iptables实现反向代理（2）

时间：2017-03-06 17:33:29 阅读：654 评论：0 收藏：0 [点我收藏+]

标签：server capture client routing src apt dna dnat net

简介

Client: 192.168.189.149

Proxy: 172.19.222.16

RealServer: 192.100.13.203

拓扑图

技术分享

实验

一、（对应拓扑图中的列1)

配置

-A PREROUTING -p tcp -d 172.19.222.16/32 --dport 3389 -j DNAT --to-destination 192.100.13.203:3389
-A POSTROUTING -j MASQUERADE

抓包分析（Client: nc -w2 -t -v 172.19.222.16 3389 Proxy: tcpdump -nn port 3389）

[root@tv_proxy ~]# tcpdump -nn port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:37:06.476695 IP 192.168.189.149.58685 > 172.19.222.16.3389: Flags [S], seq 1226688947, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788372890 ecr 0,sackOK,eol], length 0
01:37:06.476765 IP 172.19.222.16.58685 > 192.100.13.203.3389: Flags [S], seq 1226688947, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788372890 ecr 0,sackOK,eol], length 0
01:37:06.483030 IP 192.100.13.203.3389 > 172.19.222.16.58685: Flags [S.], seq 3555435495, ack 1226688948, win 8192, options [mss 1448,nop,wscale 8,sackOK,TS val 1118072622 ecr 788372890], length 0
01:37:06.483093 IP 172.19.222.16.3389 > 192.168.189.149.58685: Flags [S.], seq 3555435495, ack 1226688948, win 8192, options [mss 1448,nop,wscale 8,sackOK,TS val 1118072622 ecr 788372890], length 0
01:37:06.487023 IP 192.168.189.149.58685 > 172.19.222.16.3389: Flags [.], ack 1, win 4106, options [nop,nop,TS val 788372901 ecr 1118072622], length 0
01:37:06.487040 IP 172.19.222.16.58685 > 192.100.13.203.3389: Flags [.], ack 1, win 4106, options [nop,nop,TS val 788372901 ecr 1118072622], length 0
01:37:08.503085 IP 192.168.189.149.58685 > 172.19.222.16.3389: Flags [F.], seq 1, ack 1, win 4106, options [nop,nop,TS val 788374912 ecr 1118072622], length 0
01:37:08.503129 IP 172.19.222.16.58685 > 192.100.13.203.3389: Flags [F.], seq 1, ack 1, win 4106, options [nop,nop,TS val 788374912 ecr 1118072622], length 0
01:37:08.503704 IP 192.100.13.203.3389 > 172.19.222.16.58685: Flags [.], ack 2, win 259, options [nop,nop,TS val 1118072824 ecr 788374912], length 0
01:37:08.503729 IP 172.19.222.16.3389 > 192.168.189.149.58685: Flags [.], ack 2, win 259, options [nop,nop,TS val 1118072824 ecr 788374912], length 0

验证了IP包的（拓扑图中列1 (1) -> (2) ->(3) ->(4) ）走向

二、（对应拓扑图中的列2）

配置

-A PREROUTING -p tcp -d 172.19.222.16/32 --dport 3389 -j DNAT --to-destination 192.100.13.203:3389

抓包分析（Client: nc -w2 -t -v 172.19.222.16 3389 ）

Proxy: tcpdump -nn port 3389

[root@tv_proxy ~]# tcpdump -nn port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:33:07.135139 IP 192.168.189.149.58678 > 172.19.222.16.3389: Flags [S], seq 532017972, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788133903 ecr 0,sackOK,eol], length 0
01:33:07.135227 IP 192.168.189.149.58678 > 192.100.13.203.3389: Flags [S], seq 532017972, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788133903 ecr 0,sackOK,eol], length 0

RealServer: tcpdump -nn port 3389

[root@fortress ~]# tcpdump -i ens192 -nn port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 65535 bytes
01:46:13.647774 IP 192.168.189.149.58678 > 192.100.13.203.3389: Flags [S], seq 20768373, win 65535, options [mss 1240,nop,wscale 5,nop,nop,TS val 788919097 ecr 0,sackOK,eol], length 0
01:46:13.647846 IP 192.100.13.203.3389 > 192.168.189.149.58678: Flags [S.], seq 752203413, ack 20768374, win 14480, options [mss 1460,sackOK,TS val 1766913754 ecr 788919097,nop,wscale 7], length 0

iptables实现反向代理（2）

标签：server capture client routing src apt dna dnat net

原文地址：http://www.cnblogs.com/metasequoia/p/6510758.html

踩

(0)

评论一句话评论（0）

分享档案

更多>

2021年07月29日 (22)
2021年07月28日 (40)
2021年07月27日 (32)
2021年07月26日 (79)
2021年07月23日 (29)
2021年07月22日 (30)
2021年07月21日 (42)
2021年07月20日 (16)
2021年07月19日 (90)
2021年07月16日 (35)

周排行