Linux BOXでインターネットに接続しているが、WWWサーバは別の仮想サーバで動いていてプライベートIP(192.168.0.100)しかもっていない。よってLinux BOX宛にきたHTTPのリクエストを仮想サーバへあて先NATして届けなくてはいけない。
あて先NATはルーティングの前に行われるので、-A PREROUTING と付ける。また、あて先NATされたパケットはFORWARDチェーンを通るが、この設定ではFORWARDもRH-Firewall-1-INPUTに飛ばしている（後掲の -A FORWARD -j RH-Firewall-1-INPUT）ので、そのチェーンに 192.168.0.100 宛の通信を許可するルールも必要。なお、このチェーンは末尾がREJECTなので、許可ルールはそれより前に置かなければならない。
# DNAT inbound HTTP/HTTPS arriving on ppp0 (the Internet-facing interface) to the
# web VM. Only ppp0 is matched, so traffic coming in on the LAN side is not rewritten.
[root@ml115 ~]#iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 80 -j DNAT --to-destination 192.168.0.100:80
[root@ml115 ~]#iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 443 -j DNAT --to-destination 192.168.0.100:443
# Allow the DNAT'd connections in the filter table. In this setup FORWARD jumps to
# RH-Firewall-1-INPUT (see the saved ruleset below), which is why the ACCEPT goes
# into that chain rather than FORWARD.
# NOTE(review): -A appends at the end of the chain. If the chain already ends with
# the REJECT rule, these ACCEPTs land after it and never match; the saved ruleset
# below has them placed before the REJECT.
[root@ml115 ~]#iptables -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp -d 192.168.0.100 --dport 80 -j ACCEPT
# NOTE(review): -d 192.168.0.10 here differs from the web server address
# 192.168.0.100 used in every other rule; the saved ruleset below uses
# 192.168.0.100 for port 443 as well.
[root@ml115 ~]#iptables -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp -d 192.168.0.10 --dport 443 -j ACCEPT
# Persist the running rules (written to /etc/sysconfig/iptables, shown below).
[root@ml115 ~]#service iptables save
# The next four commands repeat the 443 DNAT, both ACCEPT rules and the save;
# the 192.168.0.10 address appears again on the 443 rule.
[root@ml115 ~]#iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 443 -j DNAT --to-destination 192.168.0.100:443
[root@ml115 ~]#iptables -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp -d 192.168.0.100 --dport 80 -j ACCEPT
[root@ml115 ~]#iptables -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp -d 192.168.0.10 --dport 443 -j ACCEPT
[root@ml115 ~]#service iptables save
いろいろ整理して結局出来上がったルールは以下のとおり（上の443番の許可ルールで -d 192.168.0.10 となっていたのは 192.168.0.100 の誤りと思われ、以下では直っている。また、許可ルールは末尾のREJECTより前に並んでいる）。
[root@ml115 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Mon Oct 29 06:04:24 2007
*filter
# Built-in chains default to ACCEPT; all filtering happens in RH-Firewall-1-INPUT,
# which ends with an explicit REJECT.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [791:91944]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
# Routed traffic (including the DNAT'd HTTP/HTTPS to 192.168.0.100) goes through
# the same chain as locally delivered traffic, so one rule set governs both.
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# Anything arriving on the LAN side (eth0) is accepted unconditionally, whether
# it is for this host or forwarded out via ppp0.
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
# ppp0 (Internet side): every ICMP type, IPsec ESP/AH, and packets belonging to
# existing connections.
-A RH-Firewall-1-INPUT -i ppp0 -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp0 -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp0 -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# New TCP connections from the Internet to port 10022 (presumably SSH on a
# non-default port — TODO confirm).
-A RH-Firewall-1-INPUT -i ppp0 -p tcp -m state --state NEW -m tcp --dport 10022 -j ACCEPT
# New connections to the web VM on 80/443. Filtering happens after DNAT, so the
# destination is already 192.168.0.100. There is no -i match here; only the nat
# rules below restrict rewriting to ppp0. These must stay above the REJECT.
-A RH-Firewall-1-INPUT -d 192.168.0.100 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -d 192.168.0.100 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# Default deny: anything not accepted above is rejected. Rules appended later
# with -A end up after this line and never match.
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Oct 29 06:04:24 2007
# Generated by iptables-save v1.3.5 on Mon Oct 29 06:04:24 2007
*nat
:PREROUTING ACCEPT [574:187784]
:POSTROUTING ACCEPT [13:676]
:OUTPUT ACCEPT [2:171]
# Destination NAT: HTTP/HTTPS arriving on ppp0 is redirected to the web VM
# before the routing decision.
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.100:80
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.100:443
# Source NAT for everything leaving via ppp0 (LAN hosts share the ppp0 address).
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 29 06:04:24 2007
[root@ml115 ~]#
# Generated by iptables-save v1.3.5 on Mon Oct 29 06:04:24 2007
*filter
# Built-in chains default to ACCEPT; all filtering happens in RH-Firewall-1-INPUT,
# which ends with an explicit REJECT.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [791:91944]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
# Routed traffic (including the DNAT'd HTTP/HTTPS to 192.168.0.100) goes through
# the same chain as locally delivered traffic, so one rule set governs both.
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
# Anything arriving on the LAN side (eth0) is accepted unconditionally, whether
# it is for this host or forwarded out via ppp0.
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
# ppp0 (Internet side): every ICMP type, IPsec ESP/AH, and packets belonging to
# existing connections.
-A RH-Firewall-1-INPUT -i ppp0 -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp0 -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp0 -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# New TCP connections from the Internet to port 10022 (presumably SSH on a
# non-default port — TODO confirm).
-A RH-Firewall-1-INPUT -i ppp0 -p tcp -m state --state NEW -m tcp --dport 10022 -j ACCEPT
# New connections to the web VM on 80/443. Filtering happens after DNAT, so the
# destination is already 192.168.0.100. There is no -i match here; only the nat
# rules below restrict rewriting to ppp0. These must stay above the REJECT.
-A RH-Firewall-1-INPUT -d 192.168.0.100 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -d 192.168.0.100 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# Default deny: anything not accepted above is rejected. Rules appended later
# with -A end up after this line and never match.
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Oct 29 06:04:24 2007
# Generated by iptables-save v1.3.5 on Mon Oct 29 06:04:24 2007
*nat
:PREROUTING ACCEPT [574:187784]
:POSTROUTING ACCEPT [13:676]
:OUTPUT ACCEPT [2:171]
# Destination NAT: HTTP/HTTPS arriving on ppp0 is redirected to the web VM
# before the routing decision.
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.100:80
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.100:443
# Source NAT for everything leaving via ppp0 (LAN hosts share the ppp0 address).
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Mon Oct 29 06:04:24 2007
[root@ml115 ~]#
