如何通过iptables将http请求从A服务器转发到B服务器

3.1、首先，确保A服务器上启用了IP转发功能。可以通过运行以下命令来检查：
3.2、在A服务器上设置iptables规则来将HTTP请求转发到B服务器。可以使用以下命令：
3.3、确保A服务器上的防火墙允许通过转发的流量。可以使用以下命令来允许转发的流量：
3.4、根据前三小节描述，以及docker-compose.yml中的ip分配，和http服务中的端口号，需要执行的命令：

4、验证效果

4.1、在服务器B(work2容器)运行http服务。
4.2、在终端(work0)请求服务器A
4.3、在终端(work0)查看相应数据
4.4、查看服务器A的tcpdump

5 版本信息

1、准备服务器、终端

使用docker的容器来模拟所需的服务器、终端。dockerfile如下：

FROM centos:centos7 as iptables-test
RUN yum install -y iptables-services && yum install -y tcpdump

docker-compose.yml如下：

version: \”2.7\”
services:
work0:
build: .
hostname: work0
container_name: work0
privileged: true
tty: true
networks:
default:
ipv4_address: 172.24.25.15
work1:
build: .
hostname: work1
container_name: work1
privileged: true
tty: true
networks:
default:
ipv4_address: 172.24.25.16
work2:
build: .
hostname: work2
container_name: work2
privileged: true
tty: true
networks:
default:
ipv4_address: 172.24.25.17
networks:
default:
external:
name: network-public

网络的设置参考如下（也可以按照自己已有的网络设置）：

docker network create –driver bridge –subnet 172.24.25.0/24 –gateway 172.24.25.1 network-public

针对docker-compose.yml中三个容器的解释：

work0充当终端
work1充当服务器A
work2充当服务器B

2、准备一个http服务

package main
import (
\”fmt\”
\”net/http\”
\”os\”
\”os/signal\”
\”time\”
)
func main() {
mux := http.NewServeMux()
mux.HandleFunc(\”/hello\”, HelloWorld)
server := &http.Server{
Addr: \”:22345\”,
WriteTimeout: time.Second * 10,
Handler: mux,
}
err := server.ListenAndServe()
if err != nil {
if err == http.ErrServerClosed {
fmt.Println(\”Server closed under request\”)
} else {
fmt.Println(\”Server closed unexpected\”, err)
}
}
// 平滑退出
quit := make(chan os.Signal, 1)
signal.Notify(quit, os.Interrupt)
go func() {
<-quit // 接收到退出信号
if err = server.Close(); err != nil {
fmt.Println(\”close service:\”, err)
}
}()
}
func HelloWorld(w http.ResponseWriter, r *http.Request) {
t := time.Now().Format(\”2006-01-02 15:04:05\”)
s := fmt.Sprintf(\”当前时间: %s\\n\”, t)
w.Write([]byte(s))
}

编译后上传到服务器B，即work2容器的 /tmp 目录。假设编译后的包名为： http-service 。

3、设置服务器的iptables

3.1、首先，确保A服务器上启用了IP转发功能。可以通过运行以下命令来检查：

sysctl net.ipv4.ip_forward

如果返回值为1，则表示IP转发已启用。如果返回值为0，则需要将其启用。可以通过编辑 /etc/sysctl.conf 文件并将 net.ipv4.ip_forward 设置为1来永久启用IP转发。

3.2、在A服务器上设置iptables规则来将HTTP请求转发到B服务器。可以使用以下命令：

iptables -t nat -A PREROUTING -p tcp –dport 80 -j DNAT –to-destination <B服务器的IP地址>:80
iptables -t nat -A POSTROUTING -p tcp -d <B服务器的IP地址> –dport 80 -j SNAT –to-source <A服务器的IP地址>

这些规则将在 nat 表中添加两条规则。第一条规则将目标端口为80的TCP流量重定向到B服务器的IP地址和端口80。第二条规则将响应流量的源IP地址更改为A服务器的IP地址。

3.3、确保A服务器上的防火墙允许通过转发的流量。可以使用以下命令来允许转发的流量：

iptables -A FORWARD -p tcp -d <B服务器的IP地址> –dport 80 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s <B服务器的IP地址> –sport 80 -m state –state ESTABLISHED,RELATED -j ACCEPT

3.4、根据前三小节描述，以及docker-compose.yml中的ip分配，和http服务中的端口号，需要执行的命令：

iptables -t nat -A PREROUTING -p tcp –dport 22345 -j DNAT –to-destination 172.24.25.17:22345
iptables -t nat -A POSTROUTING -p tcp -d 172.24.25.17 –dport 22345 -j SNAT –to-source 172.24.25.16
iptables -A FORWARD -p tcp -d 172.24.25.17 –dport 22345 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s 172.24.25.17 –sport 22345 -m state –state ESTABLISHED,RELATED -j ACCEPT

4、验证效果

4.1、在服务器B(work2容器)运行http服务。

cd /tmp && ./http-service

4.2、在终端(work0)请求服务器A

curl 172.24.25.16:22345/hello

4.3、在终端(work0)查看相应数据

[root@work0 tmp]# curl 172.24.25.16:22345/hello
当前时间: 2023-08-17 06:43:03

4.4、查看服务器A的tcpdump

[root@work1 tmp]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:43:03.154012 IP work0.network-public.48936 > work1.22345: Flags [S], seq 2220603025, win 64240, options [mss 1460,sackOK,TS val 3194673893 ecr 0,nop,wscale 7], length 0
06:43:03.154157 IP work1.48936 > work2.network-public.22345: Flags [S], seq 2220603025, win 64240, options [mss 1460,sackOK,TS val 3194673893 ecr 0,nop,wscale 7], length 0
06:43:03.154185 IP work1.48936 > work2.network-public.22345: Flags [S], seq 2220603025, win 64240, options [mss 1460,sackOK,TS val 3194673893 ecr 0,nop,wscale 7], length 0
06:43:03.154305 IP work2.network-public.22345 > work1.48936: Flags [S.], seq 578213404, ack 2220603026, win 65160, options [mss 1460,sackOK,TS val 2378678745 ecr 3194673893,nop,wscale 7], length 0
06:43:03.154326 IP work1.22345 > work0.network-public.48936: Flags [S.], seq 578213404, ack 2220603026, win 65160, options [mss 1460,sackOK,TS val 2378678745 ecr 3194673893,nop,wscale 7], length 0
06:43:03.154339 IP work0.network-public.48936 > work1.22345: Flags [.], ack 1, win 502, options [nop,nop,TS val 3194673894 ecr 2378678745], length 0
06:43:03.154341 IP work1.48936 > work2.network-public.22345: Flags [.], ack 1, win 502, options [nop,nop,TS val 3194673894 ecr 2378678745], length 0
06:43:03.154516 IP work0.network-public.48936 > work1.22345: Flags [P.], seq 1:88, ack 1, win 502, options [nop,nop,TS val 3194673894 ecr 2378678745], length 87
06:43:03.154521 IP work1.48936 > work2.network-public.22345: Flags [P.], seq 1:88, ack 1, win 502, options [nop,nop,TS val 3194673894 ecr 2378678745], length 87
06:43:03.154529 IP work2.network-public.22345 > work1.48936: Flags [.], ack 88, win 509, options [nop,nop,TS val 2378678745 ecr 3194673894], length 0
06:43:03.154531 IP work1.22345 > work0.network-public.48936: Flags [.], ack 88, win 509, options [nop,nop,TS val 2378678745 ecr 3194673894], length 0
06:43:03.154943 IP work2.network-public.22345 > work1.48936: Flags [P.], seq 1:152, ack 88, win 509, options [nop,nop,TS val 2378678745 ecr 3194673894], length 151
06:43:03.154950 IP work1.22345 > work0.network-public.48936: Flags [P.], seq 1:152, ack 88, win 509, options [nop,nop,TS val 2378678745 ecr 3194673894], length 151
06:43:03.154997 IP work0.network-public.48936 > work1.22345: Flags [.], ack 152, win 501, options [nop,nop,TS val 3194673894 ecr 2378678745], length 0
06:43:03.155002 IP work1.48936 > work2.network-public.22345: Flags [.], ack 152, win 501, options [nop,nop,TS val 3194673894 ecr 2378678745], length 0
06:43:03.155159 IP work0.network-public.48936 > work1.22345: Flags [F.], seq 88, ack 152, win 501, options [nop,nop,TS val 3194673894 ecr 2378678745], length 0
06:43:03.155166 IP work1.48936 > work2.network-public.22345: Flags [F.], seq 88, ack 152, win 501, options [nop,nop,TS val 3194673894 ecr 2378678745], length 0
06:43:03.155247 IP work2.network-public.22345 > work1.48936: Flags [F.], seq 152, ack 89, win 509, options [nop,nop,TS val 2378678745 ecr 3194673894], length 0
06:43:03.155255 IP work1.22345 > work0.network-public.48936: Flags [F.], seq 152, ack 89, win 509, options [nop,nop,TS val 2378678745 ecr 3194673894], length 0
06:43:03.155350 IP work0.network-public.48936 > work1.22345: Flags [.], ack 153, win 501, options [nop,nop,TS val 3194673895 ecr 2378678745], length 0
06:43:03.155354 IP work1.48936 > work2.network-public.22345: Flags [.], ack 153, win 501, options [nop,nop,TS val 3194673895 ecr 2378678745], length 0

5 版本信息

[root@work1 tmp]# iptables –version
iptables v1.4.21
[root@work1 tmp]# cat /etc/*release
CentOS Linux release 7.9.2009 (Core)
NAME=\”CentOS Linux\”
VERSION=\”7 (Core)\”
ID=\”centos\”
ID_LIKE=\”rhel fedora\”
VERSION_ID=\”7\”
PRETTY_NAME=\”CentOS Linux 7 (Core)\”
ANSI_COLOR=\”0;31\”
CPE_NAME=\”cpe:/o:centos:centos:7\”
HOME_URL=\”https://www.centos.org/\”
BUG_REPORT_URL=\”https://bugs.centos.org/\”
CENTOS_MANTISBT_PROJECT=\”CentOS-7\”
CENTOS_MANTISBT_PROJECT_VERSION=\”7\”
REDHAT_SUPPORT_PRODUCT=\”centos\”
REDHAT_SUPPORT_PRODUCT_VERSION=\”7\”
CentOS Linux release 7.9.2009 (Core)
CentOS Linux release 7.9.2009 (Core)