読者です 読者をやめる 読者になる 読者になる

labunix's blog

labunixのラボUnix

FortigateのGUIにアクセスするポート転送を設定する。

■FortigateのGUIにアクセスするポート転送を設定する。
 別のインターフェイス[172.16.16.254/24]に接続したネットワークの
 別の端末からWeb管理したい。

$ INTERFACEIP=172.16.16.254; \
  BASE=8000; \
  for m in 172.31.31.252 172.31.31.249;do \
    for n in 23 80 443;do \
      echo "sudo iptables -t nat -A PREROUTING \
                          -m tcp -p tcp \
                          --dst $INTERFACEIP --dport $(($BASE+$n)) \
                          -j DNAT --to-destination $m:$n" ; \
    done | sed -e 's/   */ /g'; \
    echo "sudo iptables -t nat -A POSTROUTING -m tcp -p tcp -o eth2 -d $m/32 -j MASQUERADE"; \
    BASE=$(($BASE+1000)); \
  done | sed -e 's/-A/\\\n  &/g'
sudo iptables -t nat \
  -A PREROUTING -m tcp -p tcp --dst 172.16.16.254 --dport 8023 -j DNAT --to-destination 172.31.31.252:23
sudo iptables -t nat \
  -A PREROUTING -m tcp -p tcp --dst 172.16.16.254 --dport 8080 -j DNAT --to-destination 172.31.31.252:80
sudo iptables -t nat \
  -A PREROUTING -m tcp -p tcp --dst 172.16.16.254 --dport 8443 -j DNAT --to-destination 172.31.31.252:443
sudo iptables -t nat \
  -A POSTROUTING -m tcp -p tcp -o eth2 -d 172.31.31.252/32 -j MASQUERADE
sudo iptables -t nat \
  -A PREROUTING -m tcp -p tcp --dst 172.16.16.254 --dport 9023 -j DNAT --to-destination 172.31.31.249:23
sudo iptables -t nat \
  -A PREROUTING -m tcp -p tcp --dst 172.16.16.254 --dport 9080 -j DNAT --to-destination 172.31.31.249:80
sudo iptables -t nat \
  -A PREROUTING -m tcp -p tcp --dst 172.16.16.254 --dport 9443 -j DNAT --to-destination 172.31.31.249:443
sudo iptables -t nat \
  -A POSTROUTING -m tcp -p tcp -o eth2 -d 172.31.31.249/32 -j MASQUERADE

■「sh」にパイプして実行

$ INTERFACEIP=172.16.16.254; \
  BASE=8000; \
  for m in 172.31.31.252 172.31.31.249;do \
    for n in 23 80 443;do \
      echo "sudo iptables -t nat -A PREROUTING \
                          -m tcp -p tcp \
                          --dst $INTERFACEIP --dport $(($BASE+$n)) \
                          -j DNAT --to-destination $m:$n" ; \
    done | sed -e 's/   */ /g'; \
    echo "sudo iptables -t nat -A POSTROUTING -m tcp -p tcp -o eth2 -d $m/32 -j MASQUERADE"; \
    BASE=$(($BASE+1000)); \
  done | sed -e 's/-A/\\\n  &/g' | sh

■確認

$ sudo iptables -L -v -n -t nat | grep "DNAT\|MASQ\|^C\|pkt"
Chain PREROUTING (policy ACCEPT 1484 packets, 41856 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  104 12240 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.16.254         tcp dpt:8023 to:172.31.31.252:23
   79  4740 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.16.254         tcp dpt:8080 to:172.31.31.252:80
  382 29040 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.16.254         tcp dpt:8443 to:172.31.31.252:443
  232 12240 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.16.252         tcp dpt:9023 to:172.31.31.249:23
   45  4740 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.16.252         tcp dpt:9080 to:172.31.31.249:80
   54 29040 DNAT       tcp  --  *      *       0.0.0.0/0            172.16.16.252         tcp dpt:9443 to:172.31.31.249:443
Chain INPUT (policy ACCEPT 1484 packets, 41856 bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 23 packets, 1546 bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 23 packets, 1546 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    6   360 MASQUERADE  tcp  --  *      eth2    0.0.0.0/0            172.31.31.252       
   24  1440 MASQUERADE  tcp  --  *      eth2    0.0.0.0/0            172.31.31.249