Into eqheleke kakhulu xa ulawula iiseva iqondisa ukugcwala kwabantu.
Masithi sineseva esineenkonzo ezithile ezisebenzayo, kodwa nangasiphi na isizathu sitshintsha enye yezo nkonzo (Andazi, umzekelo pop3 olizibuko le-110) kwenye iseva. Into eqhelekileyo kunye neyona nto ixhaphakileyo kukutshintsha nje i-IP kwirekhodi ye-DNS, nangona kunjalo ukuba umntu othile usebenzisa i-IP endaweni ye-subdomain iya kuchaphazeleka.
Kwenziwe ntoni? ... ngokulula, yisa kwakhona ukugcwala kwendlela efunyanwa nguloo port ukuya kwenye iseva enezibuko elifanayo.
Siqala njani ukuhambisa kwakhona ukugcwala kwabantu?
Into yokuqala kukuba kufuneka sikwazi ukwenza ukugqithisa kwiseva, koku siza kubeka oku kulandelayo:
echo "1" > /proc/sys/net/ipv4/ip_forward
Ungawusebenzisa lo myalelo, ukuba owangaphambili awusebenzi kuwe (kwenzeke kum ngolu hlobo kwi-CentOS):
sysctl net.ipv4.ip_forward=1
Emva koko siya kuqalisa kwakhona inethiwekhi:
service networking restart
Kwi-RPM distros njenge-CentOS kunye nezinye, iya kuba:
service nertwork restart
Ngoku siza kuqhubela phambili kwinto ebalulekileyo, xelela umncedisi iptables Uqondisa ntoni kwakhona:
iptables -t nat -A PREROUTING -p tcp --dport <puerto receptor> -j DNAT --to-destination <ip final>:<puerto de ip final>
Ngamanye amagama, kwaye silandela umzekelo endiwukhankanyileyo, masithi sifuna ukuhambisa zonke izithuthi ezifunyanwa yiseva yethu ngezibuko le-110 ukuya kwenye iseva (umz: 10.10.0.2), Esaya kufumana eso sigxina nge-110 (yinkonzo enye):
iptables -t nat -A PREROUTING -p tcp --dport 110 -j DNAT --to-destination 10.10.0.2:110
Iseva ye-10.10.0.2 iya kubona ukuba zonke iipakethi okanye izicelo zivela kwi-IP yomthengi, kwimeko apho bafuna ukuqubha izicelo, oko kukuthi, ukuba umncedisi wesibini abone ukuba izicelo zifika nge-IP yeserver yokuqala (nakwi esikusebenzisa ukuphinda ungene kwakhona), iya kuba kukubeka lo mgca wesibini:
iptables -t nat -A POSTROUTING -j MASQUERADE
Eminye imibuzo kunye neempendulo
Kumzekelo ndisebenzise izibuko elifanayo amaxesha omabini (110), nangona kunjalo banakho ukuhambisa ukugcwala kwabantu ukusuka kwelinye izibuko ukuya kwelinye ngaphandle kweengxaki. Umzekelo, masithi ndifuna ukuhambisa kwakhona ukugcwala kwabantu kwizibuko 80 ukuya ku-443 kwenye iseva, kuba oku kunokuba koku:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.10.0.2:443
Oku iptables, Banokusebenzisa zonke ezinye iiparameter esizaziyo, umzekelo, ukuba sifuna ukuhambisa kuphela itrafikhi kwi-IP ethile, iya kuba ngokongeza -s … Umzekelo ndiza kuthumela kuphela ukugcwala kwabantu okuvela ngo-10.10.0.51:
iptables -t nat -A PREROUTING -p tcp -s 10.10.0.51 --dport 80 -j DNAT --to-destination 10.10.0.2:443
Okanye inethiwekhi iyonke (/ 24):
iptables -t nat -A PREROUTING -p tcp -s 10.10.0.0/24 --dport 80 -j DNAT --to-destination 10.10.0.2:443
Singacacisa ujongano lwenethiwekhi nge -i :
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to-destination 10.10.0.2:443
Isiphelo!
Oku besesitshilo, zii-iptables, ungafaka isicelo esele saziwa ukuze iserver yenze kanye le nto ufuna ukuyenza
Nibuliso!
Singakwenza oku kwi-firewall evumela ukuhanjiswa kwezibuko, akunjalo? (ukusebenzisa imigaqo ehambelana nayo).
Ewe kunjalo, ekugqibeleni i-firewall enjengePfsense okanye abanye, sebenzisa iptables ngasemva.
Ukuchaneka, i-pfsense ayizisebenzisi ii-iptables kodwa pf, khumbula ukuba yi-bsd ngaphakathi.
Kulungile, kubi kwam!
Enkosi kakhulu ngencam 🙂
Ndineentandabuzo ezimbalwa:
1 - Ngaba utshintsho luyisigxina? okanye ilahlekile xa uqala kabusha iseva?
2-Ndinezihlandlo ezininzi (yithi A, B, kunye no-C) kwi-subnet efanayo. Umzekelo A ndisebenzisa umthetho wokuhambisa i-traffic kwi-IP yangaphandle, kunye nokuvavanywa ngee-curls ezivela kwiimeko B no-C, yonke into isebenza ngokumangalisayo. Ingxaki kukuba kwimeko A ayisebenzi. Ndizamile ukusebenzisa zombini i-ip kunye ne-loopback interface, kwaye ayisebenzi:
$ iptables -t nat -A UKUFUNDA -p tcp -ukunika ingxelo 8080 -j DNAT -ukuya-xxxx: 8080
$ iptables -t nat -A UKUFUNDA -p tcp -i lo-ingxelo 8080 -j DNAT -ukuya-xxxx: 8080
$ curl ip-yyyy: 8080 / hello_world
i-curl: (7) Ayiphumelelanga ukuqhagamshela kwi-ip-yyyy port 8080: Unxibelelwano lwaliwe
$ curl yendawo yokuhlala: 8080 / hello_world
i-curl: (7) Ayiphumelelanga ukuqhagamshela kwiziko lendawo yokubala i-8080: Unxibelelwano laliwe
Naluphi na uluvo lokuba ingaba yintoni ingxaki?
Ewe, utshintsho luyalahleka ekuqaliseni kwakhona, kuya kufuneka usebenzise iptables-gcina kunye neeptables-ukubuyisela okanye into enjalo ukuyikhusela.
Khange ndiyiqonde kakuhle into ofuna ukuyenza, umzekelo A?
Ndineseva exhasa kuphela unxibelelwano oluvela kwi-ip ethile (i-server A's), andikwazi okanye ndifuna ukongeza ii-ips kwincwadi emhlophe (yemicimbi yokuma), ke ndifuna zonke izithuthi ziseva zangaphandle zidlule utshilo umncedisi (A).
Ngombandela wokusebenziseka, ndinolungelelwaniso lwehlabathi oluchaza ukuba yeyiphi i-IP eza kusetyenziswa kwinkonzo nganye, ke kule meko yinto efana "nomntu wonke ofuna ukusebenzisa inkonzo yangaphandle kufuneka asebenzise i-IP A"
Ndikuphumelele ngempumelelo le ndlela isebenzisa eli nqaku, kodwa ndingena engxakini xa ndiyisebenzisa, iseva A ayinakho ukufikelela kwinkonzo isebenzisa eyayo ip (kodwa zonke ezinye iiseva ziyayenza).
Ukuza kuthi ga ngoku eyona nto ndiyifumeneyo kukongeza imephu kwiseva ye-A / njl / yemikhosi yefayile, yalatha kwi-ip yangaphandle, ibeka ngaphezulu useto lwehlabathi.
Kulungile, ukuba ndinenye iseva yeposi, ndingadlulisela ukugcwala kwabantu kwizibuko le-143 ukusuka kwiseva1 ukuya kwiseva2 kwaye ii-imeyile ziya kufikelela kwiseva2, akunjalo?
Phendula nge quote
Kwithiyori ewe, isebenza ngoluhlobo. Ngokuqinisekileyo, kufuneka ube neseva yeposi efakwe ngokufanelekileyo kwi-server2 🙂
Uhlobo lwezithuba esithanda ukuzifunda, enkosi!
Inqaku elihle, ndineprojekthi endisebenza kuyo kwaye bendifuna ukukubuza umbuzo, kukho iitshintshi zeshishini ezinomsebenzi we-NAT (ndicinga ukuba zisebenzisa i-IPTables engezantsi), ukuguqula idilesi ye-IP ngaphandle kokwenza utshintsho kwizixhobo, umzekelo, ndineSeva 10.10.2.1 enxibelelana ne-10.10.2.X yeekhompyuter kwaye ngotshintsho icwangcisiwe ukuze ikhompyuter enedilesi 192.168.2.4 ibonakale kumncedisi njenge-10.10.2.5, iguqulele ukuba idilesi ye-IP ibonwe Ukusuka kwezinye iikhompyuter ezinedilesi, ndifuna ukuyenza ukusuka kwiseva enoBuntu okanye kolunye usasazo, ingaba yeyiphi imigaqo ye-iptables?
Ulwazi oluhle kakhulu enkosi ^ _ ^
Mva
Ndinengxaki yokuzama ukuqondisa kwakhona. Ndiyacacisa:
Ndineseva yommeleli ku-Ubuntu, enamakhadi enethiwekhi ama-2:
eth0 = 192.168.1.1 idityaniswe kuyo yonke inethiwekhi yendawo.
eth1 = 192.168.2.2 iqhagamshelwe kwi-router.
Ndidinga yonke into eza nge-eth0 ukuya kwi-eth1, kunye nommeli (ndisebenzisa i-squid, enezibuko elingagqibekanga elingu-3128), kwaye andifumani sitshixo kulungelelwaniso lwe-IPTABLES.
Andifuni kuthintelwa kwalo naluphi na uhlobo, kuphela ukuba irekhodi lihlala kwilog yeedilesi zewebhu ezityelelweyo.
Ndiyathemba ukuba ungandinceda njengoko ingumsebenzi onzima okhe wandikhathaza kangangeentsuku ezimbalwa.
Enkosi kuwe.
Sihlobo, ndimtsha kakhulu kwezinye iiseva, andinalwazi kodwa ndiyasiqonda isifundo kwaye ndifunda ngokukhawuleza, umbuzo wam ngulo ulandelayo ndinamaseva ama-2 serv_1 kunye ne-serv_2 endiqhagamshelene kwi-intranet efanayo, kwezi seva ndinayo eyam isindululo, Ndingathanda ukwenza oku kulandelayo:
Uluhlu oluthile lwe-ips umzekelo rangeip_1 xa ufaka i-ip kwi-eyakho (ipowncloud) ijolise kwi-serv_1 kwaye ukuba yenye ye-rangeip_2 ibekwe efanayo i-ipowncloud ijolise kwi-serv_2, ukuze ii-server ezi-2 zibekwe kwizixeko ezibini ezahlukeneyo kwaye uluhlu lwe-IP lwahlukile kodwa zonke zikwinethiwekhi enye, inokuba yinxalenye yokuqala, eyesibini iya kucaca kukuvumelanisa ezi seva zimbini ukuze zibe zizipili okanye zindicebise oku ukuze wandise ububanzi band, nceda, ukuba uza kundichazela ukuba ungayenza njani inyathelo ngenyathelo ukuba ungangqineli imo yenkqubo = (
Molo, nindixolele, ndinokutshintsha kokunxibelelana nazo zonke izixhobo ezenza uthungelwano lwam, kwaye emva koku i-firewall kwaye ekugqibeleni i-Intanethi iphume, kwenzeka ntoni kukuba ndingathanda ukuba i-redirection inikwe kwi tshintsha kwaye akunyanzelekanga ukuba ufike kwi-firewall ngaphandle kokuba inkonzo eceliweyo yi-intanethi.
Usebenzisa le ndlela ungayihambisa kwakhona i-HTTPS kwi-HTTP?
Molo, mhlawumbi sele kuhlwile, kodwa bendifuna ukukubuza, ndingayenza njani iScid ukuba ingaguquki i-IP yomthengi xa ndifuna ukunxibelelana neseva yewebhu kwinethiwekhi efanayo?
Sukundiphatha kakubi ngokubuza. Ngaba oku kunokwenziwa kwiWindows?
Olu lwazi lube luncedo kum. Njengesiqhelo, nina bantu ninokuthenjwa, xa ndingafumani nto ngesiNgesi ndihlala ndiphela ndijonga ngeSpanish, ngezo zihlandlo ndiphantse ndize kule ndawo. Enkosi.
Ndine-router ye-4G engumxhasi wenethiwekhi endingayiphathiyo (ngokucacileyo, ndingumxhasi) ... le ndlela yokungena kwinethiwekhi ekude nge-OpenVPN. Ukongeza, uthe i-router izalisekisa umsebenzi wokuthunyelwa kwe-portforward ukufikelela kwi-port 80 yomncedisi wenye yezo subnets kwintsimi.
Esi yayisisibhengezo ekufuneka ndisibeke kwi-router njengomgaqo wesiko lomlilo "-t nat -A POSTROUTING -j MASQUERADE"
Enkosi ngoncedo!