Can't get nftables to redirect port 80 to 8080
I have tried to set up my server so that it redirects traffic on port 80 to port 8080, but it does not work. (If I telnet to port 80 I get "Unable to connect", and with Firefox I get a "Connection refused" error.)

I have been able to get it working with iptables, but would prefer to use nftables. Does anyone know what the problem might be? (In case it is relevant, the server runs on linode.com, with a kernel supplied by Linode.)

I have the following in /etc/nftables.conf:
```nft
#!/usr/sbin/nft -f
flush ruleset
table ip fw {
    chain in {
        type filter hook input priority 0;
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state established,related accept
        # accept ssh, alternative http
        tcp dport { ssh, http, http-alt } ct state new counter accept
        counter drop
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0;
        tcp dport http redirect to http-alt
    }
    chain postrouting {
        type nat hook postrouting priority 0;
    }
}
```
Do you mean `table inet filter` rather than `table ip fw`?

If so, I had a similar problem. Changing the `ip nat prerouting` priority to -101 made it work, but I am not sure why. It may be related to the default priority NF_IP_PRI_NAT_DST (-100): destination NAT. It seems the only valid range is -101 to -200.
```nft
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        counter
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state {established,related} accept
        # activate the following line to accept common local services
        tcp dport { 22, 80, 443, 9443 } ct state new accept
        # accept neighbour discovery otherwise IPv6 connectivity breaks.
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        # count and drop any other traffic
        counter drop
    }
}
table ip nat {
    chain input {
        type nat hook input priority 0;
        counter
    }
    chain prerouting {
        type nat hook prerouting priority -101;
        counter
        tcp dport 443 counter redirect to 9443
    }
    chain postrouting {
        type nat hook postrouting priority 0;
        counter
    }
}
```
With the `counter` rules it is easy to see whether a chain is being processed at all; the counter values can be seen with `nft list ruleset`.
If you are only routing on localhost, try using
```nft
table ip nat {
    chain output {
        type nat hook output priority 0;
        tcp dport http redirect to http-alt
    }
}
```
Years ago I read about iptables that packets on the loopback device do not traverse the prerouting chain but go through the output chain instead. That was my problem.
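Putting the two answers together, here is an added example that is not part of any post above: one ruleset that redirects port 80 to 8080 both for external clients (prerouting hook) and for connections made on the host itself (output hook), and that accepts the redirected port in the input filter only when conntrack marks the connection as DNATed, so 8080 is not silently exposed as a second front door. The port numbers, the `fib daddr type local` match, the -100 priority (the conventional destination-NAT value) and the assumption that the service binds 8080 on all addresses are mine, not the asker's.

```nft
#!/usr/sbin/nft -f
# Added example, not the original poster's configuration.
# Assumes: the service listens on 0.0.0.0:8080, and a nft/kernel recent
# enough for the fib expression and ct status matching.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0;
        counter
        # anything on the loopback device is fine
        iif lo accept
        # replies and related packets of connections we already track
        ct state established,related accept
        ct state invalid drop
        # ssh stays reachable
        tcp dport 22 ct state new counter accept
        # The input hook sees the TRANSLATED port, so the redirected HTTP
        # connections arrive here as dport 8080.  "ct status dnat" accepts
        # only those; a client connecting directly to 8080 falls through
        # to the final drop.
        tcp dport 8080 ct status dnat ct state new counter accept
        # keep IPv6 neighbour discovery working
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        # count and drop everything else
        counter drop
    }
}

table ip nat {
    # External clients: their packets enter through prerouting.  -100 is
    # the conventional destination-NAT priority (NF_IP_PRI_NAT_DST), so the
    # redirect happens before any filtering at priority 0.
    chain prerouting {
        type nat hook prerouting priority -100;
        tcp dport 80 counter redirect to 8080
    }
    # Connections the host makes to itself (telnet localhost 80, curl to
    # its own public address) never pass prerouting; they are seen in the
    # output hook.  Matching only locally owned destination addresses keeps
    # the rule from hijacking the host's own outbound HTTP requests to other
    # machines.
    chain output {
        type nat hook output priority -100;
        fib daddr type local tcp dport 80 counter redirect to 8080
    }
}
```

Load it with `nft -f /etc/nftables.conf`, then watch which counters move in `nft list ruleset` while connecting from outside and from the host itself; if the prerouting or output counter stays at zero, the packet is not reaching that hook at all, which is exactly the loopback symptom the answer above describes. Check with `ss -ltn` that the service is really bound on 8080, since a redirect to a port nothing listens on produces the same "Connection refused" as no redirect.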