Inline on ATS Linux routers

Source: Internet
Author: User
Tags: iptables, server, port

The routing setup assumes that the clients sit on a separate network behind a single physical interface of the router. For the purposes of this example, we will assume that:

Clients are located on the 172.28.56.0/24 network.
The router connects the 172.28.56.0/24 and 192.168.1.0/24 networks.
Interface eth0 is on the 192.168.1.0/24 network.
Interface eth1 is on the 172.28.56.0/24 network.
The router is already configured to route traffic correctly for the clients.

In this example, we will intercept port 80 (HTTP) traffic that traverses the router. The first step is to use iptables to handle the IP packets appropriately.

# Redirect client web traffic to TPROXY
iptables -t mangle -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY \
   --on-ip 0.0.0.0 --on-port 8080 --tproxy-mark 1/1
# Let locally directed traffic pass through.
iptables -t mangle -A PREROUTING -i eth0 --source 192.168.1.0/24 -j ACCEPT
iptables -t mangle -A PREROUTING -i eth0 --destination 192.168.1.0/24 -j ACCEPT
# Mark presumed return web traffic
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --sport 80 -j MARK --set-mark 1/1

We mark the packets so that we can apply policy routing to them. For inbound packets, we use TPROXY to accept packets that are addressed to the external IP address. For a returning outbound packet there will already be an open socket bound to the external address, so we only need to force the packet to be delivered locally. The value of --on-ip is 0 because the destination port is listening without being bound to a specific address. The value of --on-port must match the Traffic Server server port; otherwise its value is arbitrary. --dport and --sport specify the port from the perspective of the clients and the origin server. The two lines in the middle exempt local web traffic from being marked for Traffic Server; these rules can be tightened or relaxed as needed. They work by matching that traffic and leaving iptables processing through ACCEPT before the last line is checked.

Once the flows are marked, we can force them to be delivered locally through the loopback interface by means of a policy routing table.

ip rule add fwmark 1/1 table 1
ip route add local 0.0.0.0/0 dev lo table 1

The mark value used is arbitrary, but it must be consistent between the iptables rules and the routing rules.

Modify records.config:

proxy.config.http.server_ports          STRING   value from --on-port
proxy.config.reverse_proxy.enabled      INT      1
proxy.config.url_remap.remap_required   INT      0
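The mark, the policy route and the Traffic Server port above have to agree, and a mismatch in any of them produces a setup that silently passes or drops traffic instead of proxying it. As an added example that is not part of the original page, this Python audit reads the text printed by iptables-save -t mangle, ip rule show and ip route show table 1 together with the server_ports line of records.config and reports such inconsistencies; the sample outputs are constructed, not captured from a real router.

```python
import re

# Constructed sample output (not captured from a real router) in the formats
# printed by `iptables-save -t mangle`, `ip rule show`, `ip route show table 1`
# and the records.config line this page sets.
IPTABLES_SAVE = """\
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j TPROXY --on-port 8080 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -i eth0 -s 192.168.1.0/24 -j ACCEPT
-A PREROUTING -i eth0 -d 192.168.1.0/24 -j ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --sport 80 -j MARK --set-xmark 0x1/0x1
"""
IP_RULE = "0:\tfrom all lookup local\n32765:\tfrom all fwmark 0x1/0x1 lookup 1\n32766:\tfrom all lookup main\n"
IP_ROUTE_TABLE_1 = "local default dev lo scope host\n"
RECORDS = "CONFIG proxy.config.http.server_ports STRING 8080\n"


def parse_mark(text):
    """Normalise '1/1', '0x1/0x1' or a bare '1' to a (value, mask) tuple."""
    value, _, mask = text.partition("/")
    return int(value, 0), (int(mask, 0) if mask else 0xFFFFFFFF)


def first(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def audit(iptables_save, ip_rule, route_table, records):
    """Return the inconsistencies found; an empty list means the mark, the ip rule and the ATS port agree."""
    problems = []
    tproxy_line = next((line for line in iptables_save.splitlines() if "-j TPROXY" in line), "")
    on_port = first(r"--on-port (\d+)", tproxy_line)
    tproxy_mark = first(r"--tproxy-mark (\S+)", tproxy_line)
    set_mark = first(r"-j MARK --set-x?mark (\S+)", iptables_save)
    fwmark = first(r"fwmark (\S+) lookup", ip_rule)
    for name, found in (("TPROXY rule", on_port and tproxy_mark),
                        ("MARK rule for return traffic", set_mark),
                        ("ip rule selecting a table by fwmark", fwmark)):
        if not found:
            problems.append(f"missing {name}")
    if tproxy_mark and set_mark and parse_mark(tproxy_mark) != parse_mark(set_mark):
        problems.append(f"--tproxy-mark {tproxy_mark} differs from --set-mark {set_mark}")
    if tproxy_mark and fwmark and parse_mark(fwmark) != parse_mark(tproxy_mark):
        problems.append(f"ip rule fwmark {fwmark} differs from --tproxy-mark {tproxy_mark}")
    if not re.search(r"^local (default|0\.0\.0\.0/0) dev lo", route_table, re.M):
        problems.append("policy table lacks a 'local default dev lo' route")
    server_ports = first(r"proxy\.config\.http\.server_ports STRING (.+)", records) or ""
    listening = {p.split(":")[0] for p in server_ports.split()}  # a descriptor may carry options after ':'
    if on_port and on_port not in listening:
        problems.append(f"--on-port {on_port} is not in server_ports '{server_ports}'")
    return problems
```

Feed it the real command output on the router and treat any non-empty result as a configuration to fix before putting the box inline.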
