Can't get iptables to proxy (NAT) under Fedora 2

Posted by 黄毛鸡 on 08-11-2004 12:58:

Can't get iptables to proxy (NAT) under Fedora 2.

Network setup: the host runs Fedora 2 with two NICs. eth1 is the external NIC, connected to the ADSL modem, with a static IP of 10.0.0.1 and gateway 10.0.0.2. eth0 is the internal NIC, connected by a crossover cable to a single laptop running XP; it has a static IP of 192.168.0.1 and no gateway, and the laptop is set to 192.168.0.2. The laptop and the host can already ping each other. I found some posts on this forum and copied them to set up iptables as a proxy so the laptop can get online, but it didn't work. Below is the content of /etc/rc.d/rc.local. I hope an expert can point me in the right direction, thanks!

```sh
#!/bin/sh
# This script will be executed after all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local

# Load the iptables-related modules:
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Redirect all port-80 packets to port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

# IP translation; 192.168.0.0/24 is the internal subnet
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to 10.0.0.1
```


C3 1G + HY 512 SDRAM + Seagate Barracuda IV 40G + Barracuda 120G + Gigabyte 815EP + Creative 128V + GF2 MX400 + RTL8139 ×2 + BenQ 52× CD-ROM + Samsung 48× COMBO.

OS: Windows 2000 Advanced Server + WinXP + Windows 2003 + Fedora Core 2


Posted by smile787 on 08-11-2004 17:07:


```sh
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to 10.0.0.1
```

Set the 10.0.0.1 in the rule above to the Linux host's IP.


Posted by 黄毛鸡 on 08-11-2004 21:49:

Sorry, moderator, it still doesn't work.

> quote: Originally posted by smile787
>
> **iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to 10.0.0.1**
>
> Set the 10.0.0.1 in the rule above to the Linux host's IP.

Following your hint, I changed the content of rc.local to the following:

```sh
#!/bin/sh
# This script will be executed after all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local

# Load the iptables-related modules:
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Redirect all port-80 packets to port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

# IP translation; 192.168.0.0/24 is the internal subnet
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j SNAT --to 192.168.0.1
```

It still doesn't work. Below is the output of ifconfig:

```
[root@yoaa root]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:00:E8:14:2A:9E
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::200:e8ff:fe14:2a9e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:367 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:28929 (28.2 Kb)  TX bytes:546 (546.0 b)
          Interrupt:10 Base address:0x1000

eth1      Link encap:Ethernet  HWaddr 00:00:E8:22:27:2B
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::200:e8ff:fe22:272b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:287 errors:0 dropped:0 overruns:0 frame:0
          TX packets:348 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:83644 (81.6 Kb)  TX bytes:65744 (64.2 Kb)
          Interrupt:11 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2130 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2130 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2206402 (2.1 Mb)  TX bytes:2206402 (2.1 Mb)

[root@yoaa root]#
```

I hope the moderator can keep guiding me, thanks!




Posted by smile787 on 08-11-2004 23:28:


```sh
echo 1 > /proc/sys/net/ipv4/ip_forward
```

I take it you've done the above?

The Linux host itself can get online, right?

If it still doesn't work, post your firewall settings.
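As an added example (not the poster's rc.local and not from any of the replies), here is a complete gateway script for the layout described in this thread: eth0 is the LAN side at 192.168.0.1/24, eth1 is the WAN side at 10.0.0.1 behind the ADSL modem at 10.0.0.2. It bundles the points the replies raise: IP forwarding switched on, SNAT that uses the address actually bound to the outgoing interface (10.0.0.1 on eth1, not the LAN address 192.168.0.1), and a FORWARD chain that only passes LAN-to-WAN traffic and the replies to it. The port-80 REDIRECT to 3128 is applied only if something is listening on that port, because redirecting to a closed port makes every LAN web connection fail with "connection refused". The variables IPT, FORWARD_SYSCTL and PROXY_PORT, and the script name gateway.sh, are this example's own assumptions so that it can be dry-run with IPT=echo without root; they are not part of Fedora's rc.local.

```shell
#!/bin/sh
# Added example: NAT gateway for the thread's layout (not the poster's rc.local).
# LAN: eth0 192.168.0.1/24   WAN: eth1 10.0.0.1 (default gateway 10.0.0.2)
# IPT / FORWARD_SYSCTL / PROXY_PORT are this example's own knobs, so the
# script can be dry-run without root:  IPT=echo ./gateway.sh

LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
WAN_IP=${WAN_IP:-10.0.0.1}      # must be the address bound to WAN_IF
PROXY_PORT=${PROXY_PORT:-3128}
IPT=${IPT:-iptables}
FORWARD_SYSCTL=${FORWARD_SYSCTL:-/proc/sys/net/ipv4/ip_forward}

load_modules() {
    # Conntrack is needed for the state match and for FTP to survive NAT.
    for m in ip_tables ip_conntrack ip_conntrack_ftp ip_nat_ftp; do
        modprobe "$m" 2>/dev/null || true
    done
}

enable_forwarding() {
    # Without this the kernel drops packets that are not addressed to
    # itself, whatever the nat table says.
    echo 1 > "$FORWARD_SYSCTL"
}

flush_rules() {
    $IPT -t nat -F
    $IPT -F FORWARD
}

apply_forward_rules() {
    # Pass LAN -> WAN, and only replies coming back WAN -> LAN.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -j DROP
}

apply_snat() {
    # Rewrite LAN sources to the WAN interface's own address.  Any other
    # address (e.g. the LAN address) produces replies the upstream router
    # cannot deliver back to this box.
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

proxy_listening() {
    # True if a TCP listener exists on PROXY_PORT (e.g. squid).
    netstat -ltn 2>/dev/null | grep -q "[:.]$PROXY_PORT "
}

apply_proxy_redirect() {
    # Transparent proxy: LAN port 80 -> local proxy.  Only safe when
    # proxy_listening succeeds; otherwise LAN web traffic is refused.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"
}

main() {
    load_modules
    enable_forwarding
    flush_rules
    apply_forward_rules
    apply_snat
    if proxy_listening; then
        apply_proxy_redirect
    else
        echo "no listener on tcp/$PROXY_PORT, skipping port-80 REDIRECT" >&2
    fi
}

# Run only when invoked as gateway.sh; sourcing the file just defines the
# functions so they can be called or dry-run individually.
case "$0" in *gateway.sh) main ;; esac
```

Two checks that the thread never mentions: the laptop must have 192.168.0.1 as its default gateway and a reachable DNS server (being able to ping the host is not enough), and `iptables -t nat -L POSTROUTING -n -v` should show the SNAT rule's packet counter rising while the laptop browses. If the address on eth1 can change (a modem in bridge mode with PPPoE, for instance), replace the SNAT target with `-j MASQUERADE`, which always uses the interface's current address.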


Posted by 黄毛鸡 on 08-12-2004 20:20:

Moderator, please go on.

The Linux host on its own can get online. Adding

```sh
echo 1 > /proc/sys/net/ipv4/ip_forward
```

doesn't help either; I also tried running each line in a terminal, and that didn't work either.

How should I post the firewall configuration? Which command do I use?




Posted by Jackosn.K on 08-13-2004 01:09:


```sh
iptables-save > /home/USER/firewall
```


Posted by 黄毛鸡 on 08-13-2004 11:05:

Many thanks, Jackosn.K. Here is the content:

```
# Generated by iptables-save v1.2.9 on Fri Aug 13 11:07:18 2004
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [56:3360]
:OUTPUT ACCEPT [56:3360]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j SNAT --to-source 192.168.0.1
COMMIT
# Completed on Fri Aug 13 11:07:18 2004
# Generated by iptables-save v1.2.9 on Fri Aug 13 11:07:18 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1548:1313950]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Fir
```
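As an added check that is not part of the thread: a small shell script that reads an iptables-save dump like the one above and compares every POSTROUTING SNAT rule's --to-source with the address of the rule's outgoing interface, as ifconfig reports it. Run on the nat table posted above (reproduced here as a constructed sample), it flags `-A POSTROUTING ... -o eth1 -j SNAT --to-source 192.168.0.1`: packets leaving eth1 are stamped with an address that belongs to eth0, so the upstream router's replies never come back to this box. It also lists the local ports that PREROUTING REDIRECT rules point at, so each one can be checked against `netstat -ltn` for a real listener. The IFACE_ADDRS map and the script name check-nat.sh are this example's own assumptions.

```shell
#!/bin/sh
# Added example: sanity-check an iptables-save dump against the interface
# addresses of the box it came from.  Not part of the thread; the dump below
# is a constructed copy of the nat table posted above.

# Interface -> address map, as ifconfig reports it on this gateway (assumed).
IFACE_ADDRS=${IFACE_ADDRS:-"eth0=192.168.0.1 eth1=10.0.0.1"}

# Constructed sample: the posted nat table, including the wrong SNAT address.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [56:3360]
:OUTPUT ACCEPT [56:3360]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth1 -j SNAT --to-source 192.168.0.1
COMMIT'

# addr_of IFACE: print the known address of IFACE, fail if it is unknown.
addr_of() {
    for pair in $IFACE_ADDRS; do
        case "$pair" in "$1="*) printf '%s\n' "${pair#*=}"; return 0 ;; esac
    done
    return 1
}

# field_after FLAG LINE: print the token that follows FLAG in LINE.
field_after() {
    printf '%s\n' "$2" | sed -n "s/.*$1 \([^ ]*\).*/\1/p"
}

# check_snat < dump: one report line per SNAT rule; returns 1 if any
# --to-source is not the address of that rule's -o interface.
check_snat() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "-A POSTROUTING "*"-j SNAT"*) ;;
            *) continue ;;
        esac
        out_if=$(field_after -o "$line")
        to_src=$(field_after --to-source "$line")
        want=$(addr_of "$out_if") || want="?"
        if [ "$to_src" = "$want" ]; then
            printf 'OK: SNAT via %s uses %s\n' "$out_if" "$to_src"
        else
            printf 'MISMATCH: SNAT via %s uses %s but %s is %s\n' \
                "$out_if" "$to_src" "$out_if" "$want"
            rc=1
        fi
    done
    return $rc
}

# redirect_ports < dump: local ports that PREROUTING REDIRECT rules send
# traffic to; each needs a listener, or LAN clients get "connection refused".
redirect_ports() {
    while IFS= read -r line; do
        case "$line" in
            "-A PREROUTING "*"-j REDIRECT"*) field_after --to-ports "$line" ;;
        esac
    done
}

# When run as check-nat.sh, report on the constructed sample.
case "$0" in *check-nat.sh)
    printf '%s\n' "$SAMPLE_DUMP" | check_snat
    printf 'REDIRECT targets: %s\n' \
        "$(printf '%s\n' "$SAMPLE_DUMP" | redirect_ports | tr '\n' ' ')"
    ;;
esac
```

Feed a live dump with `iptables-save | check_snat` after sourcing the file and setting IFACE_ADDRS from ifconfig. The filter table above is worth a second look too: FORWARD jumps to RH-Firewall-1-INPUT, whose `-i eth0 -j ACCEPT` and `-i eth1 -j ACCEPT` rules accept everything, so forwarding is not blocked there, but anything arriving on the WAN side is forwarded as well. A FORWARD chain that passes only LAN-to-WAN traffic and ESTABLISHED,RELATED replies is the usual replacement.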

Category: 服务器类 (Servers)