A very common task when administering servers is redirecting traffic.
Let's say we have a server with several services running, and for whatever reason we move one of those services (say POP3, which is port 110) to another server. The usual and most common thing would be to just change the IP in the DNS record; however, anyone who was using the IP address instead of the subdomain will still be hitting the old server.
What to do? ... Simple: redirect the traffic that server receives on that port to the other server, on the same port.
How do we start redirecting traffic?
The first thing is that forwarding must be enabled on the server; for that we run the following:
echo "1" > /proc/sys/net/ipv4/ip_forward
You can also use this other command if the previous one doesn't work for you (it happened to me that way on CentOS):
sysctl -w net.ipv4.ip_forward=1
Either way the setting is runtime only and is lost on reboot; to make it permanent put net.ipv4.ip_forward = 1 in /etc/sysctl.conf (or in a file under /etc/sysctl.d/) and load it with sysctl -p. A quick check is cat /proc/sys/net/ipv4/ip_forward, which should print 1.
Then we restart the network (not strictly necessary, since the sysctl takes effect immediately, but it doesn't hurt):
service networking restart
On RPM distros like CentOS and others, it would be:
service network restart
Now we get to the important part: telling the server, via iptables, what to redirect:
iptables -t nat -A PREROUTING -p tcp --dport <receiving port> -j DNAT --to-destination <destination ip>:<destination port>
In other words, and following the example above, let's say we want to redirect all the traffic our server receives on port 110 to another server (e.g. 10.10.0.2) that still receives that traffic on port 110 (it is the same service):
iptables -t nat -A PREROUTING -p tcp --dport 110 -j DNAT --to-destination 10.10.0.2:110
The 10.10.0.2 server will see that all packets or requests come from the client's IP. If you want to mask the requests, i.e. have the second server see them arriving from the IP of the first server (the one doing the redirection), add this second line as well:
iptables -t nat -A POSTROUTING -j MASQUERADE
A few caveats. Masquerading is usually not optional: 10.10.0.2 replies directly to the client's IP, so unless its route back to that client passes through the redirecting server, the reply never gets un-translated and the client drops it. Written like this the rule also rewrites the source of everything the server forwards, not just port 110, and it hides the real client IPs from the logs on 10.10.0.2; scoping it with -d 10.10.0.2 -p tcp --dport 110 limits it to the redirected flow. Finally, if the FORWARD chain's policy is DROP, the forwarded packets need ACCEPT rules there too: DNAT alone does not let them through.
Some questions and answers
In the example I used the same port in both cases (110); however, you can redirect traffic from one port to another without problems. For example, let's say I want to redirect traffic from port 80 to port 443 on another server. Keep in mind that DNAT only rewrites addresses and ports, not the protocol: whatever the client sends on port 80 is what the listener on 443 receives, so plain HTTP into a TLS port will simply fail the handshake. With that said, the rule would be:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.10.0.2:443
This is iptables, so you can use all the other parameters we already know. For example, if we only want to redirect traffic from a specific IP, just add -s … For example, I'll redirect only traffic coming from 10.10.0.51:
iptables -t nat -A PREROUTING -p tcp -s 10.10.0.51 --dport 80 -j DNAT --to-destination 10.10.0.2:443
Or a whole network (/24):
iptables -t nat -A PREROUTING -p tcp -s 10.10.0.0/24 --dport 80 -j DNAT --to-destination 10.10.0.2:443
We can also specify the network interface with -i:
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to-destination 10.10.0.2:443
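As an added example (not part of the original post), here is the complete rule set for the port 110 case above, plus the 80-to-443 variant, generated by a small shell function so the rules can be reviewed before being applied as root. It scopes MASQUERADE to the redirected flow instead of rewriting everything the server forwards, and adds the FORWARD-chain ACCEPTs that a default-DROP policy needs. The interface name (eth0) and the optional source range are assumptions; 10.10.0.2 is the post's own example address.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the full iptables
# rule set for redirecting one TCP port on this server to another host.
# Assumed values: interface eth0, source range (default: anywhere).

# redirect_rules IN_IFACE LISTEN_PORT DEST_IP DEST_PORT [SOURCE_CIDR]
# Prints the commands on stdout rather than executing them, so they can be
# reviewed first and then applied with:  redirect_rules ... | sudo sh
redirect_rules() {
    iface=$1; lport=$2; dip=$3; dport=$4; src=${5:-0.0.0.0/0}
    cat <<EOF
# 1. forwarding must be on (runtime only; persist it under /etc/sysctl.d/)
sysctl -w net.ipv4.ip_forward=1
# 2. rewrite the destination of connections arriving on $iface port $lport
iptables -t nat -A PREROUTING -i $iface -p tcp -s $src --dport $lport -j DNAT --to-destination $dip:$dport
# 3. let the rewritten packets through FORWARD (needed if its policy is DROP)
iptables -A FORWARD -i $iface -p tcp -s $src -d $dip --dport $dport -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $dip --sport $dport -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 4. masquerade only the redirected flow, so the replies come back through us
#    (a bare "-j MASQUERADE" would rewrite the source of everything forwarded)
iptables -t nat -A POSTROUTING -p tcp -d $dip --dport $dport -j MASQUERADE
EOF
}

# count_rules TEXT: number of iptables commands in a generated rule set
count_rules() {
    printf '%s\n' "$1" | grep -c '^iptables '
}

# POP3 moved to 10.10.0.2, same port, as in the post
redirect_rules eth0 110 10.10.0.2 110
echo
# Port 80 from the 10.10.0.0/24 range only, into port 443 on 10.10.0.2
redirect_rules eth0 80 10.10.0.2 443 10.10.0.0/24
```

Once the rules do what you want, persist them with iptables-save (into /etc/sysconfig/iptables on CentOS, or /etc/iptables/rules.v4 with iptables-persistent on Debian/Ubuntu), otherwise they are gone on the next reboot. Note that with MASQUERADE in place the destination server's logs only ever show the redirecting server's address, so keep the client addresses logged on the redirecting host if you need them later.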
That's it!
As I said before, this is iptables; you can set the parameters you know so that the server does exactly what you want it to do.
Thank you!
We could also do this from a firewall that allows port forwarding, right? (using the corresponding rules).
Yes, of course; in the end a firewall like Pfsense or others uses iptables behind the scenes.
Actually, pfsense doesn't use iptables but pf; remember it's BSD underneath.
Oh, my bad!
Thanks a lot for the tip 🙂
I have a couple of doubts.
1 - Is the change permanent? Or is it lost if you restart the server?
2 - I have several instances (say A, B, and C) on the same subnet. On instance A I apply the rule to redirect traffic to an external IP, and testing with curls from instances B and C everything works great. The problem is that from instance A it doesn't work. I tried applying it to both the IP and the loopback interface, and it didn't work:
$ iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination xxxx:8080
$ iptables -t nat -A PREROUTING -p tcp -i lo --dport 8080 -j DNAT --to-destination xxxx:8080
$ curl ip-yyyy:8080/hello_world
curl: (7) Failed to connect to ip-yyyy port 8080: Connection refused
$ curl localhost:8080/hello_world
curl: (7) Failed to connect to localhost port 8080: Connection refused
Any idea what the problem might be?
Yes, the change is lost on reboot; you'll have to use iptables-save & iptables-restore or something like that to avoid it.
I didn't quite understand what you want to do, for example with A?
I have a server that only accepts connections from a specific IP (server A's); I can't or don't want to add more IPs to the whitelist (for security reasons), so I want all the traffic to the external server to go through that server (A).
For the application's purposes, I have global settings that define which IP to use for each service, so in this case it's something like "anyone who wants to use the external service must use IP A".
I managed to do this using the method in this article, but I run into the problem that when I apply it, server A can't reach the service using its own IP (but the other servers can).
So far the best I've found is to add a mapping in server A's /etc/hosts file, pointing to the external IP, overriding the global setting.
Great, so if I have another mail server I could redirect traffic on port 143 from server1 to server2 and the emails would reach me on server2, right?
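The symptom in this exchange (the rule works from B and C but not from A itself) is standard netfilter behaviour rather than a typo: packets that a host generates itself never pass through PREROUTING, only through the nat OUTPUT chain, and -i lo cannot catch them either. As an added example, not part of the thread, here is the pair of rules that covers both cases, generated by a small function so they can be reviewed before being run as root on A. The addresses (A = 10.10.0.10, external service 203.0.113.5, port 8080) are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Same redirect for two kinds of traffic:
#  - connections that ARRIVE at host A from other hosts (nat PREROUTING), and
#  - connections that host A itself makes to its own address (nat OUTPUT),
#    which PREROUTING never sees.
# All addresses are assumed placeholders.

# gateway_redirect_rules A_IP PORT EXT_IP
# Prints the commands; review them, then run them as root on host A.
gateway_redirect_rules() {
    a_ip=$1; port=$2; ext_ip=$3
    cat <<EOF
# traffic from other hosts (B, C) that reaches A on port $port
iptables -t nat -A PREROUTING -p tcp -d $a_ip --dport $port -j DNAT --to-destination $ext_ip:$port
# traffic A generates towards its own address: locally generated packets skip
# PREROUTING, so the rewrite has to happen in the nat OUTPUT chain instead
iptables -t nat -A OUTPUT -p tcp -d $a_ip --dport $port -j DNAT --to-destination $ext_ip:$port
# everything leaving for the service must carry A's address (the one on the
# external whitelist); this also brings the replies back through A
iptables -t nat -A POSTROUTING -p tcp -d $ext_ip --dport $port -j SNAT --to-source $a_ip
EOF
}

# chains_used TEXT: the nat chains a generated rule set touches, in order
chains_used() {
    printf '%s\n' "$1" | sed -n 's/^iptables -t nat -A \([A-Z]*\) .*/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

gateway_redirect_rules 10.10.0.10 8080 203.0.113.5
```

Connections to 127.0.0.1 are deliberately not matched (the rules key on A's real address), and as in the article, a FORWARD policy of DROP still needs ACCEPT rules for the B and C traffic. SNAT with a fixed --to-source is used instead of MASQUERADE because the whitelisted address must never change.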
In theory yes, it works like that. Of course, you must have the mail server properly configured on server2 🙂
The kind of posts we like to read, thanks!
Nice article. I have a project I'm working on and wanted to ask you a question: there are industrial switches with a NAT function (I think they use iptables underneath) that translate IP addresses without making any changes on the devices. For example, I have server 10.10.2.1 that communicates with 10.10.2.X computers, and through a switch configured so that a computer with address 192.168.2.4 is seen from the server as 10.10.2.5; it changed that IP address so that it is seen from the other computers with that address. I want to do this from a server with Ubuntu or another distribution; what would the iptables rules be?
Very good info, thanks ^_^
Good evening.
I have a problem trying to do a redirect. Let me explain:
I have a proxy server on Ubuntu with 2 network cards:
eth0 = 192.168.1.1 connected to the whole local network.
eth1 = 192.168.2.2 connected to the router.
I want everything that comes in through eth0 to go out through eth1, and also through the proxy (I use squid, whose default port is 3128), and I can't find the key to the IPTABLES configuration.
I don't want any kind of restriction, just that a record remains in the log of the web addresses visited.
I hope you can help me, since this tough task has been bothering me for a few days.
Thank you.
Friend, I'm very new to servers, I have no idea, but I understand the tutorial and I learn fast. My question is the following: I have two servers, serv_2 and serv_1, which I connected to the same intranet; on these servers I have my own. I want to do the following:
that one range of IPs, for example rangeip_1, when entering the access IP for owncloud (ipowncloud), is directed to serv_1, and if it is another range, rangeip_2, that same ipowncloud is directed to serv_2; this so that the two servers are in two different cities with different IP ranges but all on the same network. That would be the first part; the second would obviously be synchronizing these two servers so they are mirrors, or tell me how to do this so they increase bandwidth. Please, if you could explain to me how to do it step by step, not super programmer mode =(
Hello, excuse me, I have a switch in charge of communication between all the devices that make up my network, and after it a firewall and finally the Internet exit. What happens is that I want the redirection to be done in the switch and not reach the firewall unless the requested service is the Internet.
Using this method, could you redirect HTTPS to HTTP?
Hello, maybe it's late, but I wanted to ask you: how can I make squid not change the client's IP when I want to connect to a web server on the same network?
Don't take it the wrong way for asking. Can this be done on Windows?
This information was useful to me. As always, you guys can be relied on; when I can't find something in English I usually end up looking in Spanish, and in those cases I always come to this site. Thanks.
I have a 4G router that is a client of a network I don't manage (obviously, I'm the client)… that router also reaches the remote network via OpenVPN. And also, said router does the forwarding job to reach port 80 of a server on one of those subnets in the field.
This is the statement I had to put in the router as a firewall rule: "-t nat -A POSTROUTING -j MASQUERADE"
Thanks for the help!