码迷,mamicode.com
首页 > 其他好文 > 详细

iptables实现反向代理(2)

时间:2017-03-06 17:33:29      阅读:654      评论:0      收藏:0      [点我收藏+]

标签:server   capture   client   routing   src   apt   dna   dnat   net   

简介

Client: 192.168.189.149

Proxy: 172.19.222.16

RealServer: 192.100.13.203

 

拓扑图

技术分享

 

实验

一、(对应拓扑图中的列1)

配置

-A PREROUTING -p tcp -d 172.19.222.16/32 --dport 3389 -j DNAT --to-destination 192.100.13.203:3389
-A POSTROUTING -j MASQUERADE

抓包分析(Client: nc -w2 -t -v 172.19.222.16 3389 Proxy: tcpdump -nn port 3389)

[root@tv_proxy ~]# tcpdump -nn port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:37:06.476695 IP 192.168.189.149.58685 > 172.19.222.16.3389: Flags [S], seq 1226688947, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788372890 ecr 0,sackOK,eol], length 0
01:37:06.476765 IP 172.19.222.16.58685 > 192.100.13.203.3389: Flags [S], seq 1226688947, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788372890 ecr 0,sackOK,eol], length 0
01:37:06.483030 IP 192.100.13.203.3389 > 172.19.222.16.58685: Flags [S.], seq 3555435495, ack 1226688948, win 8192, options [mss 1448,nop,wscale 8,sackOK,TS val 1118072622 ecr 788372890], length 0
01:37:06.483093 IP 172.19.222.16.3389 > 192.168.189.149.58685: Flags [S.], seq 3555435495, ack 1226688948, win 8192, options [mss 1448,nop,wscale 8,sackOK,TS val 1118072622 ecr 788372890], length 0
01:37:06.487023 IP 192.168.189.149.58685 > 172.19.222.16.3389: Flags [.], ack 1, win 4106, options [nop,nop,TS val 788372901 ecr 1118072622], length 0
01:37:06.487040 IP 172.19.222.16.58685 > 192.100.13.203.3389: Flags [.], ack 1, win 4106, options [nop,nop,TS val 788372901 ecr 1118072622], length 0
01:37:08.503085 IP 192.168.189.149.58685 > 172.19.222.16.3389: Flags [F.], seq 1, ack 1, win 4106, options [nop,nop,TS val 788374912 ecr 1118072622], length 0
01:37:08.503129 IP 172.19.222.16.58685 > 192.100.13.203.3389: Flags [F.], seq 1, ack 1, win 4106, options [nop,nop,TS val 788374912 ecr 1118072622], length 0
01:37:08.503704 IP 192.100.13.203.3389 > 172.19.222.16.58685: Flags [.], ack 2, win 259, options [nop,nop,TS val 1118072824 ecr 788374912], length 0
01:37:08.503729 IP 172.19.222.16.3389 > 192.168.189.149.58685: Flags [.], ack 2, win 259, options [nop,nop,TS val 1118072824 ecr 788374912], length 0

验证了IP包的(拓扑图中列1 (1) -> (2) ->(3) ->(4) )走向

 

二、(对应拓扑图中的列2)

配置

-A PREROUTING -p tcp -d 172.19.222.16/32 --dport 3389 -j DNAT --to-destination 192.100.13.203:3389

抓包分析(Client: nc -w2 -t -v 172.19.222.16 3389 )

Proxy: tcpdump -nn port 3389

[root@tv_proxy ~]# tcpdump -nn port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:33:07.135139 IP 192.168.189.149.58678 > 172.19.222.16.3389: Flags [S], seq 532017972, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788133903 ecr 0,sackOK,eol], length 0
01:33:07.135227 IP 192.168.189.149.58678 > 192.100.13.203.3389: Flags [S], seq 532017972, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788133903 ecr 0,sackOK,eol], length 0

RealServer: tcpdump -nn port 3389


[root@fortress ~]# tcpdump -i ens192 -nn port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 65535 bytes
01:46:13.647774 IP 192.168.189.149.58678 > 192.100.13.203.3389: Flags [S], seq 20768373, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788919097 ecr 0,sackOK,eol], length 0
01:46:13.647846 IP 192.100.13.203.3389 > 192.168.189.149.58678: Flags [S.], seq 752203413, ack 20768374, win 14480, options [mss 1460,sackOK,TS val 1766913754 ecr 788919097,nop,wscale 7], length 0

 

 

iptables实现反向代理(2)

标签:server   capture   client   routing   src   apt   dna   dnat   net   

原文地址:http://www.cnblogs.com/metasequoia/p/6510758.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!