
A question about Linux NAT port 81 => 80!

A Linux host with two NICs, internal (eth0) and external (eth1), first acts as a squid proxy server; then iptables is used to redirect access to eth1 TCP port 3389 to the internal host 10.224.0.3 port 3389 (Remote Desktop), and access to eth1 TCP port 81 to the internal host 10.224.0.3 port 80. The code added to rc.local is as follows:

# ==============================================
service squid start

# load the netfilter / connection-tracking modules (including the FTP helpers)
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp

service iptables start

# DNAT: rewrite the destination of inbound eth1 connections to the internal host
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 81 -j DNAT --to-destination 10.224.0.3:80
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 3213 -j DNAT --to-destination 10.224.0.3:3213

# accept inbound connections to these ports on eth1
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 81 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 82 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 3213 -j ACCEPT

# masquerade outbound traffic on eth1, drop all other inbound traffic on eth1
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A INPUT -i eth1 -j DROP
# =============================================

But the actual result is that 3389 is redirected correctly (telnet internet_ip 3389 succeeds), while 81 is not redirected: telnet internet_ip 81 reports that the port is not open. After changing the web service on 10.224.0.3 from port 80 to port 81 and changing the iptables entry from

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 81 -j DNAT --to-destination 10.224.0.3:80

to

iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 81 -j DNAT --to-destination 10.224.0.3:81

port 81 was redirected successfully. In other words, the iptables --dport number must be identical to the --to-destination port number. Why is that? What did I do wrong, and is there a way to solve it?


TARGET EXTENSIONS
       iptables can use extended target modules: the following are included in
       the standard distribution.
   DNAT
       This target is only valid in the nat table, in the PREROUTING and  OUT-
       PUT  chains,  and  user-defined chains which are only called from those
       chains.  It specifies that the destination address of the packet should
       be  modified  (and  all  future packets in this connection will also be
       mangled), and rules should cease being examined.  It takes one type  of
       option:

       --to-destination ipaddr[-ipaddr][:port-port]
              which can specify a single new destination IP address, an inclu-
              sive range of IP addresses, and optionally, a port range  (which
              is  only valid if the rule also specifies -p tcp or -p udp).  If
              no port range is specified, then the destination port will never
              be modified.
              You can add several --to-destination options.  If you specify more
              than  one  destination  address,  either via an address range or
              multiple --to-destination options,  a  simple  round-robin  (one
              after another in cycle) load balancing takes place between these
              addresses.
--to-destination is being used incorrectly; try adding REDIRECT after the DNAT:
iptables -t nat -A PREROUTING --dport 81 -i eth0 -j REDIRECT --to 80
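A small audit script, added here as an example and not part of the thread, that reads iptables-save output, works out each DNAT rule's real destination (applying the man page rule quoted above: a --to-destination without a port leaves the port unchanged) and checks whether the FORWARD chain lets the rewritten packet through. The ruleset it checks is a constructed sample built from the original post's rules; the FORWARD policy and the -d 10.224.0.3/32 rule in it are assumptions for the demo.

```python
"""Audit iptables-save text for DNAT port forwards (added example, not from the thread).
DNATed packets traverse FORWARD, not INPUT, so INPUT ACCEPTs on --dport 81 do not help."""
import re

def parse_dnat(line):
    """Return (public_dport, dst_ip, effective_dst_port) for a DNAT rule, else None."""
    if " -j DNAT " not in line:
        return None
    dport = re.search(r"--dport (\d+)", line)
    to = re.search(r"--to-destination (\d+\.\d+\.\d+\.\d+)(?::(\d+))?", line)
    if not (dport and to):
        return None
    # no port in --to-destination: the destination port is left as matched by --dport
    new_port = int(to.group(2)) if to.group(2) else int(dport.group(1))
    return int(dport.group(1)), to.group(1), new_port

def forward_allows(lines, dst_ip, dst_port):
    """True if FORWARD policy is ACCEPT or an explicit FORWARD ACCEPT matches the rewritten flow."""
    for line in lines:
        if line.startswith(":FORWARD ACCEPT"):
            return True
        if line.startswith("-A FORWARD") and "-j ACCEPT" in line:
            d = re.search(r"-d (\S+)", line)
            p = re.search(r"--dport (\d+)", line)
            if (d is None or d.group(1).split("/")[0] == dst_ip) and (
                    p is None or int(p.group(1)) == dst_port):
                return True
    return False

def audit(save_text):
    """List (public_port, 'ip:port', forward_ok) for every DNAT rule in the dump."""
    lines = [l.strip() for l in save_text.splitlines() if l.strip()]
    out = []
    for line in lines:
        rule = parse_dnat(line)
        if rule:
            dport, ip, port = rule
            out.append((dport, f"{ip}:{port}", forward_allows(lines, ip, port)))
    return out

# constructed sample: the post's DNAT rules plus an assumed filter table
SAMPLE = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 10.224.0.3/32 -p tcp -m tcp --dport 3213 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 81 -j ACCEPT
COMMIT
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 81 -j DNAT --to-destination 10.224.0.3:80
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3213 -j DNAT --to-destination 10.224.0.3:3213
-A PREROUTING -i eth1 -p tcp -m tcp --dport 82 -j DNAT --to-destination 10.224.0.3
COMMIT
"""
```

Run `audit(SAMPLE)` (or feed it the real `iptables-save` output): each DNAT rule whose rewritten destination has no matching FORWARD ACCEPT is reported with `False`, which is the first thing to check when a forward "works" for one port and not another.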
