------+

我想配置iptables以允许从客户端到代理的连接:

                                                             internet
                                                                ^
                                                                |
                   +----------------------------+        +----------------------------------+
                   |                            |        |      |                           |
                   | +---------+                |        | +----+-----+                     |
                   | | x.x.x.x |                |        | |          |                     |
                   | |         |                |        | |          |                     |
tcp:8888+------------>  eth0   |                |        | |   eth0   |                     |
                   | |         |                |        | |          |                     |
                   | |         |                |        | |          |                     |
                   | +----+----+                |        | +----------+                     |
                   |      |                     |        |                                  |
                   |      |         +---------+ |        | +----------+          +--------+ |
                   |      |         | 10.8.0.1| |        | | 10.8.0.42|          |        | |
                   |      |         |         | |        | |          |          |        | |
                   |      +--------->  tun0   <------------>  tun0    +----------> daemon | |
                   | x.x.x.x:8888   |         | |        | |          |          |        | |
                   |  -> 10.8.0.42: |         | |        | |          |          |        | |
                   |           8000 +---------+ |        | +----------+          +--------+ |
                   +----------------------------+        +----------------------------------+

所以这就是我所做的:

关于代理

I created a small test HTTP server on port 8000.

$ iptables -A OUTPUT -p tcp --dport 8000 -j ACCEPT
$ echo "Hello World" > index.html
$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

在服务器上(server.io)

我确认可以从服务器访问我的代理。然后,我添加了一些netfilter规则,以将代理的服务连接到Internet。

$ curl 10.8.0.42:8000
Hello World
$ iptables -A INPUT -p tcp --dport 8888 -j ACCEPT
$ iptables -A OUTPUT -p tcp -o tun0 --dport 8000 -j ACCEPT
$ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8888 -j DNAT --to 10.8.0.42:8000
$ iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 10.8.0.42 -j ACCEPT

在客户端上

最终,我尝试与客户联系。但似乎我缺少了一些东西...

$ curl server.io:8888
curl: (7) Failed to connect to server.io port 8888: Connection timed out
评论