tcp-proxy(iptable, rinetd, iprelay)

Last updated: 2016-11-01

 

Introduction

On Linux there are three good and very simple choices for a tcp-proxy, namely

Each has its own advantages; they are introduced one by one below.


iptables

 

http://datahunter.org/proxy_iptables

 

 


simpleproxy

 

HomePage:

http://sourceforge.net/projects/simpleproxy/

Install:

apt-get install simpleproxy

Basic usage:

simpleproxy -L <[host:]port> -R <host:port>

Commonly used options:

-d      By default simpleproxy runs in the foreground of the shell; add -d to run it in the background

Running via inetd:

Edit /etc/inetd.conf and add the following line

2525    stream  tcp nowait  nobody  /usr/bin/simpleproxy    simpleproxy -i -R localhost:25

This forwards connections arriving at local TCP port 2525 to TCP port 25 on localhost

 


rinetd

 

Features:

  • single-process server
  • nonblocking I/O
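To make concrete what `simpleproxy -L port -R host:port` and a rinetd forwarding line actually do, here is an added example (not code from simpleproxy or rinetd): a single-process TCP relay built on one nonblocking select loop, the design rinetd's feature list describes. The echo service, the loopback addresses and the use of port 0 (let the kernel pick a free port) are assumptions for the demo so that it runs end to end offline.

```python
import selectors
import socket
import threading

# Added example (not simpleproxy's or rinetd's code): a single-process,
# nonblocking TCP relay.  One select loop accepts clients on the bind
# address and copies bytes both ways to the connect address, the same job
# as "simpleproxy -L port -R host:port".


class TcpRelay:
    def __init__(self, bind_host, bind_port, connect_host, connect_port):
        self.target = (connect_host, connect_port)
        self.sel = selectors.DefaultSelector()
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_host, bind_port))   # port 0 = any free port
        self.listener.listen(16)
        self.listener.setblocking(False)
        self.sel.register(self.listener, selectors.EVENT_READ, self._accept)
        self.bound_port = self.listener.getsockname()[1]
        self.bytes_relayed = 0
        self._stop = threading.Event()

    def _accept(self, listener):
        try:
            client, _ = listener.accept()
        except BlockingIOError:
            return
        try:
            # Simplification: blocking connect (rinetd connects nonblockingly).
            upstream = socket.create_connection(self.target, timeout=5)
        except OSError:
            client.close()                # upstream unreachable: drop client
            return
        # Each side is watched for readability and pumps into its peer.
        for src, dst in ((client, upstream), (upstream, client)):
            src.setblocking(False)
            self.sel.register(src, selectors.EVENT_READ,
                              lambda s, peer=dst: self._pump(s, peer))

    def _pump(self, src, dst):
        try:
            data = src.recv(65536)
        except OSError:
            data = b""
        if not data:                      # EOF or error: tear down both sides
            self._close_pair(src, dst)
            return
        self.bytes_relayed += len(data)
        try:
            # A production relay queues unsent bytes and waits for EVENT_WRITE;
            # for the small payloads exchanged here sendall completes at once.
            dst.sendall(data)
        except OSError:
            self._close_pair(src, dst)

    def _close_pair(self, a, b):
        for s in (a, b):
            try:
                self.sel.unregister(s)
            except (KeyError, ValueError):
                pass                      # already unregistered / closed
            s.close()

    def serve(self):
        """Run the select loop until stop() is called."""
        while not self._stop.is_set():
            for key, _ in self.sel.select(timeout=0.1):
                key.data(key.fileobj)     # dispatch to _accept or _pump
        self.listener.close()
        self.sel.close()

    def stop(self):
        self._stop.set()


def start_echo_server():
    """Constructed upstream for the demo: echoes one message, then hangs up.
    Returns the ephemeral port it listens on (127.0.0.1)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(4)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(conn.recv(65536))
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def relay_roundtrip(payload=b"hello via relay\n"):
    """Send payload through the relay to the echo server; return the reply."""
    upstream_port = start_echo_server()
    relay = TcpRelay("127.0.0.1", 0, "127.0.0.1", upstream_port)
    worker = threading.Thread(target=relay.serve, daemon=True)
    worker.start()
    try:
        with socket.create_connection(("127.0.0.1", relay.bound_port), timeout=5) as c:
            c.sendall(payload)
            got = b""
            while len(got) < len(payload):
                chunk = c.recv(65536)
                if not chunk:
                    break
                got += chunk
    finally:
        relay.stop()
        worker.join()
    return got


if __name__ == "__main__":
    print(relay_roundtrip())
```

Note what this relay does not do: no allow/deny check on the client address and no write-side backpressure, which is exactly what rinetd's ACL and buffering add on top of the plain copy loop; a relay like this exposes the backend to every client that can reach the bind address.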

Install:

apt-get install rinetd

Compile:

# Source: https://github.com/samhocevar/rinetd

wget https://github.com/samhocevar/rinetd/releases/download/v0.73/rinetd-0.73...

tar -zxf rinetd-0.73.tar.gz

cd rinetd-0.73

yum install gcc

./configure

make

cp rinetd /usr/sbin

Troubleshoot

Log:

rinetd.c:176:6: warning: conflicting types for built-in function ‘log’ [enabled by default]

Edit the Makefile, changing

CFLAGS=-DLINUX -g

install -m 644 rinetd.8 /usr/man/man8

to

CFLAGS=-DLINUX -g -fno-builtin-log

install -m 644 rinetd.8 /usr/share/man/man8

Usage:

/usr/sbin/rinetd [-c]

opts:

  • -f              # foreground
  • -c config_file
  • -h, --help
  • -v, --version

Configuration: done by editing one very simple config file

/etc/rinetd.conf

The config file looks like this

logfile /var/log/rinetd.log

# bindaddress bindport  connectaddress connectport
0.0.0.0      8080      192.168.88.177 80

Remark

0.0.0.0 listens on all IP addresses

Example:

x.x.x.x 10025   y.y.y.y 25

After editing the config file, remember to run

/etc/init.d/rinetd restart

Reload the configuration:

  • without interrupting existing connections

# -1 = SIGHUP

killall -1 rinetd

P.S.

  • rinetd cannot forward FTP traffic (because FTP uses two ports)
  • rinetd does not support UDP
  • Not widely known: rinetd also has an M$ Windows build !!

 

rinetd advanced configuration

 

ACL: allow AND deny Rules

  • Allow rules which appear before the first forwarding rule are applied globally
  • Allow rules which appear after a specific forwarding rule apply to that forwarding rule only
  • If a new connection does not satisfy at least one of the global allow rules, that connection is immediately rejected
  • deny takes precedence over allow

/etc/config/rinetd

# * and ? wildcards can be used
allow 192.168.0.*
deny 192.168.0.1

# test
deny 192.168.0.1
allow 192.168.0.1
#deny 192.168.0.1
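The rule semantics above are easy to get wrong when a config mixes global and per-forward rules, so here is an added evaluator (my reading of the rules as stated on this page, not rinetd's own code) that parses a constructed rinetd.conf fragment and answers whether a client address would be accepted. The config text, the addresses and the `*`/`?` matching via `fnmatch` are assumptions for the demo.

```python
import fnmatch

# Added example, not rinetd's own code.  Rules before the first forwarding
# line are global; rules after a forwarding line belong to that forward only;
# a matching deny always wins; if any allow rules exist, the client must
# match at least one of them.  Config text and addresses are constructed.
SAMPLE_CONF = """\
logfile /var/log/rinetd.log
# global rules, checked for every forward
allow 192.168.0.*
deny  192.168.0.1
# bindaddress bindport connectaddress connectport
0.0.0.0 8080 192.168.88.177 80
# rule-specific: applies to the forward on 8080 only
allow 192.168.0.1?
"""


def parse_conf(text):
    """Return (global_rules, forwards); each forward carries its own rules.

    A rule is a (kind, pattern) tuple with kind "allow" or "deny".  Whether a
    rule is global or per-forward depends only on whether it appears before or
    after the first forwarding line.
    """
    global_rules, forwards = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments / blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] in ("allow", "deny") and len(fields) == 2:
            rule = (fields[0], fields[1])
            (forwards[-1]["rules"] if forwards else global_rules).append(rule)
        elif len(fields) == 4:
            bind_addr, bind_port, to_addr, to_port = fields
            forwards.append({"bind": (bind_addr, int(bind_port)),
                             "to": (to_addr, int(to_port)),
                             "rules": []})
        # other directives (logfile, ...) are not relevant to the ACL
    return global_rules, forwards


def rules_permit(rules, client_ip):
    """Evaluate one rule list for a dotted-decimal client address."""
    has_allow = False
    matched_allow = False
    for kind, pattern in rules:
        if kind == "allow":
            has_allow = True
        # fnmatchcase gives the * and ? wildcard behaviour (assumption)
        if fnmatch.fnmatchcase(client_ip, pattern):
            if kind == "deny":
                return False              # deny beats allow
            matched_allow = True
    # with allow rules present the client must have matched one of them
    return matched_allow or not has_allow


def connection_allowed(conf_text, client_ip, forward_index=0):
    """Global rules are applied first; only then the forward's own rules."""
    global_rules, forwards = parse_conf(conf_text)
    if not rules_permit(global_rules, client_ip):
        return False
    return rules_permit(forwards[forward_index]["rules"], client_ip)


if __name__ == "__main__":
    for ip in ("192.168.0.1", "192.168.0.12", "192.168.0.25", "10.0.0.5"):
        print(ip, "allowed" if connection_allowed(SAMPLE_CONF, ip) else "denied")
```

With the sample config, 192.168.0.1 is denied by the global deny even though the global allow also matches it; 192.168.0.12 passes both the global allow and the per-forward `allow 192.168.0.1?`; 192.168.0.25 passes the global rules but fails the per-forward allow; 10.0.0.5 matches no global allow and is rejected before the forward is even considered.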
Log format:

Setting:

logfile /var/log/rinetd.log

Log:

01/Jun/2021:16:40:22 127.0.0.1 0.0.0.0 3306 192.168.28.41 3306 0 0 denied

Fields, in order:

  • Date and time
  • Client address
  • Listening host
  • Listening port
  • Forwarded-to host
  • Forwarded-to port
  • Bytes received from client
  • Bytes sent to client
  • Result message
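Because the log is one whitespace-separated line per connection with the nine fields listed above, it is straightforward to feed into a small detection script. The following is an added example, not part of the page or of rinetd: it parses the format, counts ACL rejections per client and totals the bytes per forwarding rule. The sample log is constructed (the first line is the one quoted above; the other lines and the result string "done-local-closed" are assumed for the demo).

```python
from collections import Counter, defaultdict

# Constructed sample log: line 1 is the example quoted on the page, the rest
# are made-up entries in the same nine-field layout.  The result string
# "done-local-closed" is assumed, not taken from the page.
SAMPLE_LOG = """\
01/Jun/2021:16:40:22 127.0.0.1 0.0.0.0 3306 192.168.28.41 3306 0 0 denied
01/Jun/2021:16:40:25 10.0.0.7 0.0.0.0 8080 192.168.88.177 80 512 20480 done-local-closed
01/Jun/2021:16:40:31 127.0.0.1 0.0.0.0 3306 192.168.28.41 3306 0 0 denied
01/Jun/2021:16:40:33 127.0.0.1 0.0.0.0 3306 192.168.28.41 3306 0 0 denied
garbage line that should be skipped
"""

FIELDS = ("timestamp", "client", "listen_host", "listen_port",
          "to_host", "to_port", "bytes_in", "bytes_out", "result")
INT_FIELDS = ("listen_port", "to_port", "bytes_in", "bytes_out")


def parse_line(line):
    """Map one rinetd log line onto the nine fields; None if it does not fit."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
    except ValueError:
        return None
    return rec


def parse_log(text):
    """All well-formed records in the log text, in file order."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def denied_counts(records):
    """Client address -> number of connections the ACL rejected."""
    return Counter(r["client"] for r in records if r["result"] == "denied")


def repeat_offenders(records, threshold=3):
    """Clients rejected at least `threshold` times: either the deny rule is
    doing its job against an unwanted source, or a legitimate host is
    misconfigured; both are worth a look."""
    return sorted(ip for ip, n in denied_counts(records).items() if n >= threshold)


def bytes_per_forward(records):
    """(listen_port, to_host, to_port) -> (bytes from clients, bytes to clients)."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        key = (r["listen_port"], r["to_host"], r["to_port"])
        totals[key][0] += r["bytes_in"]
        totals[key][1] += r["bytes_out"]
    return {k: tuple(v) for k, v in totals.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("records:", len(recs))
    print("denied per client:", dict(denied_counts(recs)))
    print("repeat offenders:", repeat_offenders(recs))
    print("bytes per forward:", bytes_per_forward(recs))
```

Denied entries carry zero bytes in both directions, so the byte totals only reflect connections that were actually relayed; a forward that shows large outbound totals from a client you did not expect is the kind of thing this view makes visible.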

 


iprelay

 

User-space bandwidth shaping TCP proxy daemon

iprelay is written in Perl

It allows the bandwidth to be changed on the fly

Install

apt-get install iprelay

Provides: /usr/bin/iprelay

Usage

iprelay [ [-d ]  [-b n ]  [proxyspec ] ]

proxyspec:

local_port:remote_host:remote_port

opts:

-d            daemonises

-b n          bytes/second