Re: Help needed: PREROUTING trouble on RHEL5.1 AS.

Board: Linux  Author:  Time: 17 years ago (2008/07/31 12:01), edited  Push score: 0 (0 0 0)
0 comments, 0 participants, thread 3/8
On 29 Jul 2008 08:38:05 GMT, kenduest.bbs@bbs.sayya.org (小州) wrote:
> ※ Quoting 《Jacky@bcc.com (世界是平的)》:
>> The same rules work fine on RHEL3, but they fail after moving to RHEL 5.1.
>> Below is the test data.
>
> post "iptables-save" command output
>

Thanks for the reply, but it still fails......

Running iptables-save:

[root@eip ~]# iptables-save
# Generated by iptables-save v1.3.5 on Thu Jul 31 19:29:37 2008
*nat
:PREROUTING ACCEPT [46413:6862988]
:POSTROUTING ACCEPT [5284:754821]
:OUTPUT ACCEPT [3688:516317]
-A PREROUTING -d 61.250.251.165 -p tcp -m tcp --dport 3392 -j DNAT --to-destination 192.168.147.9:3389
-A PREROUTING -d 61.250.251.165 -p tcp -m tcp --dport 3900 -j DNAT --to-destination 192.168.147.11:3389
-A POSTROUTING -p tcp -m tcp --dport 5190 -j DROP
-A POSTROUTING -d 64.12.162.57 -p tcp -j DROP
-A POSTROUTING -d 205.188.179.233 -p tcp -j DROP
......
......
...... (omitted)
-A INPUT -i eth1 -p tcp -m tcp --dport 3900 -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state INVALID,NEW -j DROP
-A INPUT -i eth1 -j DROP
-A icmpfilter -i eth1 -p icmp -m icmp --icmp-type 18 -j ACCEPT
......
......
...... (omitted)
COMMIT
# Completed on Thu Jul 31 19:29:37 2008

Running tcpdump: still fails.

[root@eip ~]# tcpdump -i eth1 -nn port 3900
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
19:29:47.270324 IP 60.251.221.178.2350 > 61.250.251.165.3900: S 1053296189:1053296189(0) win 65535 <mss 1460,nop,nop,sackOK>
19:29:50.265909 IP 60.251.221.178.2350 > 61.250.251.165.3900: S 1053296189:1053296189(0) win 65535 <mss 1460,nop,nop,sackOK>
19:29:56.298861 IP 60.251.221.178.2350 > 61.250.251.165.3900: S 1053296189:1053296189(0) win 65535 <mss 1460,nop,nop,sackOK>
[3]+  Stopped                 tcpdump -i eth1 -nn port 3900

Restarting iptables:

[root@eip ~]# service iptables restart
正在清除防火牆規則:                                          [  確定  ]
正在設定 chains 為 ACCEPT 政策: nat filter                   [  確定  ]
正在卸載 iptables 模組:                                      [  確定  ]

Running tcpdump again: the situation is a bit different.... but it still fails.

[root@eip ~]# tcpdump -i eth1 -nn port 3900
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
19:30:28.102830 IP 60.251.221.178.2352 > 61.250.251.165.3900: S 1644470685:1644470685(0) win 65535 <mss 1460,nop,nop,sackOK>
19:30:28.102890 IP 61.250.251.165.3900 > 60.251.221.178.2352: R 0:0(0) ack 1644470686 win 0
19:30:28.735750 IP 60.251.221.178.2352 > 61.250.251.165.3900: S 1644470685:1644470685(0) win 65535 <mss 1460,nop,nop,sackOK>
19:30:28.735787 IP 61.250.251.165.3900 > 60.251.221.178.2352: R 0:0(0) ack 1 win 0
19:30:29.370788 IP 60.251.221.178.2352 > 61.250.251.165.3900: S 1644470685:1644470685(0) win 65535 <mss 1460,nop,nop,sackOK>
19:30:29.370827 IP 61.250.251.165.3900 > 60.251.221.178.2352: R 0:0(0) ack 1 win 0

RHEL5.1 has a GUI iptables firewall tool; what is its precedence relative to the iptables script? Neither turning it on nor turning it off works....
What else might I have missed? Thanks.
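Added example (not from the thread or its participants): a shell audit of an iptables-save dump that lists DNAT targets with no matching ACCEPT in the filter FORWARD chain, one prerequisite a port forward needs alongside net.ipv4.ip_forward=1. The dump's filter section below is constructed, since the thread's output is elided, so this demonstrates the check, not the poster's confirmed cause.

```shell
#!/bin/sh
# Audit an iptables-save dump: every nat PREROUTING DNAT target should have a
# filter FORWARD rule accepting tcp to the translated dest:port (the gateway
# also needs net.ipv4.ip_forward=1, checked separately on the live host).

# Constructed sample modelled on the thread's dump; the filter section is an
# assumption: one DNAT target is forwarded, the other is not.
SAMPLE_DUMP='*nat
-A PREROUTING -d 61.250.251.165 -p tcp -m tcp --dport 3392 -j DNAT --to-destination 192.168.147.9:3389
-A PREROUTING -d 61.250.251.165 -p tcp -m tcp --dport 3900 -j DNAT --to-destination 192.168.147.11:3389
COMMIT
*filter
-A FORWARD -d 192.168.147.9 -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3900 -j ACCEPT
COMMIT'

# Print "dest:port" for every DNAT rule in the nat table, one per line.
dnat_targets() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /-j DNAT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--to-destination") print $(i + 1)
        }'
}

# Exit 0 if the filter FORWARD chain has an ACCEPT for tcp to dest:port ($2).
forward_accepts() {
    dest=${2%%:*}; port=${2##*:}
    printf '%s\n' "$1" | awk -v d="$dest" -v p="$port" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $2 == "FORWARD" && /-j ACCEPT/ {
            okd = 0; okp = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-d" && $(i + 1) == d) okd = 1
                if ($i == "--dport" && $(i + 1) == p) okp = 1
            }
            if (okd && okp) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# Print the DNAT targets that no FORWARD ACCEPT rule covers.
unforwarded_dnat() {
    for t in $(dnat_targets "$1"); do
        forward_accepts "$1" "$t" || echo "$t"
    done
}

unforwarded_dnat "$SAMPLE_DUMP"   # prints 192.168.147.11:3389 for the sample
```

On a live gateway, feed it `iptables-save` output instead of the sample: `unforwarded_dnat "$(iptables-save)"`.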
文章代碼(AID): #18aJZ_00 (Linux)