I have two dedicated servers and no hardware firewall. I'd like to forward all requests that come into the primary server on port 1008 to be fulfilled by another dedicated server on the same network. I know I need to set up some kind of TCP proxy, but I first heard of IPTables yesterday. Any quick tips?
3 solutions
#1
1
Carson is right: put a bridging firewall between servers and clients. Shorewall (IP tables) can then redirect traffic to different ports and different machines.
With the firewall being a bridge, you don't have to change your network settings, yet the bridge interface has to be assigned one IP address of each network clients and servers are in. Else the redirection won't work.
Caveat: the machine where the connection originally was pointed to has to be online (means: its IP address has to be in use), else the redirect won't work.
If the redirection is meant as a means of failover for high-availability, I would consider a load balancer (cluster) instead of the firewall, which leads to Linux Virtual Server (for a general approach) or to load balancer software like Apache (with mod_proxy_balancer), balance or Pound (if only HTTP requests are to be balanced). There are also hardware appliances, e.g. from F5, for load balancing.
#2
2
The easiest way is to use something which is just a TCP proxy. It is possible to achieve this using iptables, but not easy.
It is easy to forward requests from A intended for B to C (using DNAT) but harder to get C's responses to go back to A via B (because DNAT does not change the sender address). A would then ignore the responses as they'd be coming from C rather than B.
Essentially the way of doing it would be to set up B as C's default gateway, and using forwarding, however, this places an additional point of failure in B; if B fails, C's outbound traffic (including responses to requests sent to C directly) would end up going down a black hole.
Using IPtables it is possible without this routing trick I think, but you'd need to have the same connection SNAT'd and DNAT'd, which is tricky at best.
Normally in such situations, most people put another host (firewall) in front of the two machines and have it make DNAT decisions. Of course this introduces a point of failure as well, which is why in critical setups the firewall typically has a redundant backup (its configuration is synchronised and sometimes its connection tracking table is).
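The iptables variant that the answer above calls tricky (the same connection DNAT'd on the way in and SNAT'd on the way out, so C does not need B as its default gateway), as an added example that is not from any of the posts here. It assumes B is the Linux host clients connect to, C is the backend on the same network, and both the `nat` table and the `conntrack` match are available on B; the addresses are constructed placeholders from the TEST-NET ranges, not anyone's real servers.

```shell
#!/bin/sh
# Added example: forward TCP/1008 arriving at B to C, and bring C's replies
# back through B by translating both directions of the same connection.
# Addresses are constructed placeholders; replace them with your own.
B_IP="203.0.113.10"   # hypothetical: address clients use to reach B
C_IP="192.0.2.20"     # hypothetical: address of C on the shared network
PORT=1008

# Emit the commands one per line so they can be reviewed before they run.
#  1. ip_forward: without it B drops packets not addressed to itself.
#  2. PREROUTING DNAT: rewrite the destination so routing sends it to C.
#  3. POSTROUTING MASQUERADE: rewrite the source to B's own address on the
#     interface facing C, so C answers B; conntrack then reverses both
#     translations on the reply, and the client sees it coming from B.
#  4./5. FORWARD: allow only new connections to the forwarded port plus
#     traffic belonging to connections conntrack already knows.
forward_rules() {
    b_ip=$1
    c_ip=$2
    port=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp -d $b_ip --dport $port -j DNAT --to-destination $c_ip:$port
iptables -t nat -A POSTROUTING -p tcp -d $c_ip --dport $port -j MASQUERADE
iptables -A FORWARD -p tcp -d $c_ip --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply the rules (needs root). Each command is echoed before it runs and
# the first failure aborts the rest.
apply_rules() {
    forward_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1
    done
}

case "${1:-}" in
    --apply) apply_rules "$B_IP" "$C_IP" "$PORT" ;;
    *)       forward_rules "$B_IP" "$C_IP" "$PORT" ;;   # dry run: print only
esac
```

Run it with no arguments to see the rule set, with `--apply` as root to install it. Because of the MASQUERADE rule, C sees every forwarded connection as coming from B, so C's application logs and any per-client rate limiting on C lose the real client address; if you need that evidence, log at B (an iptables LOG rule in front of the DNAT, or the plain TCP proxy route the answer recommends, e.g. `socat TCP-LISTEN:1008,fork,reuseaddr TCP:192.0.2.20:1008`, whose own logging can record the original peer).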
#3
1
First off, I would recommend you get a firewall in place. I've used Shorewall for a long time to manage iptables and it is pretty easy to configure. Second, if you use something like Shorewall there are easy guides on how to do DNAT (port forwarding).