关于iptables的DNAT的“Destination Host Unreachable”问题

weixin_38053515 2008-10-20 06:51:49

各位帮我看看，先谢谢了。

iptables的rule如下：（其实非常简单就起了个SNAT和DNAT）
[root@black ~]# cat iptables-nat-only
#!/bin/sh

###########DEFINE###################
LAN_INT="eth0"
WAN_INT="eth1"

##########REFLASH###################
/sbin/iptables -F
/sbin/iptables -t nat -F

##########DEFAULT POLICY###########
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

###########################Open ip_forward ###################
echo "1" >/proc/sys/net/ipv4/ip_forward

#####################localhost Policy########################
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

##########NAT CHAIN###############
/sbin/iptables -t nat -A POSTROUTING -s 10.4.0.0/16 -o $WAN_INT -j MASQUERADE
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.139 -s ! 10.4.3.150 -i $WAN_INT -j DNAT --to 10.4.3.150
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.138 -s ! 10.4.3.119 -i $WAN_INT -j DNAT --to 10.4.3.119

结果是：
[root@black ~]# ping 124.126.86.138
PING 124.126.86.138 (124.126.86.13 56(84) bytes of data.
From 124.126.86.137 icmp_seq=1 Destination Host Unreachable
From 124.126.86.137 icmp_seq=2 Destination Host Unreachable
From 124.126.86.137 icmp_seq=3 Destination Host Unreachable
From 124.126.86.137 icmp_seq=5 Destination Host Unreachable
From 124.126.86.137 icmp_seq=6 Destination Host Unreachable

网络配的也正常。
[root@black ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@black ~]# /sbin/ifconfig -a
eth0    Link encap:Ethernet  HWaddr 00:E0:4C:85B5
      inet addr:10.4.1.198  Bcast:10.4.255.255  Mask:255.255.0.0
      inet6 addr: fe80::2e0:4cff:fe85:dbd5/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:388928 errors:0 dropped:0 overruns:0 frame:0
      TX packets:283499 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:360801180 (344.0 MiB)  TX bytes:70902224 (67.6 MiB)
      Interrupt:9 Base address:0xdc00

eth1    Link encap:Ethernet  HWaddr 00:50:BA:CE:CD:17
      inet addr:124.126.86.137  Bcast:124.126.87.255  Mask:255.255.248.0
      inet6 addr: fe80::250:baff:fece:cd17/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:278040 errors:0 dropped:0 overruns:0 frame:0
      TX packets:327738 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:64348624 (61.3 MiB)  TX bytes:355518009 (339.0 Mi
[root@black ~]# netstat -nr
Kernel IP routing table
Destination    Gateway       Genmask       Flags MSS Window  irtt Iface
124.126.80.0 0.0.0.0       255.255.248.0 U       0 0       0 eth1
10.4.0.0       0.0.0.0       255.255.0.0    U       0 0       0 eth0
169.254.0.0    0.0.0.0       255.255.0.0    U       0 0       0 eth1
0.0.0.0       124.126.80.1 0.0.0.0       UG       0 0       0 eth1

在另一端内网的WWW server 10.4.3.150
[root@ntracker ~]# ifconfig -a
eth0    Link encap:Ethernet  HWaddr 00:11:25:57:05:E7
      inet addr:10.4.3.150  Bcast:10.4.255.255  Mask:255.255.0.0
      inet6 addr: fe80::211:25ff:fe57:5e7/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:169483 errors:0 dropped:0 overruns:0 frame:0
      TX packets:156909 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:58954478 (56.2 MiB)  TX bytes:96535321 (92.0 MiB)
      Base address:0x2000 Memory:d0120000-d0140000

10.4.3.150的缺省网关指向防火墙10.4.1.198
[root@ntracker ~]# netstat -nr
Kernel IP routing table
Destination    Gateway       Genmask       Flags MSS Window  irtt Iface
192.168.10.0 0.0.0.0       255.255.255.0 U       0 0       0 eth0
10.4.0.0       0.0.0.0       255.255.0.0    U       0 0       0 eth0
169.254.0.0    0.0.0.0       255.255.0.0    U       0 0       0 eth0
0.0.0.0       10.4.1.198    0.0.0.0       UG       0 0       0 eth0

这是怎么回事，寻求帮助！

...全文