Q&A
A place to ask and answer questions about cloud/Linux.
Linux category

Question about iptables, port forwarding and MASQUERADE. Please... I really need an answer

Author information

  • Posted by 아레스
  • Date posted

Body

No matter how many times I look at it, I cannot seem to find the answer...

These are questions because so many things do not work with iptables and port forwarding using MASQUERADE.

Our company currently uses about 150 PCs.

The company's network layout is:

              |
              |  leased line
      +---------------------+
      |   internal switch   |
      |  IP 61.XX.XX.1~10   |
      +---------------------+
              |
      +---------------------+
      |  eth0 61.xx.xx.4    |
      |     MASQUERADE      |
      |  eth1 192.168.0.1   |
      +---------------------+
              |
              +---------------------------+------ ...
              |                           |
      +-----------------+       +-----------------+
      | internal switch |       | internal switch |      :
      +-----------------+       +-----------------+      :
        192.168.0.X               192.168.10.X
        192.168.1.X               192.168.11.X
        192.168.X.X               192.168.12.X
              :                           :
              :                           :

Below those are the clients.

This is the iptables configuration currently in place.

*nat
:POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j SNAT --to 61.XX.XX.4

:PREROUTING ACCEPT
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 9833 -j DNAT --to 192.168.0.200:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 9834 -j DNAT --to 192.168.0.203:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 9835 -j DNAT --to 192.168.0.30:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 53389 -j DNAT --to 192.168.0.245:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 53388 -j DNAT --to 192.168.0.254:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65535 -j DNAT --to 192.168.5.101:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65534 -j DNAT --to 192.168.5.102:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65533 -j DNAT --to 192.168.5.105:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65532 -j DNAT --to 192.168.7.101:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65531 -j DNAT --to 192.168.7.112:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65530 -j DNAT --to 192.168.1.101:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65529 -j DNAT --to 192.168.1.109:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65528 -j DNAT --to 192.168.1.111:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65527 -j DNAT --to 192.168.1.107:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65526 -j DNAT --to 192.168.1.119:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65525 -j DNAT --to 192.168.8.102:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65524 -j DNAT --to 192.168.7.109:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65519 -j DNAT --to 192.168.1.117:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65523 -j DNAT --to 192.168.1.115:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65521 -j DNAT --to 192.168.6.106:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65518 -j DNAT --to 192.168.8.106:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65520 -j DNAT --to 192.168.5.106:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65517 -j DNAT --to 192.168.8.115:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65516 -j DNAT --to 192.168.11.104:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65515 -j DNAT --to 192.168.8.101:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65514 -j DNAT --to 192.168.8.104:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65513 -j DNAT --to 192.168.11.103:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65510 -j DNAT --to 192.168.7.115:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65509 -j DNAT --to 192.168.1.113:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65508 -j DNAT --to 192.168.1.103:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65507 -j DNAT --to 192.168.8.116:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65506 -j DNAT --to 192.168.8.108:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65505 -j DNAT --to 192.168.8.112:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65503 -j DNAT --to 192.168.1.123:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65502 -j DNAT --to 192.168.6.114:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65501 -j DNAT --to 192.168.11.107:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65499 -j DNAT --to 192.168.0.238:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65498 -j DNAT --to 192.168.6.110:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65497 -j DNAT --to 192.168.5.108:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65496 -j DNAT --to 192.168.6.112:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65495 -j DNAT --to 192.168.5.105:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65494 -j DNAT --to 192.168.5.104:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65493 -j DNAT --to 192.168.5.108:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65492 -j DNAT --to 192.168.9.109:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65491 -j DNAT --to 192.168.1.121:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65490 -j DNAT --to 192.168.9.104:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65489 -j DNAT --to 192.168.8.120:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65488 -j DNAT --to 192.168.8.118:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65487 -j DNAT --to 192.168.5.110:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65486 -j DNAT --to 192.168.1.125:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65485 -j DNAT --to 192.168.8.128:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65484 -j DNAT --to 192.168.12.12:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65483 -j DNAT --to 192.168.0.109:3389
-A PREROUTING -p tcp -i eth0 -d 61.XX.XX.4 --dport 65480 -j DNAT --to 192.168.0.240:3389
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -i eth0 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -o eth0 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -p tcp -d 192.168.0.109 --dport 65483 -m state --state NEW -j ACCEPT
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Below is the NAT policy.

iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:9833 to:192.168.0.200:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:9834 to:192.168.0.203:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:9835 to:192.168.0.30:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:53389 to:192.168.0.245:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:53388 to:192.168.0.254:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65535 to:192.168.5.101:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65534 to:192.168.5.102:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65533 to:192.168.5.105:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65532 to:192.168.7.101:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65531 to:192.168.7.112:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65530 to:192.168.1.101:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65529 to:192.168.1.109:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65528 to:192.168.1.111:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65527 to:192.168.1.107:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65526 to:192.168.1.119:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65525 to:192.168.8.102:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65524 to:192.168.7.109:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65519 to:192.168.1.117:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65523 to:192.168.1.115:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65521 to:192.168.6.106:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65518 to:192.168.8.106:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65520 to:192.168.5.106:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65517 to:192.168.8.115:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65516 to:192.168.11.104:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65515 to:192.168.8.101:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65514 to:192.168.8.104:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65513 to:192.168.11.103:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65510 to:192.168.7.115:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65509 to:192.168.1.113:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65508 to:192.168.1.103:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65507 to:192.168.8.116:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65506 to:192.168.8.108:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65505 to:192.168.8.112:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65503 to:192.168.1.123:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65502 to:192.168.6.114:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65501 to:192.168.11.107:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65499 to:192.168.0.238:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65498 to:192.168.6.110:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65497 to:192.168.5.108:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65496 to:192.168.6.112:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65495 to:192.168.5.105:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65494 to:192.168.5.104:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65493 to:192.168.5.108:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65492 to:192.168.9.109:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65491 to:192.168.1.121:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65490 to:192.168.9.104:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65489 to:192.168.8.120:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65488 to:192.168.8.118:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65487 to:192.168.5.110:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65486 to:192.168.1.125:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65485 to:192.168.8.128:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65484 to:192.168.12.12:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65483 to:192.168.0.109:3389
DNAT       tcp  --  anywhere             61.XX.XX.4         tcp dpt:65480 to:192.168.0.240:3389

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
SNAT       all  --  anywhere             anywhere            to:61.XX.XX.4

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@share ~]#

I have three questions.

1. Is there a limit to port forwarding?

Quite a few people need to connect to the company remotely, so port forwarding had been working well, but at some point new entries stopped working. With iptables -L -t nat they show as registered, but a telnet connection to the port fails and the remote desktop connection does not work either. Which part is wrong? Currently the entries that already worked still work; when I add new ones, the existing ones work and the added ones do not. Below the yellow line, remote access from outside to inside does not work, while everything above it works fine.

2. Remote connections within the internal network work fine. e.g. an RDP connection 192.168.0.109 => 192.168.8.108 connects without problems.

However, connecting from the internal client 192.168.0.109 to 192.168.8.108 through its port forward does not work.

e.g. 192.168.0.109 => 61.xx.xx.4:65506 does not connect.

3. We use port forwarding quite a lot. So if port 3317 is forwarded, other programs that need to go outbound on port 3317 can no longer use it.

e.g. if there is a policy with --to 192.168.0.20:3317, we cannot reach 61.xx.xx.8:3317, even though the IP address is clearly different..

I joined this year as a complete newcomer and am still learning.

Right now we are barely managing to share the internet connection. Please have mercy and show me an iptables configuration or an example; I would be very grateful. I am really counting on you. Happy New Year (--)(__)

Comments 0
No comments yet.
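Added example (editor's addition, not written by the poster and not an answer from the original thread): a small rule generator in POSIX sh for the two-interface layout described in the post. It shows the rules a port forward needs in order to also work from inside the LAN (question 2, "hairpin" NAT: a second DNAT on eth1 plus a MASQUERADE on the LAN side so the server's reply goes back through the router), and why matching the DNAT on the public address keeps it from catching LAN-originated connections to other hosts on the same port (question 3). Values assumed here that the post does not give: a single 192.168.0.0/16 summary for the internal subnets, the public address left masked as 61.XX.XX.4 exactly as the poster wrote it, and the `conntrack` tool being installed for the diagnostic function. The filter rules deliberately differ from the posted ones: the posted `-A INPUT -m state --state NEW -i eth0 -j ACCEPT` accepts any new connection from the internet to the router itself, and the posted FORWARD rule for `--dport 65483` can never match because the filter table sees the port after DNAT (3389); the example closes FORWARD by default and opens only each forwarded destination and port.

```sh
#!/bin/sh
# Added example, not part of the original post: rule generator for the
# setup in the post (eth0 = WAN with the public address, eth1 = LAN with
# the 192.168.x.x subnets behind it). Prints iptables commands by default
# and only executes them when run as root with APPLY=1.
#
# Assumed values (taken from the post where given, masked as in the post):
PUB_IP=${PUB_IP:-61.XX.XX.4}        # replace with the real public address
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/16}  # assumption: all internal subnets fit here

# Print one command per call, or run it when APPLY=1.
emit() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Base rules: forwarding on, stateful filter with a closed FORWARD chain,
# and a single MASQUERADE for LAN-to-internet traffic (the posted nat table
# carries both MASQUERADE and SNAT in POSTROUTING; one of the two is enough).
base_rules() {
    emit sysctl -w net.ipv4.ip_forward=1
    emit iptables -P FORWARD DROP
    emit iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    emit iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    emit iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# forward_rules <public_port> <internal_ip> <internal_port>
# Four rules per forwarded service:
#  1. DNAT for connections arriving from the internet on eth0.
#  2. DNAT for LAN clients that connect to PUB_IP:port (question 2). The
#     destination is the router's own address, so the packet still passes
#     PREROUTING on eth1 and can be rewritten there as well.
#  3. MASQUERADE on the LAN side for that rewritten flow: without it the
#     internal server answers the LAN client directly from its private
#     address, the client does not recognise the reply, and the connection
#     hangs.
#  4. FORWARD accept for exactly this destination and port. The filter
#     table sees the post-DNAT port (3389), not the public port.
# Matching on "-d $PUB_IP" keeps both DNAT rules from catching LAN clients
# that connect to some other public host on the same port (question 3).
forward_rules() {
    pport=$1; dst=$2; dport=$3
    emit iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUB_IP" --dport "$pport" \
        -j DNAT --to-destination "$dst:$dport"
    emit iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp -d "$PUB_IP" --dport "$pport" \
        -j DNAT --to-destination "$dst:$dport"
    emit iptables -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -s "$LAN_NET" -d "$dst" --dport "$dport" \
        -j MASQUERADE
    emit iptables -A FORWARD -o "$LAN_IF" -p tcp -d "$dst" --dport "$dport" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# diagnose <public_port>: what to look at when a rule is listed but the port
# does not answer (question 1). The packet counters show whether the DNAT
# rule is ever matched; a counter that stays at 0 means the packet never
# reaches that rule (wrong interface or address, or an earlier rule took it).
diagnose() {
    sysctl net.ipv4.ip_forward
    iptables -t nat -L PREROUTING -n -v --line-numbers | grep "dpt:$1"
    iptables -L FORWARD -n -v
    conntrack -L -p tcp --dport "$1" 2>/dev/null || echo "conntrack tool not installed"
}

# Demo: print the rule set for two of the forwards from the post.
base_rules
forward_rules 9833  192.168.0.200 3389
forward_rules 65506 192.168.8.108 3389
```

Run without arguments to review the generated commands; run as root with `APPLY=1` to execute them. `diagnose 65506` prints the counters of the matching DNAT rule and the conntrack entries for that public port, which is the first thing to check when a rule appears in `iptables -L -t nat` but the port does not respond.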
