利用 iptables 做端口转发,实现代理中转 

最近得了一台TW 的NAT机器,考虑到是TW的原生IP,打算好好利用一番。可是直连过去丢包情况严重,考虑到我手里有一台HK的机器,到我,到TW的线路都还不错。

所以决定使用这台机器来做中转功能。这里就需要用到端口转发。

端口转发有很多解决方案,支持反代的软件有很多,比如nginx,apache,haproxy,socat 等.

这些都是应用层面的,而且得安装对应的软件包,配置,监听端口,运行才行。但是如果想到操作系统内核底层操作的话,就不得不说iptables 了。

首先修改kernel 内核参数,开启端口转发功能。

[root@hk_uc ~]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.unknown_nmi_panic = 0
kernel.sysrq = 1
fs.file-max = 1000000
vm.swappiness = 10
fs.inotify.max_user_watches = 10000000
net.core.wmem_max = 327679
net.core.rmem_max = 327679
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
fs.inotify.max_queued_events = 327679
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.neigh.default.gc_thresh1 = 2048
net.ipv4.neigh.default.gc_thresh2 = 4096
net.ipv4.neigh.default.gc_thresh3 = 8192
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.ip_forward = 1 //开启端口转发 1=>开启 0=>关闭

编辑保存后,重载配置,使之生效。

[root@hk_uc ~]# sysctl -p
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.unknown_nmi_panic = 0
kernel.sysrq = 1
fs.file-max = 1000000
vm.swappiness = 10
fs.inotify.max_user_watches = 10000000
net.core.wmem_max = 327679
net.core.rmem_max = 327679
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
fs.inotify.max_queued_events = 327679
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.neigh.default.gc_thresh1 = 2048
net.ipv4.neigh.default.gc_thresh2 = 4096
net.ipv4.neigh.default.gc_thresh3 = 8192
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.ip_forward = 1


接下来就是操作iptables,加入相关的转发规则链。现在比较主流的方式通过 前置路由链、和后置路由链 的方式去实现转发。

我现在要把HK机器9800 端口上进来的TCP请求,统统转发到TW机器(210.203.57.103)的19600 端口上去。
加入前置路由规则:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 9800 -j DNAT --to-destination 210.203.57.103:19600

加入后置路由规则:

iptables -t nat -A POSTROUTING -d 210.203.57.103 -p tcp -m tcp --dport 19600 -j SNAT --to-source 10.8.32.28

10.8.32.28 是我的网卡eth0 IP.

[root@hk_uc ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1454
inet 10.8.32.28 netmask 255.255.0.0 broadcast 10.8.255.255
ether 52:54:00:1a:5d:55 txqueuelen 1000 (Ethernet)
RX packets 83091504 bytes 30721120125 (28.6 GiB)
RX errors 0 dropped 891 overruns 0 frame 0
TX packets 98367783 bytes 33007019179 (30.7 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 14612734 bytes 19897570061 (18.5 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 14612734 bytes 19897570061 (18.5 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

到这步,iptables 端口转发就已经配置好了。保存下iptables 配置。

[root@hk_uc ~]# iptables-save
# Generated by iptables-save v1.4.21 on Fri Jan 3 11:52:32 2020
*nat
:PREROUTING ACCEPT [7618:365173]
:INPUT ACCEPT [7618:365173]
:OUTPUT ACCEPT [1727:118684]
:POSTROUTING ACCEPT [1727:118684]
-A PREROUTING -p tcp -m tcp --dport 9800 -j DNAT --to-destination 210.203.57.103:19600
-A PREROUTING -p tcp -m tcp --dport 9900 -j DNAT --to-destination 140.238.11.39:9600
-A POSTROUTING -d 210.203.57.103/32 -p tcp -m tcp --dport 19600 -j SNAT --to-source 10.8.32.28
-A POSTROUTING -d 140.238.11.39/32 -p tcp -m tcp --dport 9600 -j SNAT --to-source 10.8.32.28
COMMIT
# Completed on Fri Jan 3 11:52:32 2020
# Generated by iptables-save v1.4.21 on Fri Jan 3 11:52:32 2020
*filter
:INPUT ACCEPT [433680:111523114]
:FORWARD ACCEPT [360898:155486678]
:OUTPUT ACCEPT [476261:116542832]
COMMIT
# Completed on Fri Jan 3 11:52:32 2020

至此,所有操作完成。可以看到HK 机器的9800端口已经可以ping 通了。我本地到TW机器的延迟约等于 本地到HK + HK 到 TW 的延迟总和。牺牲一点延迟,换来线路的稳定,也是值得的。

本文在实践撰写的过程参考一下文章:
http://xstarcd.github.io/wiki/Linux/ipt ... share.html
https://coolnull.com/3322.html
https://doubibackup.com/3we1qxzj-3.html

评论