tcp-proxy (iptables, rinetd, iprelay)

Last updated: 2016-11-01

Introduction

On Linux there are three good and very simple choices for a TCP proxy, namely:

Each has its own advantages; they are introduced one by one below.

iptables

http://datahunter.org/proxy_iptables

simpleproxy

HomePage:

http://sourceforge.net/projects/simpleproxy/

Install:

apt-get install simpleproxy

Basic usage:

simpleproxy -L <[host:]port> -R <host:port>

Useful options:

-d      By default simpleproxy runs in the foreground of the shell; add -d to run it in the background

Running via inetd:

Edit /etc/inetd.conf and add the following line

2525    stream  tcp nowait  nobody  /usr/bin/simpleproxy    simpleproxy -i -R localhost:25

This forwards connections arriving on local TCP port 2525 to localhost TCP port 25 (inetd accepts the connection and hands it to simpleproxy, which -i runs in inetd mode)

rinetd

Features:

  • single-process server
  • nonblocking I/O

Install:

apt-get install rinetd

Compile:

wget http://xxx/rinetd.tar.gz

tar -zxf rinetd.tar.gz

cd rinetd

make

cp rinetd /usr/sbin

Troubleshoot

Compiling warns about the built-in function log:

rinetd.c:176:6: warning: conflicting types for built-in function ‘log’ [enabled by default]

Edit the Makefile, changing

CFLAGS=-DLINUX -g

install -m 644 rinetd.8 /usr/man/man8

to

CFLAGS=-DLINUX -g -fno-builtin-log

install -m 644 rinetd.8 /usr/share/man/man8

Usage:

/usr/sbin/rinetd [-c]

opts:

-f                                            <-- foreground

-c <configuration file>

-h, --help

-v, --version

Configuration: done by editing a very simple config file

/etc/rinetd.conf

The config file contents are as follows

logfile /var/log/rinetd.log

# bindaddress bindport  connectaddress connectport
0.0.0.0      8080      192.168.88.177 80

Remark

0.0.0.0 responds on all IP addresses, i.e. the forward is reachable on every interface of the host; bind to a specific address, or add allow/deny rules, when that is not intended

Example:

x.x.x.x 10025   y.y.y.y 25

After editing the config file, remember to run

/etc/init.d/rinetd restart

Reload the configuration:

  • without interrupting existing connections

# -1 = SIGHUP

killall -1 rinetd

P.S.

  • rinetd cannot forward FTP traffic (because FTP uses two ports)
  • rinetd does not support UDP
  • Not many people know this, but rinetd also has an M$ Windows version!!

Advanced configuration

ALLOW AND DENY RULES

  • Allow rules which appear before the first forwarding rule are applied globally
  • Allow rules which appear after a specific forwarding rule apply to that forwarding rule only

/etc/config/rinetd (UCI-style syntax; in a plain /etc/rinetd.conf the same rules are written as deny * and allow 10.0.*.*)

ACL
list deny "*"               <-- * and ? may be used as wildcards
list allow "10.0.*.*"

  • If a new connection does not satisfy at least one of the global allow rules, that connection is immediately rejected
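The allow/deny scoping above is easy to get wrong in a longer rinetd.conf: a forward bound to 0.0.0.0 with no allow rule covering it is reachable from anywhere. The script below is an added example, not code from the original page or from the rinetd project. It audits a config file using exactly the scoping described above (allow lines before the first forwarding rule are global, allow lines after a forwarding rule apply to that rule only; deny lines never widen access). The sample config, the addresses in it and the helper names write_sample_conf and audit_rinetd_conf are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit a rinetd.conf for
# forwarding rules that listen on 0.0.0.0 (every interface) while no
# allow rule, global or per-rule, restricts who may connect to them.

# Constructed sample config (hypothetical addresses), written to the path in $1.
write_sample_conf() {
  cat > "$1" <<'EOF'
logfile /var/log/rinetd.log
# global rule: applies to every forwarding rule below
allow 10.0.*.*

# bindaddress bindport connectaddress connectport
0.0.0.0      8080     192.168.88.177  80
EOF
}

# Prints "<bindaddress> <bindport>" for each exposed forwarding rule;
# prints nothing when every 0.0.0.0 forward is covered by an allow rule.
audit_rinetd_conf() {
  awk '
    # Report the forwarding rule currently being tracked if it is exposed.
    function report_if_exposed() {
      if (seen_fwd && bind == "0.0.0.0" && !global_allow && !local_allow)
        print bind, port
    }
    NF == 0 || $1 ~ /^#/ { next }                      # blank line or comment
    $1 == "logfile" || $1 == "pidlogfile" || $1 == "logcommon" { next }
    $1 == "allow" { if (seen_fwd) local_allow = 1; else global_allow = 1; next }
    $1 == "deny"  { next }                             # deny only narrows access
    NF >= 4 && $2 ~ /^[0-9]+$/ {                       # a forwarding rule
      report_if_exposed()                              # finish the previous rule
      seen_fwd = 1; local_allow = 0
      bind = $1; port = $2
    }
    END { report_if_exposed() }                        # finish the last rule
  ' "$1"
}

# Stand-alone demonstration: the constructed config passes, the same
# config with its global allow rule stripped is reported as exposed.
tmp=$(mktemp)
write_sample_conf "$tmp"
echo "with global allow rule: [$(audit_rinetd_conf "$tmp")]"       # prints []
grep -v '^allow' "$tmp" > "$tmp.open"
echo "allow rule removed:     [$(audit_rinetd_conf "$tmp.open")]"  # prints [0.0.0.0 8080]
rm -f "$tmp" "$tmp.open"
```

Run it as `sh audit.sh` or source it and call `audit_rinetd_conf /etc/rinetd.conf`; a non-empty result is the list of forwards worth either binding to a specific address or fencing with allow rules.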

Log format:

  • Date and time
  • Client address
  • Listening host
  • Listening port
  • Forwarded-to host
  • Forwarded-to port
  • Bytes received from client
  • Bytes sent to client
  • Result message
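Because the fields are fixed, a short awk pass turns the log into per-client totals, which is the quickest way to spot one source pushing far more data through the forward than the rest, or one that keeps hitting the deny rules. The script below is an added example, not code from the page or from rinetd. It assumes one tab-separated record per line in the field order listed above; the sample log lines, their result strings and the helper names write_sample_log and summarize_rinetd_log are constructed for the demonstration (the 0.0.0.0:8080 -> 192.168.88.177:80 forward is the one from the config above).

```shell
#!/bin/sh
# Added example (not from the original page): summarise a rinetd log per
# client address. Field order (assumed tab-separated): date/time, client,
# listening host, listening port, forwarded-to host, forwarded-to port,
# bytes received from client, bytes sent to client, result message.

# Writes constructed sample log lines to the path in $1.
write_sample_log() {
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    01/Nov/2016:10:00:01 203.0.113.5  0.0.0.0 8080 192.168.88.177 80 512 20480 done-remote-closed \
    01/Nov/2016:10:00:07 203.0.113.5  0.0.0.0 8080 192.168.88.177 80 256 1024  done-local-closed \
    01/Nov/2016:10:01:15 198.51.100.9 0.0.0.0 8080 192.168.88.177 80 0   0     denied > "$1"
}

# Prints one sorted line per client:
#   <client> <bytes received from client> <bytes sent to client> <denied connections>
summarize_rinetd_log() {
  awk -F '\t' 'NF >= 9 {
      seen[$2] = 1
      rx[$2] += $7                   # bytes the client sent us
      tx[$2] += $8                   # bytes we sent the client
      if ($9 == "denied") denied[$2]++
    }
    END {
      for (c in seen) print c, rx[c] + 0, tx[c] + 0, denied[c] + 0
    }' "$1" | sort
}

# Stand-alone demonstration on the constructed log.
tmp=$(mktemp)
write_sample_log "$tmp"
summarize_rinetd_log "$tmp"
rm -f "$tmp"
```

Against a real file, `summarize_rinetd_log /var/log/rinetd.log | sort -k2 -n -r | head` lists the clients that sent the most data first.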

iprelay

User-space bandwidth shaping TCP proxy daemon

iprelay is written in Perl

It allows the bandwidth limit to be changed on the fly

Install

apt-get install iprelay

Provides: /usr/bin/iprelay

Usage

iprelay [ [-d ]  [-b n ]  [proxyspec ] ]

proxyspec:

local_port:remote_host:remote_port

opts:

-d            daemonises

-b n          bytes/second