I am trying to NAT HTTP traffic. I am new to this and have run into some problems. What I am trying to do is NAT client HTTP requests to a web server.
Client -> NAT box -> Web server
When the client opens the NAT box's IP, the request should be passed on to the web server. Instead I get "HTTP request sent, awaiting response..." and it then waits several minutes before the request completes.
Looking at the tcpdump output, it seems the first SYN packet (at 10:48:54) is being NATed, but the second, third, fourth, ... ACK or PSH packets are not, and only at (10:52:04) does NAT kick in again on an ACK packet.
The iptables command I am using is:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 \
-j DNAT --to-destination WEBSERVER
I would like to know what is causing this behaviour?
10:48:54.907861 IP (tos 0x0, ttl 49, id 16395, offset 0, flags [DF],
proto: TCP (6), length: 48) CLIENT.61736 > NATBOX.http: S,
cksum 0x6019 (correct), 1589600740:1589600740(0) win 5840 <mss 1460,nop,wscale 8>
10:48:54.907874 IP (tos 0x0, ttl 48, id 16395, offset 0, flags [DF],
proto: TCP (6), length: 48) CLIENT.61736 > WEBSERVER.http: S,
cksum 0xb5d7 (correct), 1589600740:1589600740(0) win 5840 <mss 1460,nop,wscale 8>
10:48:55.102696 IP (tos 0x0, ttl 49, id 16397, offset 0, flags [DF],
proto: TCP (6), length: 40) CLIENT.61736 > NATBOX.http: .,
cksum 0x2727 (correct), ack 2950613896 win 23
10:48:55.102963 IP (tos 0x0, ttl 49, id 16399, offset 0, flags [DF],
proto: TCP (6), length: 160) CLIENT.61736 > NATBOX.http: P 0:120(120)
ack 1 win 23
10:48:58.103078 IP (tos 0x0, ttl 49, id 16401, offset 0, flags [DF],
proto: TCP (6), length: 160) CLIENT.61736 > NATBOX.http: P 0:120(120)
ack 1 win 23
10:48:58.366344 IP (tos 0x0, ttl 49, id 16403, offset 0, flags [DF],
proto: TCP (6), length: 40) CLIENT.61736 > NATBOX.http: .,
cksum 0x26af (correct), ack 1 win 23
10:49:04.103204 IP (tos 0x0, ttl 49, id 16405, offset 0, flags [DF],
proto: TCP (6), length: 160) CLIENT.61736 > NATBOX.http: P 0:120(120)
ack 1 win 23
10:49:04.363943 IP (tos 0x0, ttl 49, id 16407, offset 0, flags [DF],
proto: TCP (6), length: 40) CLIENT.61736 > NATBOX.http: .,
cksum 0x26af (correct), ack 1 win 23
10:49:16.101583 IP (tos 0x0, ttl 49, id 16409, offset 0, flags [DF],
proto: TCP (6), length: 160) CLIENT.61736 > NATBOX.http: P 0:120(120)
ack 1 win 23
10:49:16.363475 IP (tos 0x0, ttl 49, id 16411, offset 0, flags [DF],
proto: TCP (6), length: 40) CLIENT.61736 > NATBOX.http: .,
cksum 0x26af (correct), ack 1 win 23
10:49:40.100796 IP (tos 0x0, ttl 49, id 16413, offset 0, flags [DF],
proto: TCP (6), length: 160) CLIENT.61736 > NATBOX.http: P 0:120(120)
ack 1 win 23
10:49:40.563898 IP (tos 0x0, ttl 49, id 16415, offset 0, flags [DF],
proto: TCP (6), length: 40) CLIENT.61736 > NATBOX.http: .,
cksum 0x26af (correct), ack 1 win 23
10:50:28.099396 IP (tos 0x0, ttl 49, id 16417, offset 0, flags [DF],
proto: TCP (6), length: 160) CLIENT.61736 > NATBOX.http: P 0:120(120)
ack 1 win 23
10:50:28.761678 IP (tos 0x0, ttl 49, id 16419, offset 0, flags [DF],
proto: TCP (6), length: 40) CLIENT.61736 > NATBOX.http: .,
cksum 0x26af (correct), ack 1 win 23
10:52:04.093668 IP (tos 0x0, ttl 49, id 16421, offset 0, flags [DF],
proto: TCP (6), length: 160) CLIENT.61736 > NATBOX.http: P 0:120(120)
ack 1 win 23
10:52:04.093678 IP (tos 0x0, ttl 48, id 16421, offset 0, flags [DF],
proto: TCP (6), length: 160) CLIENT.61736 > WEBSERVER.http:
P 1589600741:1589600861(120) ack 2950613896 win 23
10:52:04.291021 IP (tos 0x0, ttl 49, id 16423, offset 0, flags [DF],
proto: TCP (6), length: 40) CLIENT.61736 > NATBOX.http: .,
cksum 0x25d3 (correct), ack 217 win 27
10:52:04.291028 IP (tos 0x0, ttl 48, id 16423, offset 0, flags [DF],
proto: TCP (6), length: 40) CLIENT.61736 > WEBSERVER.http: .,
cksum 0x7b91 (correct), ack 217 win 27
10:52:04.300708 IP (tos 0x0, ttl 49, id 16425, offset 0, flags [DF],
proto: TCP (6), length: 40) CLIENT.61736 > NATBOX.http: .,
cksum 0x253c (correct), ack 368 win 27
10:52:04.300714 IP (tos 0x0, ttl 48, id 16425, offset 0, flags [DF],
proto: TCP (6), length: 40) CLIENT.61736 > WEBSERVER.http: .,
cksum 0x7afa (correct), ack 368 win 27
10:52:04.301417 IP (tos 0x0, ttl 49, id 16427, offset 0, flags [DF],
proto: TCP (6), length: 40) CLIENT.61736 > NATBOX.http: F,
cksum 0x253b (correct), 120:120(0) ack 368 win 27
10:52:04.301438 IP (tos 0x0, ttl 48, id 16427, offset 0, flags [DF],
proto: TCP (6), length: 40) CLIENT.61736 > WEBSERVER.http: F,
cksum 0x7af9 (correct), 120:120(0) ack 368 win 27
10:52:04.498875 IP (tos 0x0, ttl 49, id 16429, offset 0, flags [DF],
proto: TCP (6), length: 40) CLIENT.61736 > NATBOX.http: .,
cksum 0x253a (correct), ack 369 win 27
10:52:04.498881 IP (tos 0x0, ttl 48, id 16429, offset 0, flags [DF],
proto: TCP (6), length: 40) CLIENT.61736 > WEBSERVER.http: .,
cksum 0x7af8 (correct), ack 369 win 27
Answer 1
Does WEBSERVER know that CLIENT is reachable through the NAT box? You want to SNAT CLIENT so that it looks like the NAT box to WEBSERVER, don't you?
Answer 2
It looks like the kind of routing you are trying to set up is called direct routing. It is usually used for load-balancing traffic between servers (since the path in this direction is direct, it avoids the router bottleneck on the way from server to client).
You can find a detailed explanation of direct routing configuration and theory on the LVS website.