TCP port forward

SoftEther stopped working for me these past few days, so I read up on how proxy servers work. When I set up the network perimeter earlier, the guiding rule was: never map a business port straight onto the public internet (whether it is the front end of a business server, middleware, or a database). Up to now I used nginx as a reverse proxy for http/https requests, and I had also considered letting a few basic servers do tcp/udp forwarding. So I built this nginx TCP port proxy myself; there was no suitable scenario for UDP at the time, so I skipped it.

I.

Approach (this can later be combined with perimeter security and a staging/transfer zone in the middle for secure port forwarding):

Put one nginx box (a stateless service) in front of a few basic servers, e.g. jumpserver, and let it do TCP port forwarding on behalf of the shared servers. The obvious case here is RDP on port 3389.

S1. Install nginx on CentOS 7

yum install -y nginx

[root@localhost nginx]# nginx -v
nginx version: nginx/1.20.1
[root@localhost nginx]# which nginx
/usr/sbin/nginx
[root@localhost nginx]# whereis nginx
nginx: /usr/sbin/nginx /usr/lib64/nginx /etc/nginx /usr/share/nginx /usr/share/man/man3/nginx.3pm.gz /usr/share/man/man8/nginx.8.gz
[root@localhost nginx]#

Then start nginx:

systemctl start nginx
systemctl status nginx

Open the server's address in a browser; if the nginx default page renders, the http side is working.

Verify:

cd /usr/share/nginx/html
cp index.html index.html0
vim index.html

Change the title and content (welcome to centos → welcom 2 Linux), then nginx -s reload, refresh the browser, and the change is live:

(screenshot, captured 9/11/2023 3:48 PM)

S2. Change the config: a stream block using nginx's upstream module

cd /etc/nginx
cp nginx.conf nginx.conf0
vim nginx.conf

#---- add the following (a stream block sits at the top level of nginx.conf, beside http, never inside it): -----

stream {
    upstream socketserver1 {
        hash $remote_addr consistent;   # same client address always lands on the same backend
        server 10.6.200.225:3389 weight=5 max_fails=3 fail_timeout=30s;
#        server 10.6.100.12:3389 weight=5 max_fails=3 fail_timeout=30s;
    }

    upstream socketserver2 {
        hash $remote_addr consistent;
        server 10.6.16.165:6387 weight=5 max_fails=3 fail_timeout=30s;
#       server 192.168.1.4:3306 weight=5 max_fails=3 fail_timeout=30s;
    }

    server {
        listen 3390;
        proxy_connect_timeout 1s;   # time allowed to open the connection to the backend
        proxy_timeout 3s;           # inactivity timeout between two successive reads/writes, not a session limit;
                                    # 3s can cut an idle RDP session, use something like 10m in production
        proxy_pass socketserver1;
    }

    server {
        listen 6388;
        proxy_connect_timeout 1s;
        proxy_timeout 3s;
        proxy_pass socketserver2;
    }
}

#----- end of added content -------

# this proxies ports 3390 and 6388 on the CentOS 7 nginx box to the corresponding ports on the backend hosts

Then, on reloading the config, this error appeared:

[root@localhost nginx]# nginx -s reload

nginx: [emerg] dlopen() "/usr/lib64/nginx/modules/ngx_stream_module.so" failed (/usr/lib64/nginx/modules/ngx_stream_module.so: cannot open shared object file: No such file or directory) in /etc/nginx/nginx.conf:12

Fix:

yum install nginx -y does not install all the modules, so the stream module has to be installed separately. It comes from the same EPEL repository as the nginx package, so epel-release has to be present first:

yum -y install epel-release
yum -y install nginx-all-modules.noarch

(nginx-mod-stream is the one package actually needed here; nginx-all-modules pulls in every optional module.)

After installation the stream module is picked up automatically: the package drops a mod-stream.conf into /usr/share/nginx/modules/, which the stock nginx.conf includes. If it is not picked up, add this line at the very top of nginx.conf, outside the http and stream blocks:

load_module /usr/lib64/nginx/modules/ngx_stream_module.so;

Either way, run nginx -t before nginx -s reload: a reload with a broken config keeps the old configuration running, so the failure is easy to miss if you only look at systemctl status.

PS: nginx -s <SIGNAL>

where <SIGNAL> can be one of the following:

  • quit – Shut down gracefully (the SIGQUIT signal)
  • reload – Reload the configuration file (the SIGHUP signal)
  • reopen – Reopen log files (the SIGUSR1 signal)
  • stop – Shut down immediately (or fast shutdown, the SIGTERM signal)

From <Controlling NGINX Processes at Runtime | NGINX Documentation>

S3. Verify:

Remote desktop with mstsc to 10.6.100.16:3390

What you actually log into is 10.0.200.225:3389, the backend from the upstream block, as the two figures below show.

At this point the TCP proxy is done. It really can be an improvement to the security perimeter of many enterprises, and the applicable scenarios are broad: the backend port is never exposed, the nginx box is stateless, and the stream block is the one place where the permitted listeners live. Maybe look at doing UDP port forwarding next.
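As an added example (not from the original post), here is the S1-S3 procedure above as one script: it renders the stream forwards from a list of listen-port/backend pairs, checks that the stream module is present (the dlopen error from S2), refuses to reload on a config that fails nginx -t, opens the ports in firewalld and lists the listeners. The /etc/nginx/stream.d include, the firewalld dependency and the 10.0.0.0/8 allow range are assumptions; the stock nginx.conf has no stream include, so `stream { include /etc/nginx/stream.d/*.conf; }` has to be added at top level once. The backend addresses are taken from the post and should be treated as sample values.

```shell
#!/bin/sh
# Added example, not from the original post: automate S1-S3 for a list of TCP forwards.
# Assumptions (not on the page): nginx.conf carries, at top level,
#     stream { include /etc/nginx/stream.d/*.conf; }
# the host runs firewalld, and 10.0.0.0/8 is the only range allowed to reach the listeners.
set -u

# "listen_port backend_host:backend_port", one forward per line (addresses from the post, sample values)
FORWARDS='
3390 10.6.200.225:3389
6388 10.6.16.165:6387
'

# Render one upstream + server pair.  $1 = listen port, $2 = backend host:port, $3 = CIDR allowed in
render_forward() {
  lport=$1; backend=$2; allow_cidr=$3
  cat <<EOF
upstream fwd_${lport} {
    hash \$remote_addr consistent;      # same client -> same backend; RDP sessions are stateful
    server ${backend} max_fails=3 fail_timeout=30s;
}
server {
    listen ${lport};
    allow ${allow_cidr};                # stream access module: only this range may connect
    deny all;
    proxy_connect_timeout 1s;
    proxy_timeout 10m;                  # inactivity timeout; 3s as in the post drops idle RDP sessions
    proxy_pass fwd_${lport};
}
EOF
}

# Render every forward listed in FORWARDS.  $1 = CIDR allowed in
render_all() {
  printf '%s\n' "$FORWARDS" | while read -r lport backend; do
    if [ -n "$lport" ]; then render_forward "$lport" "$backend" "$1"; fi
  done
}

# The dlopen error in S2 means this module is missing: present when built in or installed from EPEL
stream_module_present() {
  [ -f /usr/lib64/nginx/modules/ngx_stream_module.so ] || nginx -V 2>&1 | grep -q -- '--with-stream'
}

# Write the config, test it, reload, open the ports, and show the listeners
apply() {
  allow_cidr=${1:-10.0.0.0/8}
  stream_module_present || yum -y install nginx-mod-stream
  mkdir -p /etc/nginx/stream.d
  render_all "$allow_cidr" > /etc/nginx/stream.d/forwards.conf
  nginx -t || return 1                  # never reload on a broken config
  nginx -s reload
  for p in $(printf '%s\n' "$FORWARDS" | awk 'NF { print $1 }'); do
    firewall-cmd --permanent --add-port="${p}/tcp" >/dev/null
  done
  firewall-cmd --reload >/dev/null
  ss -lnt | awk 'NR > 1 { print $4 }'   # every listen port above should show up here
}

if [ "${1:-}" = apply ]; then apply "${2:-}"; fi
```

Run it as `sh forwards.sh apply 10.6.100.0/24` on the nginx box; without the `apply` argument it only defines the functions, so `render_all 10.0.0.0/8` can be used to inspect the generated config first. The allow/deny pair in each server block is what turns a plain port forward into a perimeter control: the listener exists, but only the bastion or office range can use it.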

PS: after finishing the experiment I found this article from the NGINX open source community to be very detailed (a few of its figures are reproduced below in case the link dies):

Open-source web server provider - NGINX open source community

How to implement a UDP layer-4 reverse proxy with NGINX?

II.

ACL

Add to a server block in the http module (the directive names are lowercase; the same allow/deny directives also work inside a stream server block, so the TCP forwards above can be restricted to the bastion or office range the same way):

allow 127.0.0.1;
deny all;

Effect as in the two figures below:

Here, access to the location is allowed only from the localhost address (127.0.0.1). Access from all other IP addresses is denied.

One caveat: allow/deny match the source address of the TCP connection as nginx sees it. If nginx sits behind another proxy or load balancer, every client shows up with that device's address, and the list then has to be applied through the real IP module (http) or the PROXY protocol (stream) instead.

(screenshot, captured 9/12/2023 10:29 AM)

[root@localhost nginx]# curl 127.0.0.1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <title>Welcome to 7centos</title>
  [... stock CentOS 7 nginx index page stylesheet, unchanged ...]
</head>
<body>
<div id="header">
  [... CentOS link bar and logo, unchanged ...]
</div>
<div id="content">
        <h1>Welcome 2 Linux</h1>
        <h2>The Community ENTerprise Operating System</h2>
        [... CentOS description paragraphs, unchanged ...]
</div>
</body>
</html>

But localhost gets denied too, even though cat /etc/hosts has an entry for it. This is not a bug: on CentOS 7 /etc/hosts maps localhost to both 127.0.0.1 and ::1, curl connects over the IPv6 address first, and the stock nginx.conf listens on [::]:80 as well as on 80, so the request reaches nginx from ::1, which is not in the allow list and falls through to deny all. Compare curl -4 localhost (200) with curl -6 localhost (403), or look at the remote address column in /var/log/nginx/access.log. The fix is to add allow ::1; next to allow 127.0.0.1; so that both loopback addresses are permitted.

[root@localhost nginx]# curl localhost
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.20.1</center>
</body>
</html>
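As an added example (not from the post): a check for exactly this trap, plus the live probe. acl_missing_v6_loopback inspects a config file for an IPv6 listener whose allow list covers 127.0.0.1 but not ::1; probe_loopback shows what localhost resolves to and what each address family gets back from the running server. The config and log paths are assumptions matching the EPEL defaults.

```shell
#!/bin/sh
# Added example, not from the original post: detect the "curl localhost -> 403" trap.
# Assumption: the stock EPEL nginx.conf, which listens on both 80 and [::]:80 and logs
# to /var/log/nginx/access.log.

# Does an nginx config listen on IPv6 while its allow list only covers 127.0.0.1?
# Returns 0 (gap present) or 1 (no gap).  $1 = config file
acl_missing_v6_loopback() {
  conf=$1
  grep -Eq 'listen[[:space:]]+\[::\]' "$conf"                    || return 1  # no v6 listener: no gap
  grep -Eq '^[[:space:]]*allow[[:space:]]+127\.0\.0\.1;' "$conf" || return 1  # no loopback allow at all
  grep -Eq '^[[:space:]]*allow[[:space:]]+::1;' "$conf"          && return 1  # ::1 already allowed
  return 0   # connections from ::1 (what `curl localhost` tries first) fall through to `deny all`
}

# Live probe: which addresses `localhost` resolves to, and what each family gets back
probe_loopback() {
  getent ahosts localhost | awk '{ print $1 }' | sort -u         # ::1 and 127.0.0.1 on CentOS 7
  for fam in 4 6; do
    printf 'IPv%s: ' "$fam"
    curl -"$fam" -s -o /dev/null -w '%{http_code}\n' http://localhost/
  done
  tail -n 2 /var/log/nginx/access.log   # first column is the remote address nginx matched against
}

if [ "${1:-}" = probe ]; then probe_loopback; fi
```

`acl_missing_v6_loopback /etc/nginx/nginx.conf` flags the config from this section; `sh check.sh probe` on the box prints the two status codes side by side and the two access-log lines, which is the quickest way to see ::1 versus 127.0.0.1 without guessing.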

III.

A UDP example

# an example of tcp and udp load-balancing configuration

stream {
    upstream stream_backend {
        least_conn;
        #server backend1.example.com:12345 weight=5;
        #server backend2.example.com:12345 max_fails=2 fail_timeout=30s;
        #server backend3.example.com:12345 max_conns=3;
        server 10.6.100.20:3389 weight=5;
        server 10.0.200.225:3389 max_fails=2 fail_timeout=30s;
        server 10.0.200.227:3389 max_conns=3;
    }

    upstream dns_servers {
        least_conn;
        server 10.6.100.10:53;
        server 10.6.100.11:53;
        server 10.0.100.110:53;
        server 218.85.157.99:53;
        server 58.22.96.66:53;
        #hlt-pdc.ihlt.com 100.10
        #hlt-bdc.ihlt.com 100.11
        #jxhlt-dc01.ihlt.com 100.110
        #jxhlt-dc02.ihlt.com 100.111
        #jxhlt-dc03.ihlt.com 100.112
    }

    server {
        listen        12345;
        proxy_pass    stream_backend;
        proxy_timeout 3s;
        proxy_connect_timeout 1s;
    }

    server {
        listen     53 udp;   # the default is tcp; the udp parameter is what makes this a UDP listener
        proxy_pass dns_servers;
        # proxy_responses 1;  would release each UDP session after the single DNS reply instead of
        #                     holding it until proxy_timeout expires (10m by default)
    }

    server {
        listen     12346;
        proxy_pass 10.0.200.220:80;
        #proxy_pass  cloud.ihlt.com:80;
        #cloud.ihlt.com 200.220 vip,real ip 200.206&200.207
        #proxy_pass backend4.example.com:12346;
    }
    #The virtual server listens on port 12346 and proxies TCP connections to backend4.example.com,
    #which can resolve to several IP addresses that are load balanced with the Round Robin method.
}

1.

a. With the config above installed and 10.6.100.16:12345 listening, an mstsc connection oddly always ends up on the 10.0.200.225 backend. The reason:

stream_backend uses least_conn, which sends each new session to the backend with the fewest active connections at that moment (ties are broken by weighted round robin). Requests take different amounts of time to process, so the choice is dynamic. Note what it does not do: it does not measure latency, and one RDP test from a single client is one long-lived connection, so it cannot show any distribution on its own.

A ping test between the two LAN hosts, below, shows 200.225 answering faster, but least_conn does not take that into account. Before reading anything into the result, check whether the other backends are reachable at all from the nginx box: a failed connect counts towards max_fails and the server is then skipped for fail_timeout. Look for "connect() failed" or "upstream timed out" in the nginx error log, or log $upstream_addr in a stream access_log.

b. Change:

Distribute by weight instead (default value 1), and proxy to a different port on each backend.

    upstream stream_backend {
        #least_conn;
        #server backend1.example.com:12345 weight=5;
        #server backend2.example.com:12345 max_fails=2 fail_timeout=30s;
        #server backend3.example.com:12345 max_conns=3;
        server 10.6.100.20:3389 weight=2;
        server 10.0.200.227:3389 ;
        server 10.6.100.25:6389 max_conns=2;
    }

// Remote desktop through this will probably make Windows flag the connection as untrusted (each RDP host presents its own certificate, and the client now lands on a different host from one connection to the next), so this is not recommended; it does show that the backends can be different ip:port pairs. If RDP has to be balanced, keep sessions sticky with hash $remote_addr consistent as in section I.

2.

UDP cannot be tested with telnet, so I compared DNS resolution results instead (dig @10.6.100.16 or nslookup - 10.6.100.16 against the proxy); the two figures below show that listen 53 udp works and that queries are answered by the backends in round-robin order (with every backend idle, least_conn degrades to weighted round robin).

(PS: the LAN AD DS (DNS) servers are as above; 58.22.96.66 is Fujian Unicom DNS and 218.85.157.99 is Fujian Telecom DNS.)

Two things to watch with this listener: port 53 has to be free on the nginx box (a local resolver such as dnsmasq will collide with it), and the proxy answers DNS for anyone who can reach it, so if the box has a public interface it becomes an open resolver usable for amplification; restrict it with allow/deny in the stream server block as in section II.

3. Effect of proxy_pass 10.0.200.220:80: (telnet and accessing the TCP service)
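As an added example (not from the post), serving both the least_conn puzzle in 1.a and the round-robin check in 2: instead of inferring which backend served a session from screenshots, log it. The log_format in the comment is an assumption to add inside the stream block; the lines in SAMPLE_LOG are constructed in that format. upstream_distribution counts sessions per backend, failed_sessions lists the ones nginx could not hand off, and clients_split_across_upstreams finds RDP clients that were bounced between hosts.

```shell
#!/bin/sh
# Added example, not from the original post: see which backend every proxied session really
# reached by logging it.  Assumes this is added inside the stream block (an assumption):
#     log_format l4 '$remote_addr $protocol $upstream_addr $status $bytes_sent $bytes_received $session_time';
#     access_log /var/log/nginx/stream.log l4;
# SAMPLE_LOG holds constructed lines in that format; on a live box pass "$(cat /var/log/nginx/stream.log)".

SAMPLE_LOG='10.6.100.50 TCP 10.6.100.20:3389 200 10240 2048 311.2
10.6.100.50 TCP 10.6.100.20:3389 200 9800 1900 12.0
10.6.100.51 TCP 10.0.200.227:3389 200 8000 1500 45.6
10.6.100.54 TCP 10.6.100.20:3389 200 500 200 3.0
10.6.100.54 TCP 10.0.200.227:3389 200 500 200 2.0
10.6.100.52 UDP 10.6.100.10:53 200 120 60 0.004
10.6.100.52 UDP 10.6.100.11:53 200 118 60 0.003
10.6.100.52 UDP 10.0.100.110:53 200 120 60 0.005
10.6.100.53 TCP 10.6.100.25:6389 502 0 0 1.001'

# Sessions per "protocol upstream" pair: the distribution least_conn / round robin actually produced.  $1 = log text
upstream_distribution() {
  printf '%s\n' "$1" | awk '{ n[$2 " " $3]++ } END { for (k in n) print k, n[k] }' | sort
}

# Sessions nginx could not hand to a backend ($status >= 500; 502 when no backend could be reached).  $1 = log text
failed_sessions() {
  printf '%s\n' "$1" | awk '$4 >= 500 { print $1, $3 }'
}

# Clients whose TCP sessions landed on more than one upstream: bad for RDP, which needs stickiness.  $1 = log text
clients_split_across_upstreams() {
  printf '%s\n' "$1" | awk '$2 == "TCP" && !seen[$1 " " $3]++ { c[$1]++ } END { for (k in c) if (c[k] > 1) print k }'
}

upstream_distribution "$SAMPLE_LOG"
failed_sessions "$SAMPLE_LOG"
clients_split_across_upstreams "$SAMPLE_LOG"
```

On the sample data the 502 line is the kind of entry that explains "always the same backend" in 1.a: a backend that cannot be connected to is skipped for fail_timeout, and the log shows it directly rather than leaving it to a ping comparison. The split-client list is empty when hash $remote_addr consistent is in place, which is the property an RDP forward should have.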
