I configured iptables to forward the Traefik ports 80 and 443 from the WAN, and I can view the content from outside the LAN via the public IP address and the registered domain name (tested from a mobile device with WiFi disabled). Trying to reach the external IP address or the domain name from inside the LAN fails.
Firewall rules
*mangle
# Set default policies for table
# (the "*mangle" header and the COMMIT below were missing; the five chains
#  listed here are exactly the mangle table's, and iptables-restore rejects
#  chain lines that sit outside a table block)
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# wan0 = ISP
# lan0 = LAN
# Traefik
-A PREROUTING -p tcp -i wan0 --dport 80 -j DNAT --to-destination 10.0.1.20:80
-A PREROUTING -p tcp -i wan0 --dport 443 -j DNAT --to-destination 10.0.1.20:443
# ISP
-A POSTROUTING -o wan0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept all established inbound connections
-A INPUT -i wan0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -i wan0 -j DROP
# ISP
-A FORWARD -i wan0 -o lan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan0 -o wan0 -j ACCEPT
# Forward ports 80 and 443 to Traefik
-A FORWARD -p tcp -d 10.0.1.20 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp -d 10.0.1.20 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -o wan0 -j ACCEPT
COMMIT
Why can't I reach the public IP address from inside the LAN?
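An added example, not part of the original post: the DNAT rules above only match packets that enter on wan0, so a LAN client that connects to the public address hits the router's own INPUT chain instead of being forwarded. The script below generates the two extra rules per port that make this "hairpin" (NAT loopback) path work. The public address 203.0.113.10 and the LAN subnet 10.0.1.0/24 are constructed placeholders; the post only shows the server 10.0.1.20 and the interface names.

```shell
#!/bin/sh
# Added example (not the original poster's configuration): emit the hairpin-NAT
# rules that let LAN clients reach 10.0.1.20 through the router's public address.

WAN_IP="${WAN_IP:-203.0.113.10}"   # placeholder: replace with the real wan0 address
LAN_NET="${LAN_NET:-10.0.1.0/24}"  # assumed LAN subnet; the post only shows 10.0.1.20
SERVER="10.0.1.20"                 # Traefik host from the post

# Print the iptables commands instead of running them, so the rules can be
# reviewed first and then applied with:  hairpin_rules | sudo sh
hairpin_rules() {
    for port in 80 443; do
        # 1. Packets entering from the LAN addressed to the public IP get the
        #    same DNAT that packets entering from the WAN already get.
        echo "iptables -t nat -A PREROUTING -i lan0 -s $LAN_NET -d $WAN_IP -p tcp --dport $port -j DNAT --to-destination $SERVER:$port"
        # 2. Rewrite the source so Traefik replies to the router rather than
        #    straight to the client; otherwise the client receives a reply from
        #    10.0.1.20 for a connection it opened to the public IP and resets it.
        echo "iptables -t nat -A POSTROUTING -o lan0 -s $LAN_NET -d $SERVER -p tcp --dport $port -j MASQUERADE"
    done
}

# Number of rules generated: a quick sanity check before piping into sh.
rule_count() {
    hairpin_rules | wc -l | tr -d ' '
}
```

The existing FORWARD rules for 10.0.1.20 match on destination only, without an interface, so lan0-to-lan0 forwarding is already allowed. The MASQUERADE step has a cost worth knowing: Traefik's access logs will show the router's LAN address instead of the real client for hairpinned connections. Split-horizon DNS (resolving the domain to 10.0.1.20 inside the LAN) avoids the hairpin entirely and keeps client addresses intact.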