Building on http://blog.sina.com.cn/s/blog_702eef650101moqb.html, and after repeated testing, the following conclusions were reached:
Suppose that connecting to port 80 on 172.16.16.44 should be equivalent to connecting to port 22 on 172.16.16.244. With the configuration file written as below, it does not matter whether port 80 on 172.16.16.44 is already in use by a local service; the traffic only has to be allowed through. The reason is that the DNAT rule in PREROUTING rewrites the destination before the routing decision, so packets for 172.16.16.44:80 never reach the local port 80 at all: they are forwarded to 172.16.16.244:22 and pass through the FORWARD chain, which is the chain that must accept them. The key lines are the two NAT rules (the DNAT in PREROUTING and the SNAT in POSTROUTING) and the FORWARD rules for 172.16.16.244. Packet forwarding must also be enabled on the router (net.ipv4.ip_forward = 1), otherwise the rewritten packets are dropped.
vim /etc/sysconfig/iptables
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the destination before the routing decision: 172.16.16.44:80 -> 172.16.16.244:22.
# Because this runs in PREROUTING, the packet never reaches port 80 on this host.
-A PREROUTING -d 172.16.16.44/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.16.244:22
# Rewrite the source so that replies from 172.16.16.244 come back through this host.
# Only the address is rewritten: a fixed source port (for example :80) would give every
# forwarded session the same reply tuple, so only one session could be active at a time.
-A POSTROUTING -d 172.16.16.244/32 -p tcp -m tcp --dport 22 -j SNAT --to-source 172.16.16.44
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Not needed for the forwarded flow: the DNAT rule diverts packets for 172.16.16.44:80 before they reach INPUT.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
# After DNAT the packets are forwarded, so FORWARD is the chain that has to accept them.
# These two rules allow all traffic to and from 172.16.16.244, not only the SSH flow.
-A FORWARD -s 172.16.16.244/32 -j ACCEPT
-A FORWARD -d 172.16.16.244/32 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
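The same forward written as a script, added here as a worked example; it is not code from the original post or from the linked article. The addresses and ports are the ones in the post; the script, its function names and the `--ctstate DNAT` match are assumptions for illustration. It tightens the ruleset in three ways: it enables net.ipv4.ip_forward before loading (without it the DNAT'ed packets are silently dropped), it SNATs only connections that were DNAT'ed and rewrites only the source address so that concurrent sessions keep distinct source ports, and it forwards only the SSH flow to 172.16.16.244 instead of everything to or from that host.

```shell
#!/bin/sh
# Added example (not from the post or the linked article): generate and load a
# tightened version of the 172.16.16.44:80 -> 172.16.16.244:22 forward.
# Addresses and ports are the post's; the script and its function names are
# assumptions for illustration.
#   sh forward-ssh.sh        # print the ruleset (iptables-save format)
#   sh forward-ssh.sh apply  # as root: enable ip_forward and load the ruleset

ROUTER_IP="172.16.16.44"     # the host running iptables
PUBLIC_PORT="80"             # port clients connect to on the router
TARGET_IP="172.16.16.244"    # the real SSH server
TARGET_PORT="22"

# Ruleset for /etc/sysconfig/iptables (CentOS/RHEL 6) or for iptables-restore.
ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Runs before the routing decision, so a local service on port ${PUBLIC_PORT}
# never sees these packets; whether that port is in use is irrelevant.
-A PREROUTING -d ${ROUTER_IP}/32 -p tcp -m tcp --dport ${PUBLIC_PORT} -j DNAT --to-destination ${TARGET_IP}:${TARGET_PORT}
# Only needed when ${TARGET_IP} does not route its replies back via this host.
# --ctstate DNAT limits it to connections rewritten above; the address-only
# --to-source keeps each session's own source port, so sessions never
# collide on a single reply tuple.
-A POSTROUTING -d ${TARGET_IP}/32 -p tcp -m tcp --dport ${TARGET_PORT} -m conntrack --ctstate DNAT -j SNAT --to-source ${ROUTER_IP}
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# FORWARD sees the post-DNAT destination, so match the real target only:
# nothing else to or from ${TARGET_IP} is forwarded.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d ${TARGET_IP}/32 -p tcp -m tcp --dport ${TARGET_PORT} -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# A DNAT rule does nothing useful unless the kernel forwards packets.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

apply_ruleset() {
    # sysctl -w is not persistent; also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
    ip_forward_enabled || sysctl -w net.ipv4.ip_forward=1
    ruleset | iptables-restore
    # Check: after "ssh -p ${PUBLIC_PORT} user@${ROUTER_IP}" from another host,
    # the pkts counter on the DNAT rule must have increased.
    iptables -t nat -L PREROUTING -n -v
}

case "${1:-show}" in
    apply) apply_ruleset ;;
    show)  ruleset ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Two caveats worth keeping in mind. The SNAT rule is only required when 172.16.16.244 does not route its replies back through 172.16.16.44; when it is in place, sshd on 172.16.16.244 records every login as coming from 172.16.16.44, so the real client address is visible only on the router (for example in its conntrack table via conntrack -L, or in its own logging). And because the DNAT rule captures everything sent to 172.16.16.44:80, no local service listening on that port is reachable from other hosts while the rule is loaded.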