iptables实现反向代理
Posted metasequoia
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了iptables实现反向代理相关的知识,希望对你有一定的参考价值。
简介
Client: 192.168.189.149
Proxy: 172.19.222.16
RealServer: 192.100.13.203
拓扑图
配置
开启服务器路由转发功能
echo "1" > /proc/sys/net/ipv4/ip_forward
实验
一、(对应拓扑图中的例1)
配置
-A PREROUTING -p tcp -d 172.19.222.16/32 --dport 3389 -j DNAT --to-destination 192.100.13.203:3389 -A POSTROUTING -j MASQUERADE
抓包分析(Client: nc -w2 -t -v 172.19.222.16 3389 Proxy: tcpdump -nn port 3389)
[root@tv_proxy ~]# tcpdump -nn port 3389 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 01:37:06.476695 IP 192.168.189.149.58685 > 172.19.222.16.3389: Flags [S], seq 1226688947, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788372890 ecr 0,sackOK,eol], length 0 01:37:06.476765 IP 172.19.222.16.58685 > 192.100.13.203.3389: Flags [S], seq 1226688947, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788372890 ecr 0,sackOK,eol], length 0 01:37:06.483030 IP 192.100.13.203.3389 > 172.19.222.16.58685: Flags [S.], seq 3555435495, ack 1226688948, win 8192, options [mss 1448,nop,wscale 8,sackOK,TS val 1118072622 ecr 788372890], length 0 01:37:06.483093 IP 172.19.222.16.3389 > 192.168.189.149.58685: Flags [S.], seq 3555435495, ack 1226688948, win 8192, options [mss 1448,nop,wscale 8,sackOK,TS val 1118072622 ecr 788372890], length 0 01:37:06.487023 IP 192.168.189.149.58685 > 172.19.222.16.3389: Flags [.], ack 1, win 4106, options [nop,nop,TS val 788372901 ecr 1118072622], length 0 01:37:06.487040 IP 172.19.222.16.58685 > 192.100.13.203.3389: Flags [.], ack 1, win 4106, options [nop,nop,TS val 788372901 ecr 1118072622], length 0 01:37:08.503085 IP 192.168.189.149.58685 > 172.19.222.16.3389: Flags [F.], seq 1, ack 1, win 4106, options [nop,nop,TS val 788374912 ecr 1118072622], length 0 01:37:08.503129 IP 172.19.222.16.58685 > 192.100.13.203.3389: Flags [F.], seq 1, ack 1, win 4106, options [nop,nop,TS val 788374912 ecr 1118072622], length 0 01:37:08.503704 IP 192.100.13.203.3389 > 172.19.222.16.58685: Flags [.], ack 2, win 259, options [nop,nop,TS val 1118072824 ecr 788374912], length 0 01:37:08.503729 IP 172.19.222.16.3389 > 192.168.189.149.58685: Flags [.], ack 2, win 259, options [nop,nop,TS val 1118072824 ecr 788374912], length 0
验证了IP包的(拓扑图中例1 (1) -> (2) ->(3) ->(4) )走向
二、(对应拓扑图中的例2)# 错误的配置
配置
-A PREROUTING -p tcp -d 172.19.222.16/32 --dport 3389 -j DNAT --to-destination 192.100.13.203:3389
抓包分析(Client: nc -w2 -t -v 172.19.222.16 3389 )
Proxy: tcpdump -nn port 3389
[root@tv_proxy ~]# tcpdump -nn port 3389 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes 01:33:07.135139 IP 192.168.189.149.58678 > 172.19.222.16.3389: Flags [S], seq 532017972, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788133903 ecr 0,sackOK,eol], length 0 01:33:07.135227 IP 192.168.189.149.58678 > 192.100.13.203.3389: Flags [S], seq 532017972, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788133903 ecr 0,sackOK,eol], length 0
RealServer: tcpdump -nn port 3389
[root@fortress ~]# tcpdump -i ens192 -nn port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 65535 bytes
01:46:13.647774 IP 192.168.189.149.58678 > 192.100.13.203.3389: Flags [S], seq 20768373, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788919097 ecr 0,sackOK,eol], length 0
01:46:13.647846 IP 192.100.13.203.3389 > 192.168.189.149.58678: Flags [S.], seq 752203413, ack 20768374, win 14480, options [mss 1460,sackOK,TS val 1766913754 ecr 788919097,nop,wscale 7], length 0
步骤(3)的连接不能建立,RealServer发送syn+ack给Client但Client没有发送过目的地址是RealServer的包,所有直接丢弃(如果要实现这种架构请参考lvs dr或tunnel模式)。
以上是关于iptables实现反向代理的主要内容,如果未能解决你的问题,请参考以下文章
使用本脚本可以自动批量完成中间节点环境的部署工作,包括:Nginx编译安装添加程序管理脚本设置开机启动反向代理配置证书分发添加iptables规则等
Consul+Registrator+Docker实现服务发现(nginx反向代理)
haproxy笔记之一:Haproxy基本安装配置(反向代理,类似Nginx,可以代理tcp的连接,不只是http)(注意iptables和selinux的问题)