Overseas proxy server (an iptables application)

Preparation:
1. Enable layer-3 forwarding: edit /etc/sysctl.conf and add the following line: net.ipv4.ip_forward=1
Apply it with: # sysctl -p
2. Install iptables: # yum -y install iptables-services iptables
I. Internal NAT
In this example the iptables server's external addresses are 192.168.3.54 and 192.168.3.52, its internal address is 192.168.4.1, and the internal web server is 192.168.4.54 (the external physical interface should ideally carry both 192.168.3.54 and 192.168.3.52). Edit /etc/sysconfig/iptables (vi /etc/sysconfig/iptables) to the following:
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.3.54 -j DNAT --to-destination 192.168.4.54
-A PREROUTING -d 192.168.3.52 -p tcp --dport 80 -j DNAT --to 192.168.4.54
-A POSTROUTING -s 192.168.4.54 -j SNAT --to-source 192.168.3.54
#-A PREROUTING -d 192.168.2.88 -j DNAT --to 192.168.3.53
#-A PREROUTING -d 192.168.2.52 -p tcp --dport 80 -j DNAT --to 192.168.3.53
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A FORWARD -p tcp --syn -s 192.168.4.54/32 -j TCPMSS --set-mss 1356
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
These two rules use the same target syntax (--to is simply an accepted abbreviation of --to-destination), but their scope is not the same:
-A PREROUTING -d 192.168.3.54 -j DNAT --to-destination 192.168.4.54
-A PREROUTING -d 192.168.3.52 -p tcp --dport 80 -j DNAT --to 192.168.4.54
The first forwards every protocol and port that arrives for 192.168.3.54 to the internal web server. That includes port 22, so an SSH connection to 192.168.3.54 lands on 192.168.4.54 rather than on the NAT host, and every service listening on the web server becomes reachable from outside. The second forwards only TCP port 80 arriving for 192.168.3.52; prefer that narrow form. Note also that with all three filter policies at ACCEPT and the two REJECT lines commented out, this host accepts and forwards everything that the nat table does not redirect, so the INPUT rules above are not actually restricting anything.
Start the iptables service. Before doing so, stop and disable the firewalld that CentOS 7 ships with, otherwise the two services fight over the same rule tables:
# systemctl start iptables
II. Public NAT
Edit /etc/sysconfig/iptables to the following:
*nat
:PREROUTING ACCEPT [9:496]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d <Anti-DDoS Telecom IP>/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination <origin IP>:<origin web port>
-A PREROUTING -d <Anti-DDoS Unicom IP>/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination <origin IP>:<origin web port>
# The origin is not behind this host, so its replies must be pulled back through it:
# SNAT the forwarded connections to the address the client contacted. The origin then
# sees only the Anti-DDoS IP as the client address (there is no X-Forwarded-For at this layer).
# --ctorigdst selects by the pre-DNAT destination; without it the two rules below have
# identical matches, the first always wins, and the second can never fire.
-A POSTROUTING -p tcp -m tcp --dport <origin web port> -m conntrack --ctorigdst <Anti-DDoS Telecom IP> -j SNAT --to-source <Anti-DDoS Telecom IP>
-A POSTROUTING -p tcp -m tcp --dport <origin web port> -m conntrack --ctorigdst <Anti-DDoS Unicom IP> -j SNAT --to-source <Anti-DDoS Unicom IP>
COMMIT
# Generated by iptables-save v1.4.7 on Wed Feb 22 11:49:17 2017
*filter
:INPUT DROP [79:4799]
:FORWARD ACCEPT [37:2232]
:OUTPUT ACCEPT [150:21620]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# SSH and the Zabbix agent port (10050), only from the company's own network
-A INPUT -s <company datacenter subnet>/24 -p tcp -m multiport --dports 22,10050 -j ACCEPT
# With the FORWARD policy at ACCEPT and no DROP behind it, this rate-limited ACCEPT
# changes nothing: RST packets above 1/sec fall through to the policy and are accepted anyway.
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
COMMIT
Production example:
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 61.174.253.183 -p tcp --dport 80 -j DNAT --to-destination 14.17.96.72:80
-A POSTROUTING -p tcp -m tcp --dport 80 -j SNAT --to-source 61.174.253.183
-A PREROUTING -d 61.174.253.183 -p tcp --dport 443 -j DNAT --to-destination 14.17.96.72:443
-A POSTROUTING -p tcp -m tcp --dport 443 -j SNAT --to-source 61.174.253.183
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# This rule accepts NEW TCP connections to every port of the NAT host itself. With the
# INPUT policy at ACCEPT the host already accepts everything, and even if the REJECT line
# below were uncommented this rule would still accept all ports first. Restrict it to the
# ports the host must serve, or drop it and uncomment the REJECT lines.
-A INPUT -p tcp -m state --state NEW -m tcp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp -j ACCEPT
# Same caveat as in section II: with the FORWARD policy at ACCEPT this limit rule is a no-op.
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
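The rulesets in sections I and II share a few weaknesses that are easy to miss by eye: a DNAT with no port restriction, ACCEPT rules for NEW connections with no port, a second SNAT rule whose match is identical to the first, and ACCEPT chains that contain no DROP/REJECT, which also turns the rate-limit rule into a no-op. The Python script below is an added example, not code from the original post: it parses iptables-save output and reports those patterns. The embedded ruleset is constructed from the shapes of the page's listings, with RFC 5737 documentation addresses (203.0.113.x, 198.51.100.x) standing in for the real and placeholder ones.

```python
"""Audit an iptables-save ruleset for the weaknesses visible in the NAT listings above."""
import shlex
from collections import namedtuple

Rule = namedtuple("Rule", "table chain matches target line")
TERMINATING = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT", "MASQUERADE", "REDIRECT"}

# Constructed sample: the rule shapes of the page's listings, with RFC 5737
# documentation addresses standing in for the real and placeholder ones.
SAMPLE_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -j DNAT --to-destination 198.51.100.7
-A PREROUTING -d 203.0.113.20/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 198.51.100.7:8080
-A POSTROUTING -p tcp -m tcp --dport 8080 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -p tcp -m tcp --dport 8080 -j SNAT --to-source 203.0.113.20
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
COMMIT
"""


def parse_ruleset(text):
    """Return ({(table, chain): policy}, [Rule, ...]) from iptables-save output."""
    policies, rules, table = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            tok = shlex.split(line)
            j = tok.index("-j")
            rules.append(Rule(table, tok[1], tuple(tok[2:j]), tok[j + 1], line))
    return policies, rules


def opt(matches, name):
    """Value that follows option `name` in a rule's match tokens, or None."""
    for i, t in enumerate(matches[:-1]):
        if t == name:
            return matches[i + 1]
    return None


def audit(text):
    """Return a list of (table, chain, message) findings for the ruleset."""
    policies, rules = parse_ruleset(text)
    findings = []
    # An INPUT/FORWARD chain with policy ACCEPT and no DROP/REJECT lets everything
    # through, so every ACCEPT rule in it, rate-limited or not, is a no-op.
    open_chains = {
        key for key, pol in policies.items()
        if pol == "ACCEPT" and key[0] == "filter" and key[1] in ("INPUT", "FORWARD")
        and not any(r.target in ("DROP", "REJECT") for r in rules if (r.table, r.chain) == key)
    }
    for key in sorted(open_chains):
        findings.append((*key, "policy ACCEPT with no DROP/REJECT rule: the chain filters nothing"))
    seen = {}  # (table, chain, matches) -> first rule with exactly that match
    for r in rules:
        key = (r.table, r.chain, r.matches)
        if key in seen and seen[key].target in TERMINATING:
            findings.append((r.table, r.chain, f"dead rule, shadowed by an identical earlier match: {r.line}"))
        seen.setdefault(key, r)
        if r.target == "DNAT" and opt(r.matches, "--dport") is None:
            findings.append((r.table, r.chain, f"DNAT without --dport exposes every port of the target: {r.line}"))
        state = (opt(r.matches, "--state") or opt(r.matches, "--ctstate") or "").split(",")
        if (r.chain in ("INPUT", "OUTPUT") and r.target == "ACCEPT" and "NEW" in state
                and opt(r.matches, "--dport") is None and opt(r.matches, "-s") is None):
            findings.append((r.table, r.chain, f"accepts NEW connections on any port: {r.line}"))
        if "--limit" in r.matches and r.target == "ACCEPT" and (r.table, r.chain) in open_chains:
            findings.append((r.table, r.chain, f"rate-limited ACCEPT in an open chain is a no-op: {r.line}"))
    return findings


if __name__ == "__main__":
    for table, chain, msg in audit(SAMPLE_RULESET):
        print(f"[{table}/{chain}] {msg}")
```

Feed it the real file with `audit(open("/etc/sysconfig/iptables").read())` or the output of `iptables-save`. The shadow check compares match tokens literally, so two rules that differ only in option order are reported as distinct; that is deliberate, since it keeps the check free of false positives.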
III. Reverse proxy
Write /etc/haproxy/haproxy.cfg as follows:
[root@nat haproxy]# vi haproxy.cfg
global
log 127.0.0.1 local0 info #log destination and level [err warning info debug]
maxconn 4096
# "cookie" is a proxy keyword (defaults/frontend/backend), not a global one; HAProxy
# refuses to start with it here, so it is set in the backends below instead.
daemon #run in the background
nbproc 1 #number of processes
# pidfile /home/admin/haproxy/logs/haproxy.pid

defaults
log global
mode http #default mode
option httplog #HTTP log format
option dontlognull
retries 3 #a server is considered unavailable after three failed attempts
option redispatch #if the cookie carries a serverId that the client will not refresh and that server goes down, force the request to another healthy server
maxconn 2000 #default maximum number of connections; when the server is heavily loaded, the connections that have waited longest in the queue are ended first
contimeout 5000 #connect timeout (deprecated spelling of "timeout connect")
clitimeout 30000 #client timeout (deprecated spelling of "timeout client")
srvtimeout 30000 #server timeout (deprecated spelling of "timeout server")

frontend web_in
mode http
maxconn 1000
bind :80
acl is_a hdr_beg(host) -i www.wangjinxiong.com
acl is_b hdr_beg(host) -i www.wangfeng.com
use_backend a_server if is_a
use_backend b_server if is_b

backend a_server
mode http #HTTP mode
stats uri /haproxy #stats page; there is no "stats auth", so anyone who reaches this backend can read it
balance roundrobin
cookie JSESSIONID prefix #prefix mode only has an effect with a "cookie <id>" on each server line
stats hide-version
option httpclose
server web1 192.168.6.2:80 check

backend b_server
mode http #HTTP mode
stats uri /haproxy #stats page; there is no "stats auth", so anyone who reaches this backend can read it
balance roundrobin
cookie JSESSIONID prefix #prefix mode only has an effect with a "cookie <id>" on each server line
stats hide-version
option httpclose
server web1 192.168.6.3:80 check
https://blog.51cto.com/dl528888/1902274
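The two ACLs in web_in use hdr_beg(host), a case-insensitive prefix match on the Host header. That is convenient because a browser may send Host: www.wangjinxiong.com:80, but it also means a request whose Host merely starts with the string (www.wangjinxiong.com.attacker.test) is routed to a_server, and a Host that matches neither ACL gets a 503 because no default_backend is set. The Python below is an added model of that selection logic, not HAProxy code: it parses the acl/use_backend/default_backend lines of a constructed copy of the page's frontend and routes sample Host values through it, next to an exact-match variant using hdr(host). The .attacker.test hostnames are made up for the demonstration.

```python
"""Model of how the web_in frontend above chooses a backend (added example, not HAProxy code)."""
import re

# Constructed copy of the page's frontend (prefix matching, as on the page).
PREFIX_CFG = """\
frontend web_in
mode http
maxconn 1000
bind :80
acl is_a hdr_beg(host) -i www.wangjinxiong.com
acl is_b hdr_beg(host) -i www.wangfeng.com
use_backend a_server if is_a
use_backend b_server if is_b
"""

# Same frontend with exact matching; the :80 form is listed explicitly because a
# client may send the port in the Host header and hdr(host) compares the whole value.
EXACT_CFG = """\
frontend web_in
bind :80
acl is_a hdr(host) -i www.wangjinxiong.com www.wangjinxiong.com:80
acl is_b hdr(host) -i www.wangfeng.com www.wangfeng.com:80
use_backend a_server if is_a
use_backend b_server if is_b
"""

ACL_RE = re.compile(r"^acl\s+(\S+)\s+(hdr_beg|hdr)\(host\)\s+(-i\s+)?(.+)$")


def parse_frontend(cfg):
    """Return (acls, routes, default_backend).

    acls maps an ACL name to (matcher, case_insensitive, patterns); routes is the
    ordered list of (backend, acl_name) taken from the use_backend lines.
    """
    acls, routes, default = {}, [], None
    for line in cfg.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            name, matcher, ci, patterns = m.groups()
            acls[name] = (matcher, ci is not None, patterns.split())
        elif line.startswith("use_backend "):
            _, backend, _if, acl = line.split()
            routes.append((backend, acl))
        elif line.startswith("default_backend "):
            default = line.split()[1]
    return acls, routes, default


def acl_matches(acl, host):
    """hdr_beg -> prefix match, hdr -> exact match; -i lower-cases both sides."""
    matcher, ci, patterns = acl
    h = host.lower() if ci else host
    for p in patterns:
        p = p.lower() if ci else p
        if (h.startswith(p) if matcher == "hdr_beg" else h == p):
            return True
    return False


def select_backend(cfg, host):
    """Backend for a request with this Host header; None means HAProxy answers 503."""
    acls, routes, default = parse_frontend(cfg)
    for backend, acl in routes:  # first use_backend whose ACL matches wins
        if acl_matches(acls[acl], host):
            return backend
    return default


if __name__ == "__main__":
    for host in ("www.wangjinxiong.com", "WWW.WANGFENG.COM:80",
                 "www.wangjinxiong.com.attacker.test", "unknown.attacker.test"):
        print(f"{host:38} prefix -> {select_backend(PREFIX_CFG, host)!s:9} "
              f"exact -> {select_backend(EXACT_CFG, host)}")
```

The over-match only matters when a_server and b_server host different applications, which is exactly the situation host-based routing exists for; exact matching (or a default_backend that returns an error page) keeps a crafted Host header from reaching a backend it was not meant for.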

This article is from 快速备案; when reposting, please credit the source and include the link.

Permanent link to this article: https://www.175ku.com/26566.html