iptables PREROUTING redirect of port 80 to Varnish not working

I am trying to use iptables to keep Varnish on port 8080 and Apache on port 80, and simply route everything arriving on port 80 to port 8080. It does not work. When I call the site on port 8080 everything is cached; when I call it on port 80 I just get the normal Apache response.

I followed this guide.

So Varnish and Apache seem to be configured correctly, because I get the cached version on port 8080.

In step 1 I simply add the rule to iptables:

    # iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

When I run

    # iptables -L -t nat

to see whether it works, I get this output:

    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

Output of iptables-save:

    # Generated by iptables-save v1.4.12 on Mon Oct 27 23:24:03 2014
    *raw
    :PREROUTING ACCEPT [22819:7234594]
    :OUTPUT ACCEPT [32677:42807068]
    COMMIT
    # Completed on Mon Oct 27 23:24:03 2014
    # Generated by iptables-save v1.4.12 on Mon Oct 27 23:24:03 2014
    *nat
    :PREROUTING ACCEPT [40:2416]
    :POSTROUTING ACCEPT [64:3751]
    :OUTPUT ACCEPT [64:3751]
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
    COMMIT
    # Completed on Mon Oct 27 23:24:03 2014
    # Generated by iptables-save v1.4.12 on Mon Oct 27 23:24:03 2014
    *mangle
    :PREROUTING ACCEPT [22821:7234698]
    :INPUT ACCEPT [22821:7234698]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [32696:42835416]
    :POSTROUTING ACCEPT [32696:42835416]
    COMMIT
    # Completed on Mon Oct 27 23:24:03 2014
    # Generated by iptables-save v1.4.12 on Mon Oct 27 23:24:03 2014
    *filter
    :INPUT ACCEPT [22821:7234698]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [32696:42835416]
    COMMIT
    # Completed on Mon Oct 27 23:24:03 2014

So that should be fine. What am I missing? Thanks!

You should be fine – I guess you are testing the redirect from the machine that runs Varnish.

On a server running Apache, I can redirect calls to 8080 to port 80 (the reverse of what you are trying).

On server 10.3.1.10:

To test that my Apache is listening on port 80, I use netcat to fetch a page:

    root@hp:/etc/apt# nc 10.3.1.10 80
    get
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>501 Not Implemented</title>
    </head><body>
    <h1>Not Implemented</h1>
    <p>get to /index.html not supported.<br />
    </p>
    <hr>
    <address>Apache/2.4.7 (Ubuntu) Server at 127.0.1.1 Port 80</address>
    </body></html>
    root@hp:/etc/apt#

That works – now add my redirect:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to-ports 80

This says: in on eth0, protocol tcp, destination port 8080, redirect to 80.

And test with netcat on port 8080:

    root@hp:/etc/apt# nc 10.3.1.10 8080
    root@hp:/etc/apt#

No output – no connection, but nothing is wrong; iptables shows no traffic hitting my redirect (the pkts and bytes columns of the rule):

    root@hp:/etc/apt# iptables -L -t nat -n -v
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 redir ports 80

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

So what is going on? My rule is in place, but nothing happened.

Now I go to another machine (10.3.1.5) and run the same netcat command:

    root@firewall:~# nc 10.3.1.10 8080
    get
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>501 Not Implemented</title>
    </head><body>
    <h1>Not Implemented</h1>
    <p>get to /index.html not supported.<br />
    </p>
    <hr>
    <address>Apache/2.4.7 (Ubuntu) Server at 127.0.1.1 Port 80</address>
    </body></html>

That seems to work – checking my traffic on .10 with iptables:

    root@hp:/etc/apt# iptables -L -t nat -n -v
    Chain PREROUTING (policy ACCEPT 4 packets, 898 bytes)
     pkts bytes target     prot opt in     out     source               destination
        2   120 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 redir ports 80

    Chain INPUT (policy ACCEPT 6 packets, 1018 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

I see 2 packets, 120 bytes (I ran netcat twice).

The redirect cannot redirect from the machine itself, because you are not coming in on eth0.
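The check below is an added example, not part of the answer above. It applies the answer's point: a nat PREROUTING REDIRECT only sees packets arriving on an interface, so a request made on the host itself never hits it. It scans iptables-save output for PREROUTING REDIRECT rules that have no matching nat OUTPUT rule (the usual companion rule for locally generated traffic, which goes beyond what the answer states) and runs on a constructed sample modelled on the question's nat table.

```shell
#!/bin/sh
# Constructed sample in iptables-save format, modelled on the nat table in the question.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [40:2416]
:POSTROUTING ACCEPT [64:3751]
:OUTPUT ACCEPT [64:3751]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

# Same table plus the companion OUTPUT rule, so requests made on the host itself
# (which never traverse PREROUTING) are redirected as well. Constructed sample.
SAMPLE_NAT_FIXED='*nat
:PREROUTING ACCEPT [40:2416]
:POSTROUTING ACCEPT [64:3751]
:OUTPUT ACCEPT [64:3751]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

# check_redirects: read iptables-save text on stdin. For every REDIRECT rule in
# the nat PREROUTING chain, look for a nat OUTPUT REDIRECT rule with the same
# --dport and --to-ports. Prints each unmatched rule; exit 1 if any, else 0.
check_redirects() {
    awk '
    function key(    i, d, t) {           # "<dport>:<to-ports>" of the current rule
        for (i = 1; i <= NF; i++) {
            if ($i == "--dport")    d = $(i + 1)
            if ($i == "--to-ports") t = $(i + 1)
        }
        return d ":" t
    }
    /^\*/ { table = substr($0, 2); next }  # "*nat", "*filter", ... start a table
    table == "nat" && /^-A PREROUTING / && / -j REDIRECT / { pre[key()] = $0 }
    table == "nat" && /^-A OUTPUT /     && / -j REDIRECT / { out[key()] = 1 }
    END {
        missing = 0
        for (k in pre) if (!(k in out)) {
            print "PREROUTING REDIRECT has no OUTPUT counterpart; requests from this host bypass it: " pre[k]
            missing = 1
        }
        exit missing
    }'
}

# Demo on the constructed sample (on a real box: iptables-save | check_redirects).
printf '%s\n' "$SAMPLE_NAT" | check_redirects || echo "-> test from another host, or add a nat OUTPUT rule"
```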