1. 首頁
  2. 問答
  3. 無法獲得nftables將端口80重定向到8080

無法獲得nftables將端口80重定向到8080

2016-11-08 98 views
1

我嘗試設置我的服務器,因此它將端口80的流量重定向到端口8080,但它不起作用。 (如果我telnet到端口80,並且「無法連接」,我會得到「連接被拒絕」錯誤。)無法獲得nftables將端口80重定向到8080

我已經能夠使用iptables使其工作,但更喜歡使用nftables。有人知道這個問題可能是什麼嗎? (如果它是相關的,在服務器上運行linode.com,通過提供的Linode內核。)

我得在/etc/nftables.conf如下:

#!/usr/sbin/nft -f 

flush ruleset 

table ip fw { 
     chain in { 
       type filter hook input priority 0; 

       # accept any localhost traffic 
       iif lo accept 

       # accept traffic originated from us 
       ct state established,related accept 

       # accept ssh, alternative http 
       tcp dport { ssh, http, http-alt } ct state new counter accept 

       counter drop 
     } 
} 

table ip nat { 
     chain prerouting { 
       type nat hook prerouting priority 0; 
       tcp dport http redirect to http-alt 
     } 

     chain postrouting { 
       type nat hook postrouting priority 0; 
     } 
}

來源

2016-11-08 user1178488

回答

0

你有沒有意思是table inet filter而不是table ip fw

如果是這樣,我也有類似的問題。將ip nat prerouting優先級更改爲-101讓它工作,但我不知道爲什麼。它可能與NF_IP_PRI_NAT_DST (-100): destination NAT的默認優先級有關。似乎工作的唯一範圍是-101到-200。

#!/usr/sbin/nft -f 

flush ruleset 

table inet filter { 
    chain input { 
     type filter hook input priority 0; 
     counter 

     # accept any localhost traffic 
     iif lo accept 

     # accept traffic originated from us 
     ct state {established,related} accept 

     # activate the following line to accept common local services 
     tcp dport { 22, 80, 443, 9443 } ct state new accept 

     # accept neighbour discovery otherwise IPv6 connectivity breaks. 
     ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept 

     # count and drop any other traffic 
     counter drop 
    } 
} 

table ip nat { 

    chain input { 
     type nat hook input priority 0; 
     counter 
    } 

    chain prerouting { 
     type nat hook prerouting priority -101; 
     counter 
     tcp dport 443 counter redirect to 9443 
    } 

    chain postrouting { 
     type nat hook postrouting priority 0; 
     counter 
    } 
}

counter規則可以很容易地看到,即使是否正在被處理的鏈;計數器值可以通過nft list ruleset查看。

來源

2017-10-07 00:29:44

相關問題

 相關問題