[System Administration]
iptables local port forwarding + opening a given port only to a given IP
[Problem description]
I have a web server with HTTP on port 80. The requirement is that everything coming in on port 80 be forwarded to port 9000 on the same machine, but 9000 must not be open to the outside. I don't know much about the web/Linux side of things; my understanding of "open to the outside" is that if IP:9000 opens the page in a browser, it counts as open.
I spent several days reading iptables material and still didn't really understand how to configure it. I just found a thread with a situation similar to mine: "iptables local port forwarding problem, asking for a solution" ---- http://bbs.chinaunix.net/thread-4175607-1-1.html
I wrote the configuration following the answer there:
# Drop direct connections to port 9000. The mangle PREROUTING chain is traversed
# before nat PREROUTING, so packets that will be redirected from 80 still have
# dport 80 here and are not matched by this rule.
iptables -t mangle -I PREROUTING -p tcp --dport 9000 -j DROP
# Redirect incoming port 80 to local port 9000.
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 9000
Testing this, the page opens normally through port 80 and IP:9000 does not open the page. But I also want a specific IP to be able to reach port 9000 on the web server, i.e. IP:9000 should work for that particular IP. Sincerely asking the experts here, many thanks!!
The current configuration looks like this:
[root@i:/etc]# service iptables status
Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target  prot opt source     destination
1    DROP    tcp  --  0.0.0.0/0  0.0.0.0/0    tcp dpt:9010
2    DROP    tcp  --  0.0.0.0/0  0.0.0.0/0    tcp dpt:9000
Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination
Chain FORWARD (policy ACCEPT)
num  target  prot opt source     destination
Chain OUTPUT (policy ACCEPT)
num  target  prot opt source     destination
Chain POSTROUTING (policy ACCEPT)
num  target  prot opt source     destination
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target    prot opt source     destination
1    REDIRECT  tcp  --  0.0.0.0/0  0.0.0.0/0    tcp dpt:80 redir ports 9000
Chain POSTROUTING (policy ACCEPT)
num  target  prot opt source     destination
Chain OUTPUT (policy ACCEPT)
num  target  prot opt source     destination
Table: filter
Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination
Chain FORWARD (policy ACCEPT)
num  target  prot opt source     destination
Chain OUTPUT (policy ACCEPT)
num  target  prot opt source     destination