0x00 Overview
Some applications sit behind a load balancer that exposes https 443 and syslog 514 externally. Because some Linux accounts cannot start a service on a port below 1000, the port the application actually listens on on a single node is often above 1000, for example 1443 and 1514. The load balancer must then either map domain:443 to the application's node:1443, or map domain:443 to node:443 and have the node forward its local port 443 to 1443.
This post describes how to do that local port forwarding with the host firewall (an iptables nat REDIRECT rule) in a way that stays in effect even when the iptables service is turned off.
0x01 Practice
Scan the host before the port forward is set up:
nmap -vv 10.111.10.11 -sU -p 1514,514
PORT STATE SERVICE REASON
514/udp closed syslog port-unreach ttl 61
1514/udp open|filtered fujitsu-dtcns no-response
Add the port forward manually:
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 1514
Save the rules and configure them to be reloaded at boot:
iptables-save > /etc/iptable.v4
vi /etc/systemd/system/portmap.service
[Unit]
Description=portmap rules
DefaultDependencies=no
After=network.service
[Service]
Type=oneshot
ExecStart=/bin/bash -c '/sbin/iptables-restore < /etc/iptable.v4'
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
Enable the unit at boot (this is not affected by the firewall service being turned off):
systemctl daemon-reload && systemctl enable portmap.service
Check the port mapping on 10.111.10.11:
iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 164M packets, 10G bytes)
pkts bytes target prot opt in out source destination
20M 14G REDIRECT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:514 redir ports 1514
Chain INPUT (policy ACCEPT 183M packets, 24G bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 60M packets, 3616M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 60M packets, 3616M bytes)
pkts bytes target prot opt in out source destination
Scan the host after the port forward is set up:
nmap -vv 10.111.10.11 -sU -p 1514,514
PORT STATE SERVICE REASON
514/udp open|filtered syslog no-response
1514/udp open|filtered fujitsu-dtcns no-response
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.58 seconds
Raw packets sent: 8 (264B) | Rcvd: 1 (40B)
In the same way, configure the forward for port 1443:
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 1443
iptables -t nat -L -n -v
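The following is an added example and not part of the original post. It wraps the two steps above (add the REDIRECT rule, then confirm it in the nat table listing) in a small POSIX sh script. ensure_redirect adds a rule only if an identical one is not already present, using iptables -C, so re-running the script (for example from a boot unit in addition to iptables-restore) never stacks duplicate rules; has_redirect parses the output of iptables -t nat -L -n -v and reports whether a given port is redirected to the expected local port. The function names, the IPTABLES variable and the sample listing are assumptions constructed for this example; the listing mirrors the shape of the output shown earlier in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the nat/PREROUTING
# REDIRECT setup described above. IPTABLES can be pointed at a stub command
# so the logic can be exercised without root; by default it is "iptables".
IPTABLES=${IPTABLES:-iptables}

# valid_port N: true if N is a port number in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ensure_redirect PROTO DPORT TOPORT
# Adds "-p PROTO --dport DPORT -j REDIRECT --to-port TOPORT" to nat/PREROUTING
# unless an identical rule already exists (iptables -C returns 0 in that case).
ensure_redirect() {
    proto=$1
    dport=$2
    toport=$3
    case "$proto" in
        tcp|udp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 2 ;;
    esac
    valid_port "$dport" && valid_port "$toport" || {
        echo "bad port mapping: $dport -> $toport" >&2
        return 2
    }
    if "$IPTABLES" -t nat -C PREROUTING -p "$proto" --dport "$dport" \
            -j REDIRECT --to-port "$toport" 2>/dev/null; then
        return 0    # rule already present, nothing to do
    fi
    "$IPTABLES" -t nat -A PREROUTING -p "$proto" --dport "$dport" \
        -j REDIRECT --to-port "$toport"
}

# has_redirect PROTO DPORT TOPORT   (reads an `iptables -t nat -L -n -v` listing on stdin)
# Returns 0 if the PREROUTING chain contains "REDIRECT PROTO ... dpt:DPORT redir ports TOPORT".
has_redirect() {
    awk -v proto="$1" -v dport="$2" -v toport="$3" '
        /^Chain / { inchain = ($2 == "PREROUTING"); next }
        inchain && $3 == "REDIRECT" && $4 == proto {
            for (i = 5; i <= NF; i++)
                if ($i == "dpt:" dport && $(i+1) == "redir" && \
                    $(i+2) == "ports" && $(i+3) == toport)
                    found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample listing, in the shape of `iptables -t nat -L -n -v` on the node.
sample_nat_listing() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 164M packets, 10G bytes)
 pkts bytes target     prot opt in     out     source               destination
  20M   14G REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:514 redir ports 1514
Chain INPUT (policy ACCEPT 183M packets, 24G bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 60M packets, 3616M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 60M packets, 3616M bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

# Offline demonstration against the constructed listing (no root needed).
sample_nat_listing | has_redirect udp 514 1514 && echo "514/udp -> 1514: present"
sample_nat_listing | has_redirect tcp 443 1443 || echo "443/tcp -> 1443: missing"
```

On a real node the check is `iptables -t nat -L -n -v | has_redirect udp 514 1514`. Two caveats worth keeping in mind: a REDIRECT in PREROUTING only applies to packets that arrive on a network interface, so a test run on the node itself against 127.0.0.1 goes through the OUTPUT chain and is not redirected, which is why the post verifies with an nmap scan from another host; and iptables-restore replaces the whole nat table, so the boot unit alone will not create duplicates, but repeating a bare `iptables -t nat -A` by hand will, which is what the `-C` guard prevents.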