I have two servers:
Server 1 has the IP address 10.8.0.1
Server 2 has the IP address 10.8.0.6
I want server 2 to act as a proxy for a website hosted on server 1. So I used the following commands:
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.8.0.1:443
sudo iptables -t nat -A POSTROUTING -p tcp -d 10.8.0.1 --dport 443 -j SNAT --to-source 10.8.0.6
However, the setup above does not work, as I cannot browse the website. Also, telnet 10.8.0.6 443
produces no output.
Answer 1
I have an example running on my LAN, but according to the comments it may not solve your problem:
Web traffic from 192.168.111.122 to 192.168.111.136 is forwarded to 192.168.111.1. Replies from 192.168.111.1 return along the reverse path to 192.168.111.122, which believes the packets come from 192.168.111.136.
doug@s19:~/iptables/misc$ sudo tcpdump -n -tttt -i br0 not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
2021-12-19 15:57:47.389745 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [S], seq 1692549099, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2021-12-19 15:57:47.389760 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [S], seq 1692549099, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2021-12-19 15:57:47.390055 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [S.], seq 1478028943, ack 1692549100, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2021-12-19 15:57:47.390062 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [S.], seq 1478028943, ack 1692549100, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
2021-12-19 15:57:47.390301 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [.], ack 1, win 1026, length 0
2021-12-19 15:57:47.390306 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [.], ack 1, win 1026, length 0
2021-12-19 15:57:47.396847 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
2021-12-19 15:57:47.396852 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [P.], seq 1:518, ack 1, win 1026, length 517
2021-12-19 15:57:47.397080 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [.], ack 518, win 501, length 0
2021-12-19 15:57:47.397085 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [.], ack 518, win 501, length 0
2021-12-19 15:57:47.400934 IP 192.168.111.1.443 > 192.168.111.136.51683: Flags [P.], seq 1:1629, ack 518, win 501, length 1628
2021-12-19 15:57:47.400941 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [.], seq 1:1461, ack 518, win 501, length 1460
2021-12-19 15:57:47.400942 IP 192.168.111.136.443 > 192.168.111.122.51683: Flags [P.], seq 1461:1629, ack 518, win 501, length 168
The iptables rules are loaded by a script on my test computer:
doug@s19:~/iptables/misc$ cat ask1382639
#!/bin/sh
FWVER=0.01
#
# ask1382639 Smythies 2021.12.18 Ver:0.01
# See here:
# https://askubuntu.com/questions/1382639
#
# run as sudo on s19.
#
# Note: These rules might need to be merged with
# any existing iptables rules set.
echo "Loading ask1382639 rule set version $FWVER..\n"
# The location of the iptables program
#
IPTABLES=/sbin/iptables
#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
# Smythies (for testing)
EXTIF="br0"
EXTIP="192.168.111.136"
REDIRECTIP="192.168.111.1"
NETWORK="192.168.111.0/24"
UNIVERSE="0.0.0.0/0"
#
# For the actual servers of the question
#
#EXTIF="UNKNOWN"
#EXTIP="10.8.0.6"
#REDIRECTIP="10.8.0.1"
#NETWORK="10.8.0.0/24" ASSUMED, ACTUALLY UNKNOWN
#UNIVERSE="0.0.0.0/0"
#CRITICAL: Enable IP forwarding since it is disabled by default
#
echo Enabling forwarding...
echo "1" > /proc/sys/net/ipv4/ip_forward
# Clearing any previous configuration
# Be careful here. I can do this on s19, but do not know
# about Admia's servers.
#
echo " Clearing any existing rules and setting default policies.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
# Smythies: While my references do not have it, I think this is needed.
$IPTABLES -t nat -Z
# First: redirect port 443 traffic to the other server.
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 443 -j DNAT --to $REDIRECTIP
# Second: The destination needs to know what IP address to reply to.
$IPTABLES -t nat -A POSTROUTING -p tcp -o $EXTIF --dport 443 -d $REDIRECTIP -j SNAT --to $EXTIP
echo ask1382639 rule set version $FWVER done.
and:
doug@s19:~/iptables/misc$ sudo iptables -t nat -xvnL
Chain PREROUTING (policy ACCEPT 177 packets, 13129 bytes)
pkts bytes target prot opt in out source destination
6 312 DNAT tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.111.1
Chain INPUT (policy ACCEPT 177 packets, 13129 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3 packets, 252 bytes)
pkts bytes target prot opt in out source destination
6 312 SNAT tcp -- * br0 0.0.0.0/0 192.168.111.1 tcp dpt:443 to:192.168.111.136
Chain OUTPUT (policy ACCEPT 3 packets, 252 bytes)
pkts bytes target prot opt in out source destination
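The same DNAT + SNAT forward as a reviewable list of commands, as an added example that is not answer 1's script. It assumes the interface name, the two addresses and the port are passed as arguments, validates the addresses before emitting anything, and, unlike the script above, keeps the FORWARD chain limited to this one flow and its replies instead of setting the policy to ACCEPT. Nothing is applied until the output is piped into sh as root.

```shell
#!/bin/sh
# Added example (not the answer's own script): print the rule set for a
# single-port DNAT/SNAT forward so it can be reviewed before it runs.
# Usage: gen_nat_rules EXTIF EXTIP REDIRECTIP [PORT]   (then: ... | sudo sh)

# Returns 0 for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

gen_nat_rules() {
    extif=$1; extip=$2; redirip=$3; port=${4:-443}
    [ -n "$extif" ]       || { echo "gen_nat_rules: interface name required" >&2; return 1; }
    valid_ipv4 "$extip"   || { echo "gen_nat_rules: bad EXTIP '$extip'" >&2; return 1; }
    valid_ipv4 "$redirip" || { echo "gen_nat_rules: bad REDIRECTIP '$redirip'" >&2; return 1; }
    cat <<EOF
# forwarding is off by default; without it the DNATed packet is silently dropped
sysctl -w net.ipv4.ip_forward=1
# 1. rewrite the destination of inbound $port/tcp to the real server
iptables -t nat -A PREROUTING -i $extif -p tcp --dport $port -j DNAT --to-destination $redirip:$port
# 2. rewrite the source so the real server replies via this host, not directly to the client
iptables -t nat -A POSTROUTING -o $extif -p tcp -d $redirip --dport $port -j SNAT --to-source $extip
# 3. DNATed packets traverse FORWARD, not INPUT: allow only this flow and its replies
iptables -A FORWARD -i $extif -p tcp -d $redirip --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Demo with answer 1's test addresses: prints the commands, applies nothing
gen_nat_rules br0 192.168.111.136 192.168.111.1
```

The FORWARD rules are the part most often forgotten: after DNAT the packet is no longer addressed to the proxy, so it never reaches INPUT, and a default-DROP FORWARD chain will discard it even though the nat counters show the DNAT rule matching.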
Answer 2
In my case, the router server (server 2 in your case) was delivering packets using a different IP address (i.e. an address other than 10.8.0.1).
I found the IP with tcpdump -i eth0 -p 443 and substituted it into the iptables rules.
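Both answers end up reading a capture on the proxy to see what the forwarded packets really look like. The following is an added example, not part of either answer, that automates that reading: it takes a text capture from tcpdump -n on the proxy and, for every inbound SYN aimed at the proxy address, looks for the forwarded copy (same TCP sequence number) and reports whether the copy carries the proxy's address (OK), still carries the client's address (no SNAT), carries some other address (the situation answer 2 describes, with the address that was actually used), or never appears at all (no DNAT, or forwarding disabled). The first sample is taken from answer 1's capture; the second sample and its 10.8.0.x client addresses are constructed for the failure cases.

```shell
#!/bin/sh
# Added example (not from either answer): check DNAT/SNAT pairing in a
# tcpdump -n text capture taken on the proxy host.
# Usage: check_nat_pairs PROXYIP < capture.txt
check_nat_pairs() {
    awk -v proxy="$1" '
    # tcpdump -n line layout: date time IP src.port > dst.port: Flags [S], seq N, ...
    $3 == "IP" && $8 == "[S]," {
        src = $4; dst = $6; sub(/:$/, "", dst)
        seq = $10; sub(/,$/, "", seq)
        sip = src; sub(/\.[0-9]+$/, "", sip)      # strip the port, keep the address
        dip = dst; sub(/\.[0-9]+$/, "", dip)
        if (dip == proxy) {
            if (!(seq in client)) client[seq] = sip   # inbound SYN, before DNAT
        } else if (seq in client && !(seq in done)) {
            done[seq] = 1                             # forwarded copy, after DNAT/SNAT
            if (sip == proxy)
                printf "OK seq=%s client=%s proxy=%s backend=%s\n", seq, client[seq], sip, dip
            else if (sip == client[seq])
                printf "NO_SNAT seq=%s backend %s will reply straight to %s\n", seq, dip, sip
            else
                printf "MISMATCH seq=%s forwarded from %s, not %s (this is the address to put in SNAT --to-source)\n", seq, sip, proxy
        }
    }
    END {
        for (seq in client) if (!(seq in done))
            printf "NOT_FORWARDED seq=%s client=%s (check the DNAT rule and net.ipv4.ip_forward)\n", seq, client[seq]
    }'
}

# Sample 1: the two SYN lines from answer 1's capture (proxy 192.168.111.136)
SAMPLE_OK='2021-12-19 15:57:47.389745 IP 192.168.111.122.51683 > 192.168.111.136.443: Flags [S], seq 1692549099, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
2021-12-19 15:57:47.389760 IP 192.168.111.136.51683 > 192.168.111.1.443: Flags [S], seq 1692549099, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0'

# Sample 2 (constructed, clients 10.8.0.10/11 invented): seq 1000 is forwarded
# with a source address that is not the proxy's; seq 2000 is never forwarded.
SAMPLE_BAD='2021-12-19 16:00:00.000001 IP 10.8.0.10.40000 > 10.8.0.6.443: Flags [S], seq 1000, win 64240, length 0
2021-12-19 16:00:00.000002 IP 10.8.0.5.40000 > 10.8.0.1.443: Flags [S], seq 1000, win 64240, length 0
2021-12-19 16:00:00.000003 IP 10.8.0.11.40001 > 10.8.0.6.443: Flags [S], seq 2000, win 64240, length 0'

printf '%s\n' "$SAMPLE_OK"  | check_nat_pairs 192.168.111.136
printf '%s\n' "$SAMPLE_BAD" | check_nat_pairs 10.8.0.6
```

On a live host the input would be something like sudo tcpdump -n -i br0 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0' saved to a file; matching on the sequence number rather than on ports works because DNAT and SNAT rewrite addresses but leave the TCP sequence number untouched.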