Phinda uthumele ukugcwala kwabantu kwi-IP enye kunye nezibuko uye kwelinye i-IP kunye nezibuko

Into eqheleke kakhulu xa ulawula iiseva iqondisa ukugcwala kwabantu.

Masithi sineseva esineenkonzo ezithile ezisebenzayo, kodwa nangasiphi na isizathu sitshintsha enye yezo nkonzo (Andazi, umzekelo pop3 olizibuko le-110) kwenye iseva. Into eqhelekileyo kunye neyona nto ixhaphakileyo kukutshintsha nje i-IP kwirekhodi ye-DNS, nangona kunjalo ukuba umntu othile usebenzisa i-IP endaweni ye-subdomain iya kuchaphazeleka.

Kwenziwe ntoni? ... ngokulula, yisa kwakhona ukugcwala kwendlela efunyanwa nguloo port ukuya kwenye iseva enezibuko elifanayo.

Iseva-node-lan-ethernet

Siqala njani ukuhambisa kwakhona ukugcwala kwabantu?

Into yokuqala kukuba kufuneka sikwazi ukwenza ukugqithisa kwiseva, koku siza kubeka oku kulandelayo:

echo "1" > /proc/sys/net/ipv4/ip_forward

Yonke imiyalelo eboniswe kolu qeqesho kufuneka yenziwe ngamalungelo olawulo, ndincoma ukuba yenziwe ngokuthe ngqo kunye nengcambu yomsebenzisi.

Ungawusebenzisa lo myalelo, ukuba owangaphambili awusebenzi kuwe (kwenzeke kum ngolu hlobo kwi-CentOS):
sysctl net.ipv4.ip_forward=1
Emva koko siya kuqalisa kwakhona inethiwekhi:

service networking restart

Kwi-RPM distros njenge-CentOS kunye nezinye, iya kuba:

service nertwork restart

Ngoku siza kuqhubela phambili kwinto ebalulekileyo, xelela umncedisi iptables Uqondisa ntoni kwakhona:

iptables -t nat -A PREROUTING -p tcp --dport <puerto receptor> -j DNAT --to-destination <ip final>:<puerto de ip final>

Ngamanye amagama, kwaye silandela umzekelo endiwukhankanyileyo, masithi sifuna ukuhambisa zonke izithuthi ezifunyanwa yiseva yethu ngezibuko le-110 ukuya kwenye iseva (umz: 10.10.0.2), Esaya kufumana eso sigxina nge-110 (yinkonzo enye):

iptables -t nat -A PREROUTING -p tcp --dport 110 -j DNAT --to-destination 10.10.0.2:110

Iseva ye-10.10.0.2 iya kubona ukuba zonke iipakethi okanye izicelo zivela kwi-IP yomthengi, kwimeko apho bafuna ukuqubha izicelo, oko kukuthi, ukuba umncedisi wesibini abone ukuba izicelo zifika nge-IP yeserver yokuqala (nakwi esikusebenzisa ukuphinda ungene kwakhona), iya kuba kukubeka lo mgca wesibini:

iptables -t nat -A POSTROUTING -j MASQUERADE

Eminye imibuzo kunye neempendulo

Kumzekelo ndisebenzise izibuko elifanayo amaxesha omabini (110), nangona kunjalo banakho ukuhambisa ukugcwala kwabantu ukusuka kwelinye izibuko ukuya kwelinye ngaphandle kweengxaki. Umzekelo, masithi ndifuna ukuhambisa kwakhona ukugcwala kwabantu kwizibuko 80 ukuya ku-443 kwenye iseva, kuba oku kunokuba koku:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.10.0.2:443

Oku iptables, Banokusebenzisa zonke ezinye iiparameter esizaziyo, umzekelo, ukuba sifuna ukuhambisa kuphela itrafikhi kwi-IP ethile, iya kuba ngokongeza -s … Umzekelo ndiza kuthumela kuphela ukugcwala kwabantu okuvela ngo-10.10.0.51:

iptables -t nat -A PREROUTING -p tcp -s 10.10.0.51 --dport 80 -j DNAT --to-destination 10.10.0.2:443

Okanye inethiwekhi iyonke (/ 24):

iptables -t nat -A PREROUTING -p tcp -s 10.10.0.0/24 --dport 80 -j DNAT --to-destination 10.10.0.2:443

Singacacisa ujongano lwenethiwekhi nge -i :

iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to-destination 10.10.0.2:443

Isiphelo!

Oku besesitshilo, zii-iptables, ungafaka isicelo esele saziwa ukuze iserver yenze kanye le nto ufuna ukuyenza

Nibuliso!

SinikezeleServer_SubImage


Izimvo ezi-20, shiya ezakho

Shiya uluvo lwakho

Idilesi yakho ye email aziyi kupapashwa. ezidingekayo ziphawulwe *

*

*

  1. Uxanduva lwedatha: UMiguel Ángel Gatón
  2. Injongo yedatha: Ulawulo lwe-SPAM, ulawulo lwezimvo.
  3. Umthetho: Imvume yakho
  4. Unxibelelwano lwedatha: Idatha ayizukuhanjiswa kubantu besithathu ngaphandle koxanduva lomthetho.
  5. Ukugcinwa kweenkcukacha
  6. Amalungelo: Ngalo naliphi na ixesha unganciphisa, uphinde uphinde ucime ulwazi lwakho.

  1.   Fer sitsho

    Singakwenza oku kwi-firewall evumela ukuhanjiswa kwezibuko, akunjalo? (ukusebenzisa imigaqo ehambelana nayo).

    1.    I-KZKG ^ iGaara sitsho

      Ewe kunjalo, ekugqibeleni i-firewall enjengePfsense okanye abanye, sebenzisa iptables ngasemva.

      1.    dhunter sitsho

        Ukuchaneka, i-pfsense ayizisebenzisi ii-iptables kodwa pf, khumbula ukuba yi-bsd ngaphakathi.

        1.    I-KZKG ^ iGaara sitsho

          Kulungile, kubi kwam!

  2.   UNicolas sitsho

    Enkosi kakhulu ngencam 🙂

    Ndineentandabuzo ezimbalwa:
    1 - Ngaba utshintsho luyisigxina? okanye ilahlekile xa uqala kabusha iseva?
    2-Ndinezihlandlo ezininzi (yithi A, B, kunye no-C) kwi-subnet efanayo. Umzekelo A ndisebenzisa umthetho wokuhambisa i-traffic kwi-IP yangaphandle, kunye nokuvavanywa ngee-curls ezivela kwiimeko B no-C, yonke into isebenza ngokumangalisayo. Ingxaki kukuba kwimeko A ayisebenzi. Ndizamile ukusebenzisa zombini i-ip kunye ne-loopback interface, kwaye ayisebenzi:
    $ iptables -t nat -A UKUFUNDA -p tcp -ukunika ingxelo 8080 -j DNAT -ukuya-xxxx: 8080
    $ iptables -t nat -A UKUFUNDA -p tcp -i lo-ingxelo 8080 -j DNAT -ukuya-xxxx: 8080

    $ curl ip-yyyy: 8080 / hello_world
    i-curl: (7) Ayiphumelelanga ukuqhagamshela kwi-ip-yyyy port 8080: Unxibelelwano lwaliwe
    $ curl yendawo yokuhlala: 8080 / hello_world
    i-curl: (7) Ayiphumelelanga ukuqhagamshela kwiziko lendawo yokubala i-8080: Unxibelelwano laliwe

    Naluphi na uluvo lokuba ingaba yintoni ingxaki?

    1.    I-KZKG ^ iGaara sitsho

      Ewe, utshintsho luyalahleka ekuqaliseni kwakhona, kuya kufuneka usebenzise iptables-gcina kunye neeptables-ukubuyisela okanye into enjalo ukuyikhusela.
      Khange ndiyiqonde kakuhle into ofuna ukuyenza, umzekelo A?

      1.    UNicolas sitsho

        Ndineseva exhasa kuphela unxibelelwano oluvela kwi-ip ethile (i-server A's), andikwazi okanye ndifuna ukongeza ii-ips kwincwadi emhlophe (yemicimbi yokuma), ke ndifuna zonke izithuthi ziseva zangaphandle zidlule utshilo umncedisi (A).
        Ngombandela wokusebenziseka, ndinolungelelwaniso lwehlabathi oluchaza ukuba yeyiphi i-IP eza kusetyenziswa kwinkonzo nganye, ke kule meko yinto efana "nomntu wonke ofuna ukusebenzisa inkonzo yangaphandle kufuneka asebenzise i-IP A"
        Ndikuphumelele ngempumelelo le ndlela isebenzisa eli nqaku, kodwa ndingena engxakini xa ndiyisebenzisa, iseva A ayinakho ukufikelela kwinkonzo isebenzisa eyayo ip (kodwa zonke ezinye iiseva ziyayenza).
        Ukuza kuthi ga ngoku eyona nto ndiyifumeneyo kukongeza imephu kwiseva ye-A / njl / yemikhosi yefayile, yalatha kwi-ip yangaphandle, ibeka ngaphezulu useto lwehlabathi.

  3.   ibraybaut sitsho

    Kulungile, ukuba ndinenye iseva yeposi, ndingadlulisela ukugcwala kwabantu kwizibuko le-143 ukusuka kwiseva1 ukuya kwiseva2 kwaye ii-imeyile ziya kufikelela kwiseva2, akunjalo?

    Phendula nge quote

    1.    I-KZKG ^ iGaara sitsho

      Kwithiyori ewe, isebenza ngoluhlobo. Ngokuqinisekileyo, kufuneka ube neseva yeposi efakwe ngokufanelekileyo kwi-server2 🙂

  4.   msx sitsho

    Uhlobo lwezithuba esithanda ukuzifunda, enkosi!

  5.   UAbraham ibarra sitsho

    Inqaku elihle, ndineprojekthi endisebenza kuyo kwaye bendifuna ukukubuza umbuzo, kukho iitshintshi zeshishini ezinomsebenzi we-NAT (ndicinga ukuba zisebenzisa i-IPTables engezantsi), ukuguqula idilesi ye-IP ngaphandle kokwenza utshintsho kwizixhobo, umzekelo, ndineSeva 10.10.2.1 enxibelelana ne-10.10.2.X yeekhompyuter kwaye ngotshintsho icwangcisiwe ukuze ikhompyuter enedilesi 192.168.2.4 ibonakale kumncedisi njenge-10.10.2.5, iguqulele ukuba idilesi ye-IP ibonwe Ukusuka kwezinye iikhompyuter ezinedilesi, ndifuna ukuyenza ukusuka kwiseva enoBuntu okanye kolunye usasazo, ingaba yeyiphi imigaqo ye-iptables?

  6.   kuk sitsho

    Ulwazi oluhle kakhulu enkosi ^ _ ^

  7.   Yesu sitsho

    Mva
    Ndinengxaki yokuzama ukuqondisa kwakhona. Ndiyacacisa:
    Ndineseva yommeleli ku-Ubuntu, enamakhadi enethiwekhi ama-2:
    eth0 = 192.168.1.1 idityaniswe kuyo yonke inethiwekhi yendawo.
    eth1 = 192.168.2.2 iqhagamshelwe kwi-router.
    Ndidinga yonke into eza nge-eth0 ukuya kwi-eth1, kunye nommeli (ndisebenzisa i-squid, enezibuko elingagqibekanga elingu-3128), kwaye andifumani sitshixo kulungelelwaniso lwe-IPTABLES.
    Andifuni kuthintelwa kwalo naluphi na uhlobo, kuphela ukuba irekhodi lihlala kwilog yeedilesi zewebhu ezityelelweyo.

    Ndiyathemba ukuba ungandinceda njengoko ingumsebenzi onzima okhe wandikhathaza kangangeentsuku ezimbalwa.

    Enkosi kuwe.

  8.   UGabriel sitsho

    Sihlobo, ndimtsha kakhulu kwezinye iiseva, andinalwazi kodwa ndiyasiqonda isifundo kwaye ndifunda ngokukhawuleza, umbuzo wam ngulo ulandelayo ndinamaseva ama-2 serv_1 kunye ne-serv_2 endiqhagamshelene kwi-intranet efanayo, kwezi seva ndinayo eyam isindululo, Ndingathanda ukwenza oku kulandelayo:

    Uluhlu oluthile lwe-ips umzekelo rangeip_1 xa ufaka i-ip kwi-eyakho (ipowncloud) ijolise kwi-serv_1 kwaye ukuba yenye ye-rangeip_2 ibekwe efanayo i-ipowncloud ijolise kwi-serv_2, ukuze ii-server ezi-2 zibekwe kwizixeko ezibini ezahlukeneyo kwaye uluhlu lwe-IP lwahlukile kodwa zonke zikwinethiwekhi enye, inokuba yinxalenye yokuqala, eyesibini iya kucaca kukuvumelanisa ezi seva zimbini ukuze zibe zizipili okanye zindicebise oku ukuze wandise ububanzi band, nceda, ukuba uza kundichazela ukuba ungayenza njani inyathelo ngenyathelo ukuba ungangqineli imo yenkqubo = (

  9.   UAntonio Carrizosa sitsho

    Molo, nindixolele, ndinokutshintsha kokunxibelelana nazo zonke izixhobo ezenza uthungelwano lwam, kwaye emva koku i-firewall kwaye ekugqibeleni i-Intanethi iphume, kwenzeka ntoni kukuba ndingathanda ukuba i-redirection inikwe kwi tshintsha kwaye akunyanzelekanga ukuba ufike kwi-firewall ngaphandle kokuba inkonzo eceliweyo yi-intanethi.

  10.   juan sitsho

    Usebenzisa le ndlela ungayihambisa kwakhona i-HTTPS kwi-HTTP?

  11.   mati sitsho

    Molo, mhlawumbi sele kuhlwile, kodwa bendifuna ukukubuza, ndingayenza njani iScid ukuba ingaguquki i-IP yomthengi xa ndifuna ukunxibelelana neseva yewebhu kwinethiwekhi efanayo?

  12.   I-Lafat32 sitsho

    Sukundiphatha kakubi ngokubuza. Ngaba oku kunokwenziwa kwiWindows?

  13.   Martin sitsho

    Olu lwazi lube luncedo kum. Njengesiqhelo, nina bantu ninokuthenjwa, xa ndingafumani nto ngesiNgesi ndihlala ndiphela ndijonga ngeSpanish, ngezo zihlandlo ndiphantse ndize kule ndawo. Enkosi.

  14.   nguSebha sitsho

    Ndine-router ye-4G engumxhasi wenethiwekhi endingayiphathiyo (ngokucacileyo, ndingumxhasi) ... le ndlela yokungena kwinethiwekhi ekude nge-OpenVPN. Ukongeza, uthe i-router izalisekisa umsebenzi wokuthunyelwa kwe-portforward ukufikelela kwi-port 80 yomncedisi wenye yezo subnets kwintsimi.

    Esi yayisisibhengezo ekufuneka ndisibeke kwi-router njengomgaqo wesiko lomlilo "-t nat -A POSTROUTING -j MASQUERADE"

    Enkosi ngoncedo!