Firewalld: Redirect port 80 to 8080 and make it work on local machine
I need to redirect port 8080 to port 80 on my Linux server.
My question is the same as this one:
https://askubuntu.com/a/579540
The only difference is that I don't have iptables - is there a way to do this with firewalld?
Edit: I now know that firewalld uses iptables, and that commands can be passed through firewalld to iptables with:
firewall-cmd [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
What I have:
- An HTTP server running on port 8080
- Port 80 redirected to 8080 in firewalld (zone public)
- Clients on other computers can reach the HTTP server through port 80
- I can reach the server on port 8080 from the same computer the server is running on
What I also want:
- To reach the server on port 80 from the same computer the server is running on
What I have tried:
- Adding the interface "lo" to the zone "public"
- Configuring the zone "trusted" the same way as the zone "public"
Zone "public" configuration:
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="snmp"/>
<service name="http"/>
<service name="ssh"/>
<service name="https"/>
<icmp-block name="redirect"/>
<icmp-block name="router-solicitation"/>
<icmp-block name="parameter-problem"/>
<icmp-block name="router-advertisement"/>
<forward-port to-port="8080" protocol="tcp" port="80"/>
</zone>
Errors:
#wget "192.168.100.42:80"
--2016-12-01 16:02:29-- http://192.168.100.42/
Connecting to 192.168.100.42:80... failed: Connection refused.
#wget "192.168.100.42:8080"
--2016-12-01 16:06:37-- http://192.168.100.42:8080/
Connecting to 192.168.100.42:8080... connected.
HTTP request sent, awaiting response... 302 Found
...
HTTP request sent, awaiting response... 302 Found
...
HTTP request sent, awaiting response... 302 Found
...
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’
...
2016-12-01 16:06:37 (69.8 MB/s) - ‘index.html’ saved [4785]
#wget "localhost:80"
--2016-12-01 16:02:12-- http://localhost/
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|127.0.0.1|:80... failed: Connection refused.
Connecting to localhost (localhost)|::1|:80... failed: Network is unreachable.
#wget "localhost:8080"
--2016-12-01 16:06:29-- http://localhost:8080/
Resolving localhost (localhost)... 127.0.0.1, ::1
Connecting to localhost (localhost)|127.0.0.1|:8080... failed: Connection refused.
Connecting to localhost (localhost)|::1|:8080... failed: Network is unreachable.
Edit: Solution:
The server was not listening on the loopback interface at all.
I took the firewall from that post. Change the IPs to your local network and server:
Create an iptables.sh in /etc/init.d/, chmod +x it and run it
#!/bin/sh
# NOMENCLATURE
internet=eth0 # interface of internet source
lan=eth1 # interface of local network
local=192.168.1.0 # your local network
netmask=24 # netmask of your local network
iptables=/sbin/iptables
# Zero all packets and counters
$iptables -F
$iptables -X
$iptables -t nat -F
$iptables -t nat -X
$iptables -t mangle -F
$iptables -t mangle -X
$iptables -t raw -F
$iptables -t raw -X
$iptables -t security -F
$iptables -t security -X
$iptables -Z
$iptables -t nat -Z
$iptables -t mangle -Z
# Global Policies (DROP or ACCEPT)
$iptables -P INPUT ACCEPT
$iptables -P OUTPUT ACCEPT
$iptables -P FORWARD ACCEPT
$iptables -t nat -P PREROUTING ACCEPT
$iptables -t nat -P POSTROUTING ACCEPT
$iptables -t nat -P OUTPUT ACCEPT
$iptables -t mangle -P PREROUTING ACCEPT
$iptables -t mangle -P INPUT ACCEPT
$iptables -t mangle -P FORWARD ACCEPT
$iptables -t mangle -P OUTPUT ACCEPT
$iptables -t mangle -P POSTROUTING ACCEPT
# LOOPBACK
$iptables -A INPUT -p all -i lo -j ACCEPT
$iptables -A INPUT -s 192.168.1.10 -j ACCEPT # address of the server itself, change to yours
$iptables -A OUTPUT -p all -o lo -j ACCEPT
$iptables -A OUTPUT -p all -s 127.0.0.1 -j ACCEPT
$iptables -t mangle -A PREROUTING -p all -i lo -j ACCEPT
$iptables -t mangle -A PREROUTING -p all -s 127.0.0.1 -j ACCEPT
$iptables -t nat -A PREROUTING -p all -i lo -j ACCEPT
# IP forward rules
echo 1 > /proc/sys/net/ipv4/ip_forward
# MASQUERADE
$iptables -t nat -A POSTROUTING -s $local/$netmask -o $internet -j MASQUERADE
# These three rules drop all UDP DNS sent, received or forwarded by this host
$iptables -A OUTPUT -p udp --dport 53 -j DROP
$iptables -A INPUT -p udp --sport 53 -j DROP
$iptables -A FORWARD -p udp --dport 53 -j DROP
# LAN ---> PROXY <--- INTERNET
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# TRANSPARENT RULES
# REDIRECT in nat PREROUTING only sees packets arriving on $lan; it does not apply to connections the host makes to itself
$iptables -t nat -A PREROUTING -i $lan -p tcp --dport 80 -j REDIRECT --to-port 8080
$iptables -A INPUT -i $lan -p tcp --dport 8080 -j ACCEPT
$iptables -A FORWARD -i $lan -p tcp -m multiport --dports 80,8080,443 -o $internet -j ACCEPT
The server was not listening on the loopback interface.
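The failure in the question has two independent causes. A zone `<forward-port>` becomes a nat PREROUTING rule, and PREROUTING only sees packets that arrive on an interface; connections the host makes to its own addresses traverse nat OUTPUT instead, so the redirect has to be repeated there. Separately, a server bound only to the LAN address refuses loopback connections no matter what NAT does, which is what `wget localhost:8080` shows and what the edit confirms. The script below is an added example, not code from the original post or from firewalld itself: it parses `ss -Hltn` output to check the second cause and prints the `firewall-cmd --direct` rule that covers the first. The sample `ss` output is constructed, and the address `192.168.100.42`, the port numbers and the `diagnose` helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes firewalld with the
# iptables backend and an HTTP service that is supposed to listen on TCP 8080.

# listens_locally PORT SS_OUTPUT
# SS_OUTPUT is the text of `ss -Hltn` (TCP listeners, no header line).
# Returns 0 when a listener on PORT accepts loopback connections, i.e. is
# bound to 127.0.0.1, ::1 or a wildcard (0.0.0.0, *, [::]). A socket bound
# only to the LAN address (192.168.100.42:8080) does not count; that is the
# "Connection refused" the question shows for localhost:8080.
listens_locally() {
    port=$1
    ss_out=$2
    printf '%s\n' "$ss_out" | awk -v port="$port" '
        $1 == "LISTEN" {
            laddr = $4                      # Local Address:Port column
            n = split(laddr, parts, ":")
            p = parts[n]                    # text after the last colon
            addr = substr(laddr, 1, length(laddr) - length(p) - 1)
            if (p == port && (addr == "0.0.0.0" || addr == "*" ||
                              addr == "127.0.0.1" || addr == "[::]" || addr == "[::1]"))
                found = 1
        }
        END { exit found ? 0 : 1 }'
}

# firewalld_local_redirect FROM TO
# Prints the firewalld commands. The zone forward-port only covers nat
# PREROUTING; locally generated packets go through nat OUTPUT, so the same
# REDIRECT is added there with a direct rule. "-o lo" matches connections to
# 127.0.0.1 and to the host's own LAN address, since both are routed over
# loopback, without touching traffic the host sends to other machines.
firewalld_local_redirect() {
    from=$1
    to=$2
    printf '%s\n' \
      "firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -o lo -p tcp --dport $from -j REDIRECT --to-ports $to" \
      "firewall-cmd --reload"
}

# diagnose FROM TO SS_OUTPUT
# Only worth adding the NAT rule once the service itself is reachable on
# loopback; otherwise the redirected connection is refused exactly as before.
diagnose() {
    from=$1
    to=$2
    ss_out=$3
    if listens_locally "$to" "$ss_out"; then
        echo "service accepts loopback connections on $to; add the nat OUTPUT redirect:"
        firewalld_local_redirect "$from" "$to"
    else
        echo "service on $to is not reachable from loopback; bind it to 0.0.0.0 or 127.0.0.1 first"
    fi
}

# Constructed `ss -Hltn` sample reproducing the question: the HTTP server is
# bound to the LAN address only, so loopback connections are refused.
SAMPLE_SS='LISTEN 0 128 192.168.100.42:8080 0.0.0.0:* users:(("java",pid=1234,fd=20))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))'

diagnose 80 8080 "$SAMPLE_SS"
# On the live host use real output instead:  diagnose 80 8080 "$(ss -Hltn)"
```

Direct rules sit outside the zone model and are evaluated before it, so keep them few and review them with `firewall-cmd --direct --get-all-rules`. The same PREROUTING limitation applies to the iptables script in the edit: its REDIRECT carries `-i $lan`, so it only rewrites traffic arriving from the LAN and never a connection the host makes to itself.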