I need to redirect port 8080 to port 80 on a Linux server. My question is related to: https://askubuntu.com/a/579540
The only difference is that I don't have iptables - is there a way to do it with firewalld?
Edit: I now know that firewalld uses iptables, and that commands can be passed through to iptables with:
firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
I have:
- an HTTP server running on port 8080
- port 80 redirected to 8080 in firewalld (zone public)
- clients on other computers can reach the HTTP server via port 80
- I can reach the server on port 8080 from the same computer
I also want:
- to reach the server on port 80 from the same computer it runs on
I tried:
- adding the interface "lo" to zone "public"
- configuring "trusted" the same way as zone "public"
Zone "public" configuration:
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="snmp"/>
<service name="http"/>
<service name="ssh"/>
<service name="https"/>
<icmp-block name="redirect"/>
<icmp-block name="router-solicitation"/>
<icmp-block name="parameter-problem"/>
<icmp-block name="router-advertisement"/>
<forward-port to-port="8080" protocol="tcp" port="80"/>
</zone>
Errors:
#wget "192.168.100.42:80"
--2016-12-01 16:02:29-- http://192.168.100.42/
Connecting to 192.168.100.42:80... failed: Connection refused.
#wget "192.168.100.42:8080"
--2016-12-01 16:06:37-- http://192.168.100.42:8080/
Connecting to 192.168.100.42:8080... connected.
HTTP request sent, awaiting response... 302 Found
...
HTTP request sent, awaiting response... 302 Found
...
HTTP request sent, awaiting response... 302 Found
...
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
...
2016-12-01 16:06:37 (69.8 MB/s) - ‘index.html’ saved [4785]
#wget "localhost:80"
--2016-12-01 16:02:12-- http://localhost/
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|127.0.0.1|:80... failed: Connection refused.
Connecting to localhost (localhost)|::1|:80... failed: Network is unreachable.
#wget "localhost:8080"
--2016-12-01 16:06:29-- http://localhost:8080/
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|127.0.0.1|:8080... failed: Connection refused.
Connecting to localhost (localhost)|::1|:8080... failed: Network is unreachable.
Edit: Solution: the server was simply not listening on the loopback interface.
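The wget output above is the clue: 192.168.100.42:8080 connects while localhost:8080 is refused, so the server was bound to the NIC address only, and no firewalld rule could change that (a forward-port also lives in the nat PREROUTING path, which locally generated connections never traverse). The following is an added example, not the poster's code: it reads `ss -ltn` output (a constructed sample is embedded) and reports whether a port has a listener reachable through 127.0.0.1.

```shell
#!/bin/sh
# Added example: check from `ss -ltn` output whether a TCP port is reachable
# through the loopback interface. Constructed sample (assumption: the server
# is bound to the LAN address only, matching the symptom in the question).
SAMPLE_SS='LISTEN 0 128 192.168.100.42:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# listens_on_loopback PORT [SS_OUTPUT]
# Returns 0 if some listener on PORT is bound to 127.0.0.1, the IPv4 wildcard
# (0.0.0.0 or *), or the IPv6 wildcard [::] (which also accepts IPv4-mapped
# connections on a dual-stack host); returns 1 otherwise. Without a second
# argument it runs `ss -H -ltn` on the local machine.
listens_on_loopback() {
    port=$1
    ss_out=${2:-$(ss -H -ltn 2>/dev/null)}
    printf '%s\n' "$ss_out" | awk -v port="$port" '
        $1 == "LISTEN" {
            local_addr = $4
            # the port is everything after the last ":"; the rest is the address
            n = split(local_addr, parts, ":")
            p = parts[n]
            addr = substr(local_addr, 1, length(local_addr) - length(p) - 1)
            if (p != port) next
            if (addr == "127.0.0.1" || addr == "0.0.0.0" || addr == "*" ||
                addr == "[::]" || addr == "[::1]") { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# Human-readable verdict, phrased the way the thread resolved it.
diagnose_port() {
    if listens_on_loopback "$1" "$2"; then
        echo "port $1: listener reachable via 127.0.0.1"
    else
        echo "port $1: no loopback listener; bind the service to 0.0.0.0 or 127.0.0.1 as well"
    fi
}

diagnose_port 8080 "$SAMPLE_SS"
diagnose_port 22 "$SAMPLE_SS"
```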
The server was not listening on the loopback interface.
Remove the firewall. Change the IPs for your local network and server:
Create an iptables.sh in /etc/init.d/, chmod +x it, and run it:
#!/bin/bash
# NOMENCLATURE
internet=eth0 # interface of internet source
lan=eth1 # interface of local network
local=192.168.1.0 # your local network
netmask=24 # netmask of your local network
iptables=/sbin/iptables
# Flush all rules and user-defined chains, then zero the packet counters
$iptables -F
$iptables -X
$iptables -t nat -F
$iptables -t nat -X
$iptables -t mangle -F
$iptables -t mangle -X
$iptables -t raw -F
$iptables -t raw -X
$iptables -t security -F
$iptables -t security -X
$iptables -Z
$iptables -t nat -Z
$iptables -t mangle -Z
# Global Policies (DROP or ACCEPT)
$iptables -P INPUT ACCEPT
$iptables -P OUTPUT ACCEPT
$iptables -P FORWARD ACCEPT
$iptables -t nat -P PREROUTING ACCEPT
$iptables -t nat -P POSTROUTING ACCEPT
$iptables -t nat -P OUTPUT ACCEPT
$iptables -t mangle -P PREROUTING ACCEPT
$iptables -t mangle -P INPUT ACCEPT
$iptables -t mangle -P FORWARD ACCEPT
$iptables -t mangle -P OUTPUT ACCEPT
$iptables -t mangle -P POSTROUTING ACCEPT
# LOOPBACK
$iptables -A INPUT -p all -i lo -j ACCEPT
$iptables -A INPUT -s 192.168.1.10 -j ACCEPT
$iptables -A OUTPUT -p all -o lo -j ACCEPT
$iptables -A OUTPUT -p all -s 127.0.0.1 -j ACCEPT
$iptables -t mangle -A PREROUTING -p all -i lo -j ACCEPT
$iptables -t mangle -A PREROUTING -p all -s 127.0.0.1 -j ACCEPT
$iptables -t nat -A PREROUTING -p all -i lo -j ACCEPT
# IP forward rules
echo 1 > /proc/sys/net/ipv4/ip_forward
# MASQUERADE
$iptables -t nat -A POSTROUTING -s $local/$netmask -o $internet -j MASQUERADE
$iptables -A OUTPUT -p udp --dport 53 -j DROP
$iptables -A INPUT -p udp --sport 53 -j DROP
$iptables -A FORWARD -p udp --dport 53 -j DROP
# LAN ---> PROXY <--- INTERNET
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# TRANSPARENT RULES
$iptables -t nat -A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-port 8080
$iptables -A INPUT -i $lan -p tcp --dport 8080 -j ACCEPT
$iptables -A FORWARD -i $lan -p tcp -m multiport --dports 80,8080,443 -o $internet -j ACCEPT