echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o em2 -j MASQUERADE
端口映射
#10.160.1.101:80 -> 173.45.xx.xx:8000
#10.160.1.102:80 -> 173.45.xx.xx:8001
-A PREROUTING -p tcp -m tcp --dport 8000 -j DNAT --to-destination 10.160.1.101:80
-A PREROUTING -p tcp -m tcp --dport 8001 -j DNAT --to-destination 10.160.1.102:80
-A POSTROUTING -d 10.160.1.101/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 173.45.xx.xx
-A POSTROUTING -d 10.160.1.102/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 173.45.xx.xx
-A POSTROUTING -s 10.160.1.0/24 -o em2 -j MASQUERADE
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [36:2960]
:OUTPUT ACCEPT [43:3474]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 29922 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5669 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -j ACCEPT
-A INPUT -s 10.150.1.0/24 -p tcp -j ACCEPT
-A INPUT -s 69.169.34.0/24 -p tcp -j ACCEPT
-A INPUT -s 10.150.1.0/24 -p udp -j ACCEPT
-A INPUT -s 69.169.34.0/24 -p udp -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [36:3012]
:POSTROUTING ACCEPT [15:902]
:OUTPUT ACCEPT [14:862]
-A PREROUTING -p tcp -m tcp --dport 8002 -j DNAT --to-destination 10.150.1.103:80
-A POSTROUTING -d 10.150.1.103/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 69.169.34.xx
-A POSTROUTING -s 10.150.1.0/24 -o em2 -j SNAT --to-source 69.169.34.xx
COMMIT
ip双向映射
iptables -t nat -A PREROUTING -d 69.xxx.34.117 -j DNAT --to 10.150.1.91
iptables -t nat -A POSTROUTING -s 10.150.1.91 -j SNAT --to 69.xxx.34.117
iptables -t nat -A PREROUTING -d 69.xxx.34.118 -j DNAT --to 10.150.1.92
iptables -t nat -A POSTROUTING -s 10.150.1.92 -j SNAT --to 69.xxx.34.118
iptables -t nat -A PREROUTING -d 69.xxx.34.119 -j DNAT --to 10.150.1.93
iptables -t nat -A POSTROUTING -s 10.150.1.93 -j SNAT --to 69.xxx.34.119
