Centos用iptables实现网站访问重定向
时间:2019-11-01 07:36 来源:www.it.net.cn 作者:IT网
因为某些原因需要把访问10.0.3.49上的httpd服务重定向到10.0.3.26上.所以研究了一下用iptables的NAT实现IP与端口的重定向,其实很简单,只需要两步。
1,首先需要确保linux服务器10.0.3.49开启了数据转发功能:
echo 1 > /proc/sys/net/ipv4/ip_forward
2.10.0.3.49做NAT的ip和端口80的重定向。
iptables -t nat -A PREROUTING -p tcp --dport 80 -d 10.0.3.49 -j DNAT --to 10.0.3.26:80
iptables -t nat -A POSTROUTING -d 10.0.3.26 -p tcp --dport 80 -j SNAT --to 10.0.3.49:80
iptables -A FORWARD -d 10.0.3.26 -j ACCEPT
如果还是没有成功,用tcpdump -nn -i any port 80 看两台服务器网卡上是否有数据进入和出去,将检查自己的iptables是否放行,我的iptables规则是这样设置的:
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --dport 21 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 65400:65410 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 22 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 25 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p UDP --dport 53 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 53 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 80 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 110 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP --dport 443 --sport 1024:65534 -j ACCEPT
/etc/init.d/iptables save
遇到的问题:
1.没有设置iptables -A FORWARD -d 10.0.3.26 -j ACCEPT
10.0.3.49上查看数据:
[root@vb01 ~]# tcpdump -nn -i any port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
20:20:27.704953 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:27.706000 IP 10.0.3.27.54605 > 10.0.3.49.80: Flags [S], seq 18175173, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:27.951043 IP 10.0.3.27.54607 > 10.0.3.49.80: Flags [S], seq 984209039, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:30.703240 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:30.710931 IP 10.0.3.27.54605 > 10.0.3.49.80: Flags [S], seq 18175173, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:30.949540 IP 10.0.3.27.54607 > 10.0.3.49.80: Flags [S], seq 984209039, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
20:20:36.698054 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, options [mss 1460,nop,nop,sackOK], length 0
20:20:36.715184 IP 10.0.3.27.54605 > 10.0.3.49.80: Flags [S], seq 18175173, win 8192, options [mss 1460,nop,nop,sackOK], length 0
20:20:36.951390 IP 10.0.3.27.54607 > 10.0.3.49.80: Flags [S], seq 984209039, win 8192, options [mss 1460,nop,nop,sackOK], length 0
可以看到Flags全是S标志,表示TCP连接请求没有回应,所以本机iptables可能没有设置允许目的地址是10.0.3.26的数据的转发。
本文出自 “galei” 博客,请务必保留此出处http://galean.blog.51cto.com/7702012/1275039
(责任编辑:IT)
因为某些原因需要把访问10.0.3.49上的httpd服务重定向到10.0.3.26上.所以研究了一下用iptables的NAT实现IP与端口的重定向,其实很简单,只需要两步。 1,首先需要确保linux服务器10.0.3.49开启了数据转发功能: echo 1 > /proc/sys/net/ipv4/ip_forward 2.10.0.3.49做NAT的ip和端口80的重定向。 iptables -t nat -A PREROUTING -p tcp --dport 80 -d 10.0.3.49 -j DNAT --to 10.0.3.26:80 iptables -t nat -A POSTROUTING -d 10.0.3.26 -p tcp --dport 80 -j SNAT --to 10.0.3.49:80 iptables -A FORWARD -d 10.0.3.26 -j ACCEPT 如果还是没有成功,用tcpdump -nn -i any port 80 看两台服务器网卡上是否有数据进入和出去,将检查自己的iptables是否放行,我的iptables规则是这样设置的: iptables -F iptables -X iptables -Z iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP --dport 21 --sport 1024:65534 -j ACCEPT iptables -A INPUT -p TCP --dport 65400:65410 --sport 1024:65534 -j ACCEPT iptables -A INPUT -p TCP --dport 22 --sport 1024:65534 -j ACCEPT iptables -A INPUT -p TCP --dport 25 --sport 1024:65534 -j ACCEPT iptables -A INPUT -p UDP --dport 53 --sport 1024:65534 -j ACCEPT iptables -A INPUT -p TCP --dport 53 --sport 1024:65534 -j ACCEPT iptables -A INPUT -p TCP --dport 80 --sport 1024:65534 -j ACCEPT iptables -A INPUT -p TCP --dport 110 --sport 1024:65534 -j ACCEPT iptables -A INPUT -p TCP --dport 443 --sport 1024:65534 -j ACCEPT /etc/init.d/iptables save 遇到的问题: 1.没有设置iptables -A FORWARD -d 10.0.3.26 -j ACCEPT 10.0.3.49上查看数据: [root@vb01 ~]# tcpdump -nn -i any port 80 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes 20:20:27.704953 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0 20:20:27.706000 IP 10.0.3.27.54605 > 10.0.3.49.80: Flags [S], seq 18175173, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0 20:20:27.951043 IP 10.0.3.27.54607 > 10.0.3.49.80: Flags [S], seq 984209039, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0 20:20:30.703240 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0 20:20:30.710931 IP 10.0.3.27.54605 > 10.0.3.49.80: Flags [S], seq 18175173, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0 20:20:30.949540 IP 10.0.3.27.54607 > 10.0.3.49.80: Flags [S], seq 984209039, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0 20:20:36.698054 IP 10.0.3.27.54604 > 10.0.3.49.80: Flags [S], seq 3899582159, win 8192, options [mss 1460,nop,nop,sackOK], length 0 20:20:36.715184 IP 10.0.3.27.54605 > 10.0.3.49.80: Flags [S], seq 18175173, win 8192, options [mss 1460,nop,nop,sackOK], length 0 20:20:36.951390 IP 10.0.3.27.54607 > 10.0.3.49.80: Flags [S], seq 984209039, win 8192, options [mss 1460,nop,nop,sackOK], length 0 可以看到Flags全是S标志,表示TCP连接请求没有回应,所以本机iptables可能没有设置允许目的地址是10.0.3.26的数据的转发。 本文出自 “galei” 博客,请务必保留此出处http://galean.blog.51cto.com/7702012/1275039 (责任编辑:IT) |