Qondisa kabusha ithrafikhi isuka ku-IP eyodwa ne-port iye kwenye i-IP nembobo

Okuthile okuvame kakhulu lapho kulawulwa amaseva kuqondisa kabusha ithrafikhi.

Ake sithi sine-server enezinsizakalo ezithile ezisebenzayo, kepha nganoma yisiphi isizathu sishintsha eyodwa yalezo zinsizakalo (Angazi, ngokwesibonelo i-pop3 okuyi-port 110) kwenye iseva. Into ejwayelekile futhi ejwayelekile kakhulu kungaba ukumane ushintshe i-IP kwirekhodi le-DNS, kepha uma othile ebesebenzisa i-IP esikhundleni sesizinda kuzothinteka.

Okufanele ngikwenze? ... elula, qondisa kabusha ithrafikhi etholwa iseva ngalelo chweba iye kwenye iseva enetheku elifanayo.

iseva-node-lan-ethernet

Siqala kanjani ukuqondisa kabusha ithrafikhi?

Into yokuqala ukuthi kufanele ngabe sinike amandla i- ukudlulisela phambili kuseva, kulokhu sizobeka okulandelayo:

echo "1" > /proc/sys/net/ipv4/ip_forward

Yonke imiyalo ekhonjisiwe kulesi sifundo kufanele yenziwe ngamalungelo okuphatha, ngincoma ukuthi yenziwe ngqo nomsebenzisi wezimpande.

Ungasebenzisa futhi lo omunye umyalo, uma owedlule ungakusebenzeli (kwenzeke kimi kanjena ku-CentOS):
sysctl net.ipv4.ip_forward=1
Ngemuva kwalokho sizoqala kabusha inethiwekhi:

service networking restart

Kuma-RPM distros afana ne-CentOS namanye, kungaba:

service nertwork restart

Manje sizoqhubekela entweni ebalulekile, sitshele iseva ngokusebenzisa iptables ozoqondisa kabusha:

iptables -t nat -A PREROUTING -p tcp --dport <puerto receptor> -j DNAT --to-destination <ip final>:<puerto de ip final>

Ngamanye amagama, nokulandela isibonelo engisishilo, ake sithi sifuna ukuqondisa kabusha wonke umgwaqo otholwa yiseva yethu ngetheku 110 uye kwenye iseva (isib: 10.10.0.2), Esazothola leyo traffic nge-110 (kuyinsizakalo efanayo):

iptables -t nat -A PREROUTING -p tcp --dport 110 -j DNAT --to-destination 10.10.0.2:110

Iseva engu-10.10.0.2 izobona ukuthi wonke amaphakethe noma izicelo zivela ku-IP yeklayenti, uma kwenzeka zifuna ukubhukuda izicelo, okungukuthi, ukuthi iseva yesi-2 ibona ukuthi izicelo zifika ne-IP yeseva yokuqala (naku- esikusebenzisa ukuqondiswa kabusha), futhi kungaba ukubeka lo mugqa wesibili:

iptables -t nat -A POSTROUTING -j MASQUERADE

Eminye imibuzo nezimpendulo

Esibonelweni ngisebenzise itheku elifanayo kuzona zombili lezi zikhathi (110), kepha-ke bangakwazi ukuqondisa kabusha ithrafikhi ukusuka kwelinye itheku kuya kwelinye ngaphandle kwezinkinga. Isibonelo, ake sithi ngifuna ukuqondisa kabusha ithrafikhi isuke ethekwini 80 iye ku-443 kwenye iseva, ngoba lokhu kungaba:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.10.0.2:443

Yilokho iptables, bangasebenzisa yonke eminye imingcele esiyaziyo, ngokwesibonelo, uma sifuna kuphela ukuqondisa kabusha ithrafikhi kusuka ku-IP ethile, kungaba ngokungeza -s … Isibonelo ngizoqondisa kabusha kuphela ithrafikhi evela ku-10.10.0.51:

iptables -t nat -A PREROUTING -p tcp -s 10.10.0.51 --dport 80 -j DNAT --to-destination 10.10.0.2:443

Noma inethiwekhi yonke (/ 24):

iptables -t nat -A PREROUTING -p tcp -s 10.10.0.0/24 --dport 80 -j DNAT --to-destination 10.10.0.2:443

Futhi singacacisa isikhombimsebenzisi senethiwekhi nge -i :

iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to-destination 10.10.0.2:443

Isiphetho!

Lokhu njengoba sengishilo vele, ngama-iptables, ungafaka lokho osekuvele kwaziwa ukuze iseva yenze ngqo lokho ofuna ikwenze

Ukubingelela!

I-DedicatedServer_SubImage


Amazwana ayi-20, shiya okwakho

Shiya umbono wakho

Ikheli lakho le ngeke ishicilelwe. Ezidingekayo ibhalwe nge *

*

*

  1. Ubhekele imininingwane: Miguel Ángel Gatón
  2. Inhloso yedatha: Lawula Ugaxekile, ukuphathwa kwamazwana.
  3. Ukusemthethweni: Imvume yakho
  4. Ukuxhumana kwemininingwane: Imininingwane ngeke idluliselwe kubantu besithathu ngaphandle kwesibopho esisemthethweni.
  5. Isitoreji sedatha: Idatabase ebanjwe yi-Occentus Networks (EU)
  6. Amalungelo: Nganoma yisiphi isikhathi ungakhawulela, uthole futhi ususe imininingwane yakho.

  1.   U-Fer kusho

    Singakwenza futhi lokhu kusuka ku-firewall evumela ukudluliselwa kwetheku, akunjalo? (ukusebenzisa imithetho ehambisanayo).

    1.    KZKG ^ Gaara kusho

      Yebo kunjalo, ekugcineni i-firewall efana ne-Pfsense noma abanye, sebenzisa ama-iptables ngemuva.

      1.    isihlibhi kusho

        Ukucacisa i-pfsense ayisebenzisi i-iptables kepha i-pf, khumbula ukuthi iyi-bsd ngaphakathi.

        1.    KZKG ^ Gaara kusho

          Kulungile, kubi kwami!

  2.   Nicolas kusho

    Ngiyabonga kakhulu ngethiphu 🙂

    Nginokungabaza okumbalwa:
    1 - Ingabe ushintsho luhlala njalo? noma ilahlekile lapho uqala kabusha iseva?
    2 - Nginezimo eziningi (yisho u-A, B, no-C) ku-subnet efanayo. Isibonelo i-A ngisebenzisa umthetho ukuhambisa ithrafikhi ku-IP yangaphandle, nokuhlola ngama-curls kusuka ezimweni B no-C, konke kusebenza izimanga. Inkinga ukuthi ngokwesibonelo A ayisebenzi. Ngizamile ukusebenzisa i-ip yakho ne-interface ye-loopback, futhi ayisebenzi:
    $ iptables -t nat -A PROUTOUTING -p tcp –dport 8080 -j DNAT –to-destination xxxx: 8080
    $ iptables -t nat -A PROUTOUTING -p tcp -i lo –dport 8080 -j DNAT –to-ukuphela xxxx: 8080

    $ curl ip-yyyy: 8080 / hello_world
    i-curl: (7) Yehlulekile ukuxhuma ku-ip-yyyy port 8080: Uxhumano lunqatshiwe
    $ curl indawo yasekhaya: 8080 / hello_world
    i-curl: (7) Yehlulekile ukuxhuma ethekwini lasendaweni lendawo 8080: Ukuxhumeka kunqatshiwe

    Noma yimuphi umbono ukuthi inkinga ingaba yini?

    1.    KZKG ^ Gaara kusho

      Yebo, ushintsho lulahlekile ekuqaliseni kabusha, kuzofanele usebenzise ama-iptables-save & iptables-restore noma okunye okunjalo ukugwema lokho.
      Angiqondanga kahle ukuthi ufuna ukwenzani, isibonelo A?

      1.    Nicolas kusho

        Ngineseva esekela ukuxhumana kuphela kusuka ku-ip ethile (i-server A's), angikwazi noma ngifuna ukufaka ama-ips amaningi ku-whitelist (yezinkinga zokwehla), ngakho-ke ngifuna wonke umgwaqo oya kuseva yangaphandle adlule kuwo kusho iseva (A).
        Njengokusebenziseka, nginezilungiselelo zomhlaba ezichaza ukuthi iyiphi i-IP engizoyisebenzisela insizakalo ngayinye, ngakho-ke kulokhu kuyinto efana nokuthi "wonke umuntu ofuna ukusebenzisa insizakalo yangaphandle, kufanele asebenzise i-IP A"
        Lokhu kufezekiswe ngempumelelo kusetshenziswa indlela ekule ndatshana, kepha ngingena enkingeni yokuthi lapho ngiyisebenzisa, i-server A ayikwazi ukufinyelela kule nsizakalo isebenzisa i-ip yayo (kepha wonke amanye amaseva enza).
        Kuze kube manje okungcono engikutholile bekungeze ukufaka imephu kufayela le-A's / etc / hosts, kukhombe i-ip yangaphandle, kudlula ukusethwa komhlaba.

  3.   i-braybaut kusho

    Kuhle kakhulu, uma nginenye i-mail server engangidlulisela kuyo ithrafikhi isuka ethekwini 143 isuka kwiseva1 iye kwiseva2 nama-imeyili azongifinyelela kuseva2, akunjalo?

    Phendula ngokucaphuna

    1.    KZKG ^ Gaara kusho

      Ngomqondo yebo, kusebenza kanjena. Impela, kufanele ube neseva yeposi efakwe kahle kuseva2 🙂

  4.   msx kusho

    Uhlobo lokuthunyelwe esithanda ukukufunda, ngiyabonga!

  5.   u-abraham ibarra kusho

    I-athikili enhle kakhulu, nginephrojekthi engisebenza kuyo futhi bengifuna ukukubuza umbuzo, kukhona ukushintshwa kwezimboni ngomsebenzi we-NAT (ngicabanga ukuthi basebenzisa ama-IPTables ngezansi), ukuhumusha ikheli le-IP ngaphandle kokwenza ushintsho entweni yokusebenza, isibonelo, ngine-Server 10.10.2.1 exhumana namakhompyutha ayi-10.10.2.X futhi ngokusebenzisa iswishi ihlelwe ukuze ikhompyutha enekheli 192.168.2.4 ibonakale kusuka kuseva njengo-10.10.2.5, ihumushe lelo kheli le-IP ukuze libonwe Kusuka kwamanye amakhompyutha analelo kheli, ngifuna ukukwenza kusuka kuseva eno-Ubuntu noma okunye ukusatshalaliswa, kungaba yini imithetho ye-iptables?

  6.   kuk kusho

    Ulwazi oluhle kakhulu ngiyabonga ^ _ ^

  7.   yesa kusho

    Kuhle ntambama
    Nginenkinga yokuzama ukuqondisa kabusha. Ngiyachaza:
    Ngineseva elibambayo ku-Ubuntu, enamakhadi enethiwekhi ama-2:
    i-eth0 = 192.168.1.1 ixhunywe kuyo yonke inethiwekhi yendawo.
    i-eth1 = 192.168.2.2 ixhunywe ku-router.
    Ngidinga konke okuza nge-eth0 ukudlula ku-eth1, nangommeleli (ngisebenzisa i-Squid, itheku layo elizenzakalelayo lingu-3128), futhi angikwazi ukuthola ukhiye ekucushweni kwe-IPTABLES.
    Angidingi ukuvinjelwa kwanoma yiluphi uhlobo, kuphela ukuthi irekhodi lihlala kulogi yamakheli ewebhu avakashelwayo.

    Ngiyethemba ungangisiza njengoba kuwumsebenzi onzima obelokhu ungikhathaza izinsuku ezimbalwa.

    Ngiyabonga

  8.   Gabriel kusho

    Mngani, ngisemusha kakhulu kwamanye amaseva, angazi kodwa ngiyasiqonda isihloko futhi ngifunda ngokushesha, umbuzo wami olandelayo nginezinsiza ezi-2 serv_1 ne-serv_2 engizixhume kwi-intranet efanayo, kulawa maseva ngine -cloudclub yami Ngingathanda ukwenza okulandelayo:

    ukuthi uhla oluthile lwama-ips ngokwesibonelo u-rangeip_1 lapho ufaka i-ip yokungena ku-owncloud (ipowncloud) iqondiswe ku-serv_1 futhi uma kungenye i-rangeip_2 efakwe i-ipowncloud efanayo iqondiswe ku-serv_2, lokhu ukuze amaseva ama-2 atholakala emadolobheni amabili ahlukene nezikhala ze-ip zehlukile kepha zonke zikunethiwekhi efanayo, lokho kungaba yingxenye yokuqala, okwesibili kuzocaca ukuvumelanisa la maseva ama-2 ukuze abe yizibuko noma ukuthi angicebise lokhu ukuze ngenze ububanzi ububanzi band, ngicela, uma uzongichazela ukuthi ungayenza kanjani igxathu negxathu hhayi i-super programmer mode = (

  9.   U-Antonio Carrizosa kusho

    Sawubona, ngiyaxolisa, ngine-switch ephethe ukuxhumana kwawo wonke amadivayisi akha inethiwekhi yami, futhi ngemuva kwalokhu i-firewall futhi ekugcineni ukuphuma kwe-Intanethi, okwenzekayo ukuthi ngingathanda ukuthi ukuqondiswa kabusha kunikezwe switch futhi akudingeki ukuthi ifinyelele ku-firewall ngaphandle kokuthi insizakalo eceliwe i-inthanethi.

  10.   I-juan kusho

    Usebenzisa le ndlela ungaqondisa kabusha i-HTTPS ku-HTTP?

  11.   mati kusho

    Sawubona, mhlawumbe sekwephuze kancane, kepha bengifuna ukukubuza, kufanele ngenze kanjani ukuthi i-squid ingaguquli i-IP yeklayenti lapho ngifuna ukuxhuma kuseva yewebhu kunethiwekhi efanayo?

  12.   I-Lafat32 kusho

    Ungangiphathi kabi ngokubuza. Ngabe lokhu kungenziwa kuWindows?

  13.   Martin kusho

    Lolu lwazi lube wusizo kimi. Njengenjwayelo, nina bantu niyathenjwa, lapho ngingatholi lutho ngesiNgisi ngivame ukugcina ngibheka ngeSpanishi, kulezo zikhathi ngivame ukufika kule sayithi. Ngiyabonga.

  14.   nguSebha kusho

    Nginerutha ye-4G eyiklayenti lenethiwekhi engingayiphathi (ngokusobala, ngiyiklayenti)... le router iyisango laleyo nethiwekhi yesilawuli kude nge-OpenVPN. Ngaphezu kwalokho, umzila oshiwo ufeza umsebenzi wokuthumela i-portforward ukufinyelela i-port 80 yeseva yeyodwa yalawo ma-subnets ensimini.

    Lesi kwakuyisimemezelo okufanele ngisifake ku-router njengomthetho wangokwezifiso we-firewall «-t nat -A POSTROUTING -j MASQUERADE»

    Siyabonga ngosizo!