
Bazingafraser


Implementing a reverse proxy with iptables NAT

I. Server information

1. Client IP: 192.168.110.57

2. Proxy server IP: 192.168.110.56

3. Real (backend) server IP: 192.168.110.63

 

II. Requirements

1. When the client connects to ports 8000-8005 on the proxy server 192.168.110.56, forward the connection to ports 8000-8005 on the real server 192.168.110.63 (like an nginx TCP stream proxy).

2. When the client connects to port 80 on the proxy server 192.168.110.56, forward the connection to port 80 on the real server 192.168.110.63. The original post compares this to an nginx virtual-host (domain name) proxy, but the comparison only goes so far: iptables rewrites addresses at layer 3/4 and never sees the HTTP Host header, so every connection to port 80 lands on the same backend no matter which domain name the client used.

 

III. Procedure (all iptables rules below are configured on the proxy server 192.168.110.56)

 

1. Enable IP forwarding

(1) Method one (takes effect immediately, lost on reboot)

[root@i-ekowjial ~]# echo 1 > /proc/sys/net/ipv4/ip_forward

Note the space before `>`. The original post wrote `echo 1>/proc/sys/net/ipv4/ip_forward`; bash parses `1>` there as a redirection of file descriptor 1, so `echo` runs with no arguments and the value 1 is never written, leaving forwarding disabled. Verify with `cat /proc/sys/net/ipv4/ip_forward`, which must print 1.

(2) Method two (persistent)

[root@i-ekowjial ~]# vim /etc/sysctl.conf

net.ipv4.ip_forward = 1         # defaults to 0 (disabled); set to 1, save and quit

[root@i-ekowjial ~]# sysctl -p  # reload so the change takes effect

 

2. Set up the iptables forwarding rules (requirement 1)

(1) Forward ports 8000-8005

[root@i-ekowjial ~]# iptables -t nat -A PREROUTING -d 192.168.110.56/32 -p tcp -m tcp --dport 8000:8005 -j DNAT --to-destination  192.168.110.63

This rule rewrites the destination address of packets arriving for the proxy. With no port given in `--to-destination`, the destination port is left unchanged, so 8000 maps to 8000, 8001 to 8001, and so on.

 

[root@i-ekowjial ~]# iptables -t nat -A POSTROUTING -d 192.168.110.63/32 -p tcp -m tcp --dport 8000:8005 -j SNAT --to-source 192.168.110.56

The SNAT is required, not optional: the client and the real server are on the same subnet, so without it the real server would answer the client directly from 192.168.110.63, the client would see a reply from an address it never connected to, and the handshake would fail. The price is that the real server now sees 192.168.110.56 as the source of every connection, so its access logs and any IP-based access control on it no longer see the real client address.

 

[root@i-dnbahrtz ~]# iptables -t filter -A FORWARD -d 192.168.110.63/32 -p tcp -m state --state NEW -m tcp --dport 8000:8005 -j ACCEPT

[root@i-dnbahrtz ~]# iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

The original post added this ACCEPT to the INPUT chain. A DNATed packet is routed through the proxy rather than delivered to it, so it traverses the FORWARD chain and never INPUT; an ACCEPT in INPUT neither permits nor blocks it, it merely opens ports 8000-8005 on the proxy's own services to the network. The first FORWARD rule above is what lets the forwarded connection through when the chain's policy is DROP or it ends in a REJECT rule (the stock /etc/sysconfig/iptables on CentOS 6 ends FORWARD with a REJECT; in that case insert with `-I` instead of appending with `-A`, or the new rule sits after the REJECT and is never reached). The second rule lets the real server's replies back through.

 

(2) Save the firewall rules

[root@i-dnbahrtz ~]# iptables-save > /etc/sysconfig/iptables

 

(3) Restart the firewall

 

[root@i-dnbahrtz ~]# /etc/init.d/iptables restart
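Before testing from the client it is worth checking the dump that `iptables-save` just wrote. The script below is an added example, not the post's own code: `audit_ruleset` (a name chosen here) parses an iptables-save file, or stdin, and for every DNAT rule in nat/PREROUTING checks that a matching SNAT rule and a FORWARD ACCEPT exist, and warns about ACCEPT rules placed in INPUT, which never see forwarded traffic. The two embedded rulesets are constructed samples: `sample_post_ruleset` mirrors the post's rules with the ACCEPT in INPUT and a DROP policy on FORWARD, `sample_fixed_ruleset` is the corrected set.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit an iptables-save dump such
# as /etc/sysconfig/iptables for the DNAT "reverse proxy" pattern on this page.
# Usage: audit_ruleset [FILE]   (no FILE: read the dump from stdin)
set -e

# has_line REGEX LINE...: true if any LINE matches the extended regex REGEX
has_line() {
    local re="$1" x; shift
    for x in "$@"; do [[ $x =~ $re ]] && return 0; done
    return 1
}

audit_ruleset() {
    local table="" line l rc=0 fwd_policy="(no policy line)"
    local nat=() filter=()
    # split the dump into per-table rule lists; a "*name" line starts a table
    while IFS= read -r line; do
        case "$line" in
            '*'*) table="${line#\*}" ;;
            -A*|:*)
                if [ "$table" = nat ]; then nat+=("$line")
                elif [ "$table" = filter ]; then filter+=("$line"); fi ;;
        esac
    done < "${1:-/dev/stdin}"
    # default policy of FORWARD: with ACCEPT no explicit FORWARD rule is needed
    for l in "${filter[@]}"; do
        if [[ $l =~ ^:FORWARD\ ([A-Z]+) ]]; then fwd_policy="${BASH_REMATCH[1]}"; fi
    done
    for l in "${nat[@]}"; do
        [[ $l =~ ^-A\ PREROUTING\ .*--dport\ ([0-9:]+)\ -j\ DNAT\ --to-destination\ ([0-9.]+)(:([0-9]+))? ]] || continue
        local listen="${BASH_REMATCH[1]}" backend="${BASH_REMATCH[2]}"
        local bport="${BASH_REMATCH[4]:-${BASH_REMATCH[1]}}"   # destination port after DNAT
        local bre="${backend//./\\.}"                          # literal dots in the regex
        # SNAT in POSTROUTING: otherwise the backend answers the client directly
        if ! has_line "^-A POSTROUTING -d $bre/32 .*--dport $bport -j SNAT" "${nat[@]}"; then
            echo "MISSING SNAT  : $listen -> $backend:$bport; backend would answer the client directly"
            rc=1
        fi
        # forwarded packets traverse FORWARD, so they need an ACCEPT there (or an ACCEPT policy)
        if [ "$fwd_policy" != ACCEPT ] && ! has_line "^-A FORWARD .*--dport $bport .*-j ACCEPT" "${filter[@]}"; then
            echo "MISSING FORWARD: $backend:$bport not accepted in FORWARD (policy $fwd_policy)"
            rc=1
        fi
        # an ACCEPT in INPUT does nothing for DNATed traffic; it only opens the proxy's own port
        if has_line "^-A INPUT .*--dport $listen .*-j ACCEPT" "${filter[@]}"; then
            echo "WARNING        : INPUT ACCEPT for --dport $listen does not cover DNATed traffic"
        fi
    done
    return $rc
}

# Constructed sample: the rules as the post saves them (ACCEPT in INPUT, FORWARD policy DROP)
sample_post_ruleset() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.110.56/32 -p tcp -m tcp --dport 8000:8005 -j DNAT --to-destination 192.168.110.63
-A PREROUTING -d 192.168.110.56/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.110.63:80
-A POSTROUTING -d 192.168.110.63/32 -p tcp -m tcp --dport 8000:8005 -j SNAT --to-source 192.168.110.56
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8000:8005 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: the corrected ruleset (SNAT for both mappings, ACCEPTs in FORWARD)
sample_fixed_ruleset() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.110.56/32 -p tcp -m tcp --dport 8000:8005 -j DNAT --to-destination 192.168.110.63
-A PREROUTING -d 192.168.110.56/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.110.63:80
-A POSTROUTING -d 192.168.110.63/32 -p tcp -m tcp --dport 8000:8005 -j SNAT --to-source 192.168.110.56
-A POSTROUTING -d 192.168.110.63/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.110.56
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 192.168.110.63/32 -p tcp -m tcp --dport 8000:8005 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.110.63/32 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

if [ $# -gt 0 ]; then
    audit_ruleset "$1"          # e.g. ./audit.sh /etc/sysconfig/iptables
else
    echo "== ruleset as the post saves it (constructed sample) =="
    if sample_post_ruleset | audit_ruleset; then echo "clean"; else echo "=> fix before restarting iptables"; fi
    echo "== corrected ruleset (constructed sample) =="
    if sample_fixed_ruleset | audit_ruleset; then echo "clean"; else echo "=> problems remain"; fi
fi
```

Run it with the saved file as the argument, or with no argument to see both samples audited. The exit status is non-zero whenever a mapping lacks its SNAT or FORWARD counterpart, so the script can gate the restart step.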

 

(4) From the client, first check that ports 8000-8005 on the real server 192.168.110.63 are reachable directly; if they are not, open them on the real server before testing the proxy

[root@192.168.110.57 ~]# nc -z -w 1 192.168.110.63  8000-8005

Connection to 192.168.110.63 8000 port [tcp/irdmi] succeeded!

Connection to 192.168.110.63 8001 port [tcp/vcom-tunnel] succeeded!

Connection to 192.168.110.63 8002 port [tcp/teradataordbms] succeeded!

Connection to 192.168.110.63 8003 port [tcp/mcreport] succeeded!

Connection to 192.168.110.63 8004 port [tcp/*] succeeded!

Connection to 192.168.110.63 8005 port [tcp/mxi] succeeded!

[root@192.168.110.57 ~]#

  

The ports on the real server are open. Next, check whether the port forwarding configured on the proxy server works.

(5) From the client, check that ports 8000-8005 on the proxy server 192.168.110.56 accept connections

[root@192.168.110.57 ~]# nc -z -w 1 192.168.110.56  8000-8005

Connection to 192.168.110.56 8000 port [tcp/irdmi] succeeded!

Connection to 192.168.110.56 8001 port [tcp/vcom-tunnel] succeeded!

Connection to 192.168.110.56 8002 port [tcp/teradataordbms] succeeded!

Connection to 192.168.110.56 8003 port [tcp/mcreport] succeeded!

Connection to 192.168.110.56 8004 port [tcp/*] succeeded!

Connection to 192.168.110.56 8005 port [tcp/mxi] succeeded!

[root@192.168.110.57 ~]#

  

 

3. Set up the iptables forwarding rules (requirement 2)

(1) Forward port 80 to port 80

[root@i-ekowjial ~]# iptables -t nat -A PREROUTING -d 192.168.110.56/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination  192.168.110.63:80

 

[root@i-ekowjial ~]# iptables -t nat -A POSTROUTING -d 192.168.110.63/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.110.56

 

[root@i-dnbahrtz ~]# iptables -t filter -A FORWARD -d 192.168.110.63/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

The original post put this ACCEPT in INPUT; forwarded packets traverse FORWARD, not INPUT, so that is where the rule belongs (and where it must precede any REJECT rule the chain already ends in).

  

 

(2) Forward port 443 to port 80

This is a plain TCP redirect, not TLS termination. A client that connects to 443 expecting HTTPS sends a TLS ClientHello to a backend that speaks plain HTTP, so the TLS handshake fails even though the TCP connection (which is all `nc -z` checks) succeeds. Terminating TLS needs a userspace proxy such as nginx or stunnel in front of the backend; iptables cannot do it.

[root@i-ekowjial ~]# iptables -t nat -A PREROUTING -d 192.168.110.56/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination  192.168.110.63:80

 

[root@i-ekowjial ~]# iptables -t nat -A POSTROUTING -d 192.168.110.63/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.110.56

This SNAT rule is identical to the one added in (1): after DNAT the packet's destination port is already 80, so the existing POSTROUTING rule matches it and this second copy only duplicates the rule. It can be skipped.

 

[root@i-dnbahrtz ~]# iptables -t filter -A FORWARD -d 192.168.110.63/32 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

The original post put an ACCEPT for `--dport 443` in INPUT. The forwarded packet traverses FORWARD, not INPUT, and by the time it gets there its destination port has already been rewritten to 80 by the DNAT rule, so the FORWARD rule matches on 80. If the FORWARD ACCEPT for port 80 from (1) is already in place, this rule is covered by it.

 

(3) Save the firewall rules

[root@i-dnbahrtz ~]# iptables-save > /etc/sysconfig/iptables

 

(4) Restart the firewall

[root@i-dnbahrtz ~]# /etc/init.d/iptables restart
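The complete ruleset for both requirements, as a script added here (it is not the post's own code): `emit_mapping` prints the DNAT, FORWARD and SNAT rules for one port mapping, `emit_ruleset` assembles the page's three mappings (8000-8005, 80 and 443 to 80), and `apply` loads them idempotently, running `iptables -C` before each `-A` so that a second run adds no duplicate rules. The addresses default to the lab IPs above; `PROXY_IP` and `REAL_IP` are environment variable names chosen here to override them.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): generate and, optionally, apply
# the full iptables ruleset for the DNAT/SNAT "reverse proxy" on this page.
# Usage: script [print|apply]   (print is the default and touches nothing)
set -euo pipefail

PROXY_IP="${PROXY_IP:-192.168.110.56}"   # proxy host, where these rules are loaded
REAL_IP="${REAL_IP:-192.168.110.63}"     # backend that actually serves the ports

# emit_common: one-time prerequisites, printed once before any mapping
emit_common() {
    # without ip_forward the kernel discards DNATed packets instead of routing them
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    # replies from the backend must be allowed back through FORWARD as well
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# emit_mapping LISTEN [BACKEND]
#   LISTEN : a port ("80") or range ("8000:8005") the proxy accepts on
#   BACKEND: optional single backend port; omitted means "same port(s)"
# Prints the three iptables commands for that mapping and executes nothing.
emit_mapping() {
    local listen="$1" backend="${2:-}"
    local dst="$REAL_IP" bport="$listen"
    if [ -n "$backend" ]; then          # port remap, e.g. 443 -> 80
        dst="$REAL_IP:$backend"
        bport="$backend"
    fi
    # 1. nat/PREROUTING: rewrite the destination as the packet arrives
    printf 'iptables -t nat -A PREROUTING -d %s/32 -p tcp -m tcp --dport %s -j DNAT --to-destination %s\n' \
        "$PROXY_IP" "$listen" "$dst"
    # 2. filter/FORWARD: DNATed packets are routed, not delivered locally, so they
    #    pass through FORWARD (matched on the post-DNAT port); INPUT never sees them
    printf 'iptables -A FORWARD -d %s/32 -p tcp -m tcp --dport %s -m state --state NEW -j ACCEPT\n' \
        "$REAL_IP" "$bport"
    # 3. nat/POSTROUTING: rewrite the source so the backend answers the proxy, not
    #    the client directly (on a flat LAN the direct answer breaks the handshake);
    #    side effect: the backend logs PROXY_IP as the client for every connection
    printf 'iptables -t nat -A POSTROUTING -d %s/32 -p tcp -m tcp --dport %s -j SNAT --to-source %s\n' \
        "$REAL_IP" "$bport" "$PROXY_IP"
}

# emit_ruleset: the complete set for the page's requirements
emit_ruleset() {
    emit_common
    emit_mapping 8000:8005      # requirement 1: TCP range, same ports on the backend
    emit_mapping 80             # requirement 2: 80 -> 80
    emit_mapping 443 80         # 443 -> 80 (raw TCP redirect, no TLS termination)
}

# apply_line CMD: run an "iptables ... -A CHAIN ..." command only if the rule is
# not already loaded (-C), so re-running never duplicates rules; other commands
# (the sysctl line) run as they are.
apply_line() {
    local cmd="$1"
    case "$cmd" in
        iptables*)
            # shellcheck disable=SC2086
            if ${cmd/ -A / -C } >/dev/null 2>&1; then
                echo "exists: $cmd"
            else
                if ! $cmd; then echo "failed: $cmd" >&2; return 1; fi
                echo "added:  $cmd"
            fi ;;
        *) $cmd ;;
    esac
}

case "${1:-print}" in
    print) emit_ruleset ;;                                   # dry run
    apply) emit_ruleset | while IFS= read -r l; do apply_line "$l"; done
           iptables-save > /etc/sysconfig/iptables ;;        # persist, as the post does
    *) echo "usage: $0 [print|apply]" >&2 ;;
esac
```

`print` (the default) shows the commands without touching the system; `apply`, run as root on the proxy, loads them and saves the result to /etc/sysconfig/iptables as the post does. If the FORWARD chain already ends in a REJECT rule, change the `-A FORWARD` lines to `-I FORWARD` so the new rules are reached.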

 

(5) Test from the client

[root@192.168.110.57 ~]# nc -z -w 1 192.168.110.56  443

Connection to 192.168.110.56 443 port [tcp/https] succeeded!

[root@192.168.110.57 ~]# nc -z -w 1 192.168.110.56  80

Connection to 192.168.110.56 80 port [tcp/http] succeeded!

`nc -z` only completes the TCP handshake, which the DNAT satisfies as long as the backend port is listening; it says nothing about whether the service behind it works. To check the forwarded service itself, fetch something through the proxy, for example `curl -sI http://192.168.110.56/`, and compare with the same request sent straight to 192.168.110.63. The same check against the 443 rule, `curl -kI https://192.168.110.56/`, fails at the TLS handshake, because the backend on port 80 speaks plain HTTP.

 

Please credit the source when reposting: http://www.cnblogs.com/bazingafraser/p/8549620.html

posted on 2018-03-12 15:37 by Bazingafraser