TL; DR – 我正在寻找通过代理服务器发送所有外部stream量的方式,但不通过代理服务器发送所有内部stream量。 我怎样才能做到这一点?
我的最终目标是将来自phantomjs节点的所有外部stream量转发到互联网上的一组代理服务器,并将所有去往我的服务器(10.X.1.X)的stream量保留在外部代理服务器上。
这是我的理解,我需要使用透明代理。 我试图用HAProxy和IPFire没有成功。
我的下一个尝试是使用IPTables。 我在虚拟机上使用CentOS 6.8上的IPTables v1.4.7。 IP地址是10.2.1.234。 我已经成功地build立了IPTables,用以下IPTables规则将所有stream量循环到互联网上的5台代理服务器:
Table: nat Chain PREROUTING (policy ACCEPT) num target prot opt source destination 1 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 5 tcp dpt:80 to:104.36.80.240:80 2 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 4 tcp dpt:80 to:104.36.81.104:80 3 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 3 tcp dpt:80 to:104.36.81.12:80 4 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 2 tcp dpt:80 to:104.36.82.153:80 5 DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:104.36.80.241:80 Chain POSTROUTING (policy ACCEPT) num target prot opt source destination 1 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) num target prot opt source destination Table: filter Chain INPUT (policy ACCEPT) num target prot opt source destination 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 Chain FORWARD (policy ACCEPT) num target prot opt source destination Chain OUTPUT (policy ACCEPT) num target prot opt source destination 我在/etc/sysctl.conf中设置了以下内容
# Controls IP packet forwarding net.ipv4.ip_forward = 1
的/ etc / SYSCONFIG / iptables的-configuration
# Load additional iptables modules (nat helpers) # Default: -none- # Space separated list of nat helpers (eg 'ip_nat_ftp ip_nat_irc'), which # are loaded after the firewall rules are applied. Options for the helpers are # stored in /etc/modprobe.conf. IPTABLES_MODULES="" # Unload modules on restart and stop # Value: yes|no, default: yes # This option has to be 'yes' to get to a sane state for a firewall # restart or stop. Only set to 'no' if there are problems unloading netfilter # modules. IPTABLES_MODULES_UNLOAD="yes" # Save current firewall rules on stop. # Value: yes|no, default: no # Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped # (eg on system shutdown). IPTABLES_SAVE_ON_STOP="yes" # Save current firewall rules on restart. # Value: yes|no, default: no # Saves all firewall rules to /etc/sysconfig/iptables if firewall gets # restarted. IPTABLES_SAVE_ON_RESTART="yes" # Save (and restore) rule and chain counter. # Value: yes|no, default: no # Save counters for rules and chains to /etc/sysconfig/iptables if # 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or # SAVE_ON_RESTART is enabled. IPTABLES_SAVE_COUNTER="no" # Numeric status output # Value: yes|no, default: yes # Print IP addresses and port numbers in numeric format in the status output. IPTABLES_STATUS_NUMERIC="yes" # Verbose status output # Value: yes|no, default: yes # Print info about the number of packets and bytes plus the "input-" and # "outputdevice" in the status output. IPTABLES_STATUS_VERBOSE="no" # Status output with numbered lines # Value: yes|no, default: yes # Print a counter/number for every rule in the status output. IPTABLES_STATUS_LINENUMBERS="yes" # Reload sysctl settings on start and restart # Default: -none- # Space separated list of sysctl items which are to be reloaded on start. # List items will be matched by fgrep. #IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
的/ proc / SYS /网/的IPv4 / IP_FORWARD
1
我的问题是当我试图免除我的本地地址被发送到外部代理服务器。 我认为ACCEPT可能会工作,并将以下内容添加到nat PREROUTING表中:
1 ACCEPT tcp -- 0.0.0.0/0 10.1.1.0/24
然后,我从桌面发送下面的curl命令,但不会触发该规则! 它触发了循环赛规则之一。
curl -v -k -x 10.2.1.234:80 http://10.1.1.228/
我尝试了与DNAT和FORWARD类似的事情,但是无论出于何种原因,IPTables并不尊重目标地址。 我错过了什么吗?