Last updated: 2016-11-01
Introduction
On Linux, there are 3 good and very simple choices for a TCP proxy.
Each has its own strengths; they are introduced one by one below.
iptables
http://datahunter.org/proxy_iptables
simpleproxy
HomePage:
http://sourceforge.net/projects/simpleproxy/
Install:
apt-get install simpleproxy
Basic usage:
simpleproxy -L <[host:]port> -R <host:port>
Commonly used options:
-d By default simpleproxy runs in the foreground of the shell; with -d it runs in the background
Running via inetd:
Edit /etc/inetd.conf and add the following line
2525 stream tcp nowait nobody /usr/bin/simpleproxy simpleproxy -i -R localhost:25
Effect: connections to local TCP port 2525 are forwarded to TCP port 25 on localhost
rinetd
Features:
- single-process server
- nonblocking I/O
Install:
apt-get install rinetd
Compile:
# Source: https://github.com/samhocevar/rinetd
wget https://github.com/samhocevar/rinetd/releases/download/v0.73/rinetd-0.73...
tar -zxf rinetd-0.73.tar.gz
cd rinetd-0.73
yum install gcc
./configure
make
cp rinetd /usr/sbin
Troubleshoot
log
rinetd.c:176:6: warning: conflicting types for built-in function ‘log’ [enabled by default]
Edit the Makefile
CFLAGS=-DLINUX -g
install -m 644 rinetd.8 /usr/man/man8
To
CFLAGS=-DLINUX -g -fno-builtin-log
install -m 644 rinetd.8 /usr/share/man/man8
Usage:
/usr/sbin/rinetd [-c]
opts:
- -f # foreground
- -c config_file
- -h, --help
- -v, --version
Configuration: done by editing one very simple config file
/etc/rinetd.conf
The config file contents are as follows
logfile /var/log/rinetd.log
# bindaddress bindport connectaddress connectport
0.0.0.0 8080 192.168.88.177 80
Remark
0.0.0.0 respond on all IP addresses
Example:
x.x.x.x 10025 y.y.y.y 25
After editing the config file, remember to run
/etc/init.d/rinetd restart
Reload the configuration:
* without interrupting existing connections
# -1 = SIGHUP
killall -1 rinetd
P.S.
- rinetd cannot forward FTP traffic (because FTP uses two ports)
- rinetd does not support UDP
- Little-known fact: rinetd also has an M$ Windows version !!
rinetd advanced configuration
ACL: allow AND deny Rules
- Allow rules which appear before the first forwarding rule are applied globally
- Allow rules which appear after a specific forwarding rule apply to that forwarding rule only
/etc/config/rinetd
# * or ? can be used as wildcards
allow 192.168.0.*
deny 192.168.0.1
- If a new connection does not satisfy at least one of the global allow rules
  => that connection is immediately rejected
- deny takes precedence over allow
# Test
deny 192.168.0.1
allow 192.168.0.1
#deny 192.168.0.1
logfile /var/log/rinetd.log
Log
01/Jun/2021:16:40:22 127.0.0.1 0.0.0.0 3306 192.168.28.41 3306 0 0 denied
- Date and time
- Client address
- Listening host
- Listening port
- Forwarded-to host
- Forwarded-to port
- Bytes received from client
- Bytes sent to client
- Result message
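The nine fields listed above map directly onto a small parser. The following is an added example (not part of the original notes or of rinetd itself) that parses rinetd log lines and counts "denied" results per client and listening port; the function names and the threshold parameter are hypothetical, and every sample line except the first is constructed.

```python
from collections import Counter
from datetime import datetime
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    when: datetime
    client: str
    listen_host: str
    listen_port: int
    target_host: str
    target_port: int
    bytes_in: int
    bytes_out: int
    result: str

def parse_line(line: str) -> Optional[Entry]:
    """Parse one rinetd log line; return None if it lacks the 9-field layout."""
    parts = line.split(None, 8)  # result message comes last and may contain spaces
    if len(parts) != 9:
        return None
    try:
        when = datetime.strptime(parts[0], "%d/%b/%Y:%H:%M:%S")
        lport, tport, b_in, b_out = (int(parts[i]) for i in (3, 5, 6, 7))
    except ValueError:
        return None
    return Entry(when, parts[1], parts[2], lport, parts[4], tport,
                 b_in, b_out, parts[8].strip())

def denied_by_client(lines, threshold=1):
    """Count 'denied' results per (client, listening port); keep counts >= threshold."""
    hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and entry.result == "denied":
            hits[(entry.client, entry.listen_port)] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

# Constructed sample: the first line is the one shown above, the rest are made up.
SAMPLE = [
    "01/Jun/2021:16:40:22 127.0.0.1 0.0.0.0 3306 192.168.28.41 3306 0 0 denied",
    "01/Jun/2021:16:40:25 127.0.0.1 0.0.0.0 3306 192.168.28.41 3306 0 0 denied",
    "01/Jun/2021:16:41:02 192.168.0.7 0.0.0.0 8080 192.168.88.177 80 512 2048 done-local-closed",
    "logfile rotated",  # malformed line, skipped by the parser
]

if __name__ == "__main__":
    for (client, port), n in denied_by_client(SAMPLE, threshold=2).items():
        print(f"{client} denied {n} times on port {port}")
```

Repeated "denied" entries from one client against the same listening port are a quick way to confirm that an allow/deny rule is matching as intended.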
iprelay
User-space bandwidth shaping TCP proxy daemon
iprelay was written in Perl
It allows the bandwidth to be changed on-the-fly
Install
apt-get install iprelay
Provides: /usr/bin/iprelay
Usage
iprelay [ [-d ] [-b n ] [proxyspec ] ]
proxyspec:
local_port:remote_host:remote_port
opts:
-d daemonises
-b n bytes/second