iptables实现反向代理

简介

Client: 192.168.189.149

Proxy: 172.19.222.16

RealServer: 192.100.13.203

 

拓扑图

 

配置

开启服务器路由转发功能

echo "1" > /proc/sys/net/ipv4/ip_forward

 

实验

一、(对应拓扑图中的例1)

配置

-A PREROUTING -p tcp -d 172.19.222.16/32 --dport 3389 -j DNAT --to-destination 192.100.13.203:3389
-A POSTROUTING -j MASQUERADE

抓包分析(Client: nc -w2 -t -v 172.19.222.16 3389 Proxy: tcpdump -nn port 3389)

[root@tv_proxy ~]# tcpdump -nn port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:37:06.476695 IP 192.168.189.149.58685 > 172.19.222.16.3389: Flags [S], seq 1226688947, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788372890 ecr 0,sackOK,eol], length 0
01:37:06.476765 IP 172.19.222.16.58685 > 192.100.13.203.3389: Flags [S], seq 1226688947, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788372890 ecr 0,sackOK,eol], length 0
01:37:06.483030 IP 192.100.13.203.3389 > 172.19.222.16.58685: Flags [S.], seq 3555435495, ack 1226688948, win 8192, options [mss 1448,nop,wscale 8,sackOK,TS val 1118072622 ecr 788372890], length 0
01:37:06.483093 IP 172.19.222.16.3389 > 192.168.189.149.58685: Flags [S.], seq 3555435495, ack 1226688948, win 8192, options [mss 1448,nop,wscale 8,sackOK,TS val 1118072622 ecr 788372890], length 0
01:37:06.487023 IP 192.168.189.149.58685 > 172.19.222.16.3389: Flags [.], ack 1, win 4106, options [nop,nop,TS val 788372901 ecr 1118072622], length 0
01:37:06.487040 IP 172.19.222.16.58685 > 192.100.13.203.3389: Flags [.], ack 1, win 4106, options [nop,nop,TS val 788372901 ecr 1118072622], length 0
01:37:08.503085 IP 192.168.189.149.58685 > 172.19.222.16.3389: Flags [F.], seq 1, ack 1, win 4106, options [nop,nop,TS val 788374912 ecr 1118072622], length 0
01:37:08.503129 IP 172.19.222.16.58685 > 192.100.13.203.3389: Flags [F.], seq 1, ack 1, win 4106, options [nop,nop,TS val 788374912 ecr 1118072622], length 0
01:37:08.503704 IP 192.100.13.203.3389 > 172.19.222.16.58685: Flags [.], ack 2, win 259, options [nop,nop,TS val 1118072824 ecr 788374912], length 0
01:37:08.503729 IP 172.19.222.16.3389 > 192.168.189.149.58685: Flags [.], ack 2, win 259, options [nop,nop,TS val 1118072824 ecr 788374912], length 0

验证了IP包的(拓扑图中例1 (1) -> (2) ->(3) ->(4) )走向

 

二、(对应拓扑图中的例2)# 错误的配置

配置

-A PREROUTING -p tcp -d 172.19.222.16/32 --dport 3389 -j DNAT --to-destination 192.100.13.203:3389

抓包分析(Client: nc -w2 -t -v 172.19.222.16 3389 )

Proxy: tcpdump -nn port 3389

[root@tv_proxy ~]# tcpdump -nn port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:33:07.135139 IP 192.168.189.149.58678 > 172.19.222.16.3389: Flags [S], seq 532017972, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788133903 ecr 0,sackOK,eol], length 0
01:33:07.135227 IP 192.168.189.149.58678 > 192.100.13.203.3389: Flags [S], seq 532017972, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788133903 ecr 0,sackOK,eol], length 0

RealServer: tcpdump -nn port 3389



[root@fortress ~]# tcpdump -i ens192 -nn port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 65535 bytes
01:46:13.647774 IP 192.168.189.149.58678 > 192.100.13.203.3389: Flags [S], seq 20768373, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788919097 ecr 0,sackOK,eol], length 0
01:46:13.647846 IP 192.100.13.203.3389 > 192.168.189.149.58678: Flags [S.], seq 752203413, ack 20768374, win 14480, options [mss 1460,sackOK,TS val 1766913754 ecr 788919097,nop,wscale 7], length 0


 




 步骤(3)的连接不能建立,RealServer发送syn+ack给Client但Client没有发送过目的地址是RealServer的包,所有直接丢弃(如果要实现这种架构请参考lvs dr或tunnel模式)。






            

            
posted @ 
2017-03-06 16:56 
metasequoia 
阅读(3796) 
评论(1编辑 
收藏 
举报