Ubuntu
iptables DNAT rule not working in Ubuntu
I am trying to create a simple iptables rule with the example command below, but the redirection does not work. Since I am not familiar with iptables, I do not know what is missing.
sudo iptables -t nat -A PREROUTING -p tcp -d 10.10.20.10 --dport 8321 -j DNAT --to-destination 192.168.56.101:8321
The IP 10.10.20.10 is not assigned to any interface. The iptables rules are as follows:
# Generated by iptables-save v1.6.1 on Tue Mar 5 14:21:30 2019
*nat
:PREROUTING ACCEPT [5:2009]
:INPUT ACCEPT [5:2009]
:OUTPUT ACCEPT [141:9332]
:POSTROUTING ACCEPT [141:9332]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -d 10.10.20.10/32 -p tcp -m tcp --dport 8321 -j DNAT --to-destination 192.168.56.101:8321
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Tue Mar 5 14:21:30 2019
# Generated by iptables-save v1.6.1 on Tue Mar 5 14:21:30 2019
*filter
:INPUT ACCEPT [923:68802]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [810:87756]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
The ip addr output is:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:46:d2:d7 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 85059sec preferred_lft 85059sec
    inet6 fe80::a00:27ff:fe46:d2d7/64 scope link
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:0e:42:40 brd ff:ff:ff:ff:ff:ff
    inet6 fd0c:6493:12bf:2942::ac18:1164/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe0e:4240/64 scope link
       valid_lft forever preferred_lft forever
4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:bf:83:a2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.101/24 brd 192.168.56.255 scope global dynamic enp0s9
       valid_lft 908sec preferred_lft 908sec
    inet6 fe80::a00:27ff:febf:83a2/64 scope link
       valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:8a:d2:57:bd brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
The ip route output is:
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15
10.0.2.2 dev enp0s3 proto dhcp scope link src 10.0.2.15 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.56.0/24 dev enp0s9 proto kernel scope link src 192.168.56.101
Traffic that originates on the same host where the nat PREROUTING DNAT rule is set does not traverse the nat PREROUTING chain, which is why you do not see it being applied.
Instead, you need to use the nat OUTPUT chain for locally generated packets:
sudo iptables -t nat -A OUTPUT -p tcp -d 10.10.20.10 --dport 8321 -j DNAT --to-destination 192.168.56.101:8321
You can find a flowchart of iptables packet processing by searching Google Images for those keywords; it makes the way iptables works clear at a glance.
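The point made in the answer (a DNAT rule in nat PREROUTING is never consulted for packets the host itself generates) is easy to check mechanically from an iptables-save dump. The following script is an added example, not code from the question or the answer: it parses the nat table, lists DNAT rules per chain, flags any DNAT target that exists only in PREROUTING, and prints the matching nat OUTPUT rule that would cover locally generated traffic. The embedded dump is a constructed sample copied from the nat table in the question; on a real host you would feed it `sudo iptables-save` on stdin. The function names are this example's own.

```python
"""Audit an iptables-save dump for DNAT rules that exist only in nat PREROUTING.

Locally generated packets skip PREROUTING entirely and only hit nat OUTPUT,
so a DNAT that lives solely in PREROUTING silently does nothing for
connections made from the host itself.  This script is an added example;
it is not part of the original question or answer.
"""
import shlex
import sys
from collections import defaultdict

# Constructed sample: the nat table from the question, verbatim.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.6.1 on Tue Mar 5 14:21:30 2019
*nat
:PREROUTING ACCEPT [5:2009]
:INPUT ACCEPT [5:2009]
:OUTPUT ACCEPT [141:9332]
:POSTROUTING ACCEPT [141:9332]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -d 10.10.20.10/32 -p tcp -m tcp --dport 8321 -j DNAT --to-destination 192.168.56.101:8321
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
"""


def _parse_rule(argv):
    """Turn the tokens of an '-A CHAIN ...' line into (chain, {option: value}).

    A '!' before an option is recorded by prefixing the option name with '!'.
    An option takes the following token as its value unless that token is
    itself an option or a '!'; otherwise it is a bare flag stored as True.
    """
    chain = argv[1]
    opts = {}
    negate = False
    i = 2
    while i < len(argv):
        tok = argv[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        key = ("!" if negate else "") + tok
        negate = False
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if nxt is not None and nxt != "!" and not nxt.startswith("-"):
            opts[key] = nxt
            i += 2
        else:
            opts[key] = True
            i += 1
    return chain, opts


def dnat_rules_by_chain(dump):
    """Return {chain: [(dst, proto, dport, to_destination), ...]} for the nat table."""
    by_chain = defaultdict(list)
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. '*nat'
            table = line[1:]
            continue
        if line == "COMMIT":
            table = None
            continue
        if table != "nat" or not line.startswith("-A "):
            continue
        chain, opts = _parse_rule(shlex.split(line))
        if opts.get("-j") != "DNAT":
            continue
        by_chain[chain].append((opts.get("-d", "0.0.0.0/0"), opts.get("-p", "all"),
                                opts.get("--dport"), opts["--to-destination"]))
    return dict(by_chain)


def prerouting_only_dnat(dump):
    """DNAT targets present in PREROUTING with no identical counterpart in OUTPUT."""
    by_chain = dnat_rules_by_chain(dump)
    out = by_chain.get("OUTPUT", [])
    return [r for r in by_chain.get("PREROUTING", []) if r not in out]


def output_rule_for(rule):
    """Render the nat OUTPUT rule covering the same traffic for locally generated packets."""
    dst, proto, dport, to = rule
    parts = ["iptables", "-t", "nat", "-A", "OUTPUT", "-p", proto, "-d", dst]
    if dport:
        parts += ["--dport", dport]
    parts += ["-j", "DNAT", "--to-destination", to]
    return " ".join(parts)


if __name__ == "__main__":
    # Usage: sudo iptables-save | python3 dnat_audit.py   (falls back to the sample)
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for rule in prerouting_only_dnat(dump):
        print("PREROUTING-only DNAT (not applied to host-originated traffic):", rule)
        print("  companion rule:", output_rule_for(rule))
```

On the dump from the question the script reports the 10.10.20.10:8321 rule and prints the same OUTPUT rule the answer gives. One further caveat worth checking on that host: the ip route output shown contains no default route. Routing of locally generated packets happens before the nat OUTPUT hook, so if that table is complete, a connection from the host to 10.10.20.10 fails with "Network is unreachable" before any DNAT rule is consulted, and a route for that destination (or a default route) is needed in addition to the OUTPUT rule.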