
FortigateのGUIにアクセスするポート転送を設定する。

■FortigateのGUIにアクセスするポート転送を設定する。
 別のインターフェイス[172.16.16.254/24]に接続したネットワークの
 別の端末からWeb管理したい。

# Generator only: prints (does not apply) the iptables NAT rules that forward
# INTERFACEIP:BASE+{23,80,443} to port {23,80,443} of each Fortigate address
# in the outer loop. BASE grows by 1000 per target, so the first target gets
# 8023/8080/8443 and the second 9023/9080/9443.
# The inner sed squeezes runs of two or more spaces left by the line-continued
# echo into one; the outer sed inserts "\<newline>  " before every "-A"
# (a GNU sed "\n" in the replacement), giving the two-line form shown below.
# NOTE(review): the PREROUTING match is only --dst/--dport, with no -i or -s
# restriction, so any host that can reach INTERFACEIP on those ports is
# forwarded to the Fortigate; 23 (telnet) and 80 carry the management session
# in cleartext, and the POSTROUTING MASQUERADE rewrites the client source
# address, so the Fortigate's own admin-login logs will show the router
# rather than the original client. Rules added this way are not kept across
# a reboot unless saved separately.
$ INTERFACEIP=172.16.16.254; \
  BASE=8000; \
  for m in 172.31.31.252 172.31.31.249;do \
    for n in 23 80 443;do \
      echo "sudo iptables -t nat -A PREROUTING \
                          -m tcp -p tcp \
                          --dst $INTERFACEIP --dport $(($BASE+$n)) \
                          -j DNAT --to-destination $m:$n" ; \
    done | sed -e 's/   */ /g'; \
    echo "sudo iptables -t nat -A POSTROUTING -m tcp -p tcp -o eth2 -d $m/32 -j MASQUERADE"; \
    BASE=$(($BASE+1000)); \
  done | sed -e 's/-A/\\\n  &/g'
sudo iptables -t nat \
  -A PREROUTING -m tcp -p tcp --dst 172.16.16.254 --dport 8023 -j DNAT --to-destination 172.31.31.252:23
sudo iptables -t nat \
  -A PREROUTING -m tcp -p tcp --dst 172.16.16.254 --dport 8080 -j DNAT --to-destination 172.31.31.252:80
sudo iptables -t nat \
  -A PREROUTING -m tcp -p tcp --dst 172.16.16.254 --dport 8443 -j DNAT --to-destination 172.31.31.252:443
sudo iptables -t nat \
  -A POSTROUTING -m tcp -p tcp -o eth2 -d 172.31.31.252/32 -j MASQUERADE
sudo iptables -t nat \
  -A PREROUTING -m tcp -p tcp --dst 172.16.16.254 --dport 9023 -j DNAT --to-destination 172.31.31.249:23
sudo iptables -t nat \
  -A PREROUTING -m tcp -p tcp --dst 172.16.16.254 --dport 9080 -j DNAT --to-destination 172.31.31.249:80
sudo iptables -t nat \
  -A PREROUTING -m tcp -p tcp --dst 172.16.16.254 --dport 9443 -j DNAT --to-destination 172.31.31.249:443
sudo iptables -t nat \
  -A POSTROUTING -m tcp -p tcp -o eth2 -d 172.31.31.249/32 -j MASQUERADE

■「sh」にパイプして実行

# Same generator as the dry run above, but the final "| sh" executes every
# printed line immediately (each one runs iptables under sudo).
# Review the dry-run output first: whatever the loop echoes becomes a
# command, so a typo in INTERFACEIP or the target list is applied as-is.
# The rules are inserted with -A (appended), so re-running this adds
# duplicate DNAT/MASQUERADE entries rather than replacing the old ones.
$ INTERFACEIP=172.16.16.254; \
  BASE=8000; \
  for m in 172.31.31.252 172.31.31.249;do \
    for n in 23 80 443;do \
      echo "sudo iptables -t nat -A PREROUTING \
                          -m tcp -p tcp \
                          --dst $INTERFACEIP --dport $(($BASE+$n)) \
                          -j DNAT --to-destination $m:$n" ; \
    done | sed -e 's/   */ /g'; \
    echo "sudo iptables -t nat -A POSTROUTING -m tcp -p tcp -o eth2 -d $m/32 -j MASQUERADE"; \
    BASE=$(($BASE+1000)); \
  done | sed -e 's/-A/\\\n  &/g' | sh

■確認

# Lists the nat table with packet/byte counters (-v) and numeric addresses (-n),
# keeping only the DNAT and MASQUERADE rules, the "Chain ..." headers (^C) and
# the column header line (pkt). The "\|" alternation is a GNU grep extension.
# NOTE(review): in the listing below the dpt:9023-9443 rows show destination
# 172.16.16.252, while every generated rule uses --dst 172.16.16.254 -- confirm
# the listing was taken from the same rule set as the commands above.
$ sudo iptables -L -v -n -t nat | grep "DNAT\|MASQ\|^C\|pkt"
Chain PREROUTING (policy ACCEPT 1484 packets, 41856 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  104 12240 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.16.254         tcp dpt:8023 to:172.31.31.252:23
   79  4740 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.16.254         tcp dpt:8080 to:172.31.31.252:80
  382 29040 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.16.254         tcp dpt:8443 to:172.31.31.252:443
  232 12240 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.16.252         tcp dpt:9023 to:172.31.31.249:23
   45  4740 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.16.252         tcp dpt:9080 to:172.31.31.249:80
   54 29040 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.16.252         tcp dpt:9443 to:172.31.31.249:443
Chain INPUT (policy ACCEPT 1484 packets, 41856 bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 23 packets, 1546 bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 23 packets, 1546 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    6   360 MASQUERADE  tcp  --  *      eth2    0.0.0.0/0            172.31.31.252       
   24  1440 MASQUERADE  tcp  --  *      eth2    0.0.0.0/0            172.31.31.249