
[20020226] iptables PREROUTING POSTROUTING application test.txt

Original | Oracle | Author: lfree | Posted: 2020-02-27 16:04:17


--//Last night I read https://www.cyberciti.biz/faq/linux-iptables-delete-prerouting-rule-command/ and had a flash of insight; I had never thought of this myself.
--//With iptables PREROUTING you can redirect ports as well as redirect IP addresses. Let's test it.

--//For example, in our production environment A often accesses B and B accesses C, but A cannot access C directly. I used to use an SSH tunnel to let A reach C.
--//The limitation is that only my one machine can get through. What if several A hosts need to access C?

1. Test environment:
client : 192.168.98.6
server : 192.168.100.78
dg:      192.168.100.40
--//Note: be very, very careful when testing, or you may lock yourself out behind the firewall. Never run such tests on a production server!!

2. Port redirection.
--//Run on the server 192.168.100.78:
# iptables -t nat -A PREROUTING -p tcp --dport 2222 -j REDIRECT --to-ports 1521
--//Note: the linked example uses ssh port 22. I was afraid an accident would leave me unable to connect to the server, so I chose a different port for the test.
--//Also, the default policies are all set to ACCEPT.

--//The client sends:
192.168.98.6:XXX --> 192.168.100.78:2222  redirected to 192.168.100.78:1521
--//The server's reply packet:
192.168.100.78:1521 redirected to 192.168.100.78:2222 --> 192.168.98.6:XXX

--//Log in from the client 192.168.98.6:
R:\> echo @ver1 | sqlplus -s -l scott/book@192.168.100.78:2222/book:DEDICATED
PORT_STRING                    VERSION        BANNER
------------------------------ -------------- --------------------------------------------------------------------------------
x86_64/Linux 2.4.xx            11.2.0.4.0     Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

--//OK, it works. In production practice this is not very interesting by itself.
--//Unless, say, the originally configured connection port was 2222 while the server now uses port 1521 and the applications underneath are hard to change in bulk; then it serves as a stopgap.
--//Note: this is the first time I have seen this syntax, meaning REDIRECT.

--//tcpdump on the server:
# tcpdump -nnn -i eth0  host 192.168.98.6  and not port 514 and not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:10:04.288211 IP 192.168.98.6.55280 > 192.168.100.78.2222: S 258337481:258337481(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
09:10:04.288402 IP 192.168.100.78.2222 > 192.168.98.6.55280: S 2476896751:2476896751(0) ack 258337482 win 14600 <mss 1460,nop,nop,sackOK,nop,wscale 7>
09:10:04.288653 IP 192.168.98.6.55280 > 192.168.100.78.2222: . ack 1 win 16425
09:10:04.288936 IP 192.168.98.6.55280 > 192.168.100.78.2222: P 1:297(296) ack 1 win 16425
09:10:04.288964 IP 192.168.100.78.2222 > 192.168.98.6.55280: . ack 297 win 123
09:10:04.312406 IP 192.168.100.78.2222 > 192.168.98.6.55280: P 1:9(8) ack 297 win 123
09:10:04.313026 IP 192.168.98.6.55280 > 192.168.100.78.2222: P 297:593(296) ack 9 win 16423
09:10:04.313140 IP 192.168.100.78.2222 > 192.168.98.6.55280: P 9:41(32) ack 593 win 131
--//No access to port 1521 is visible.

R:\> echo @ver1 | sqlplus -s -l scott/book@192.168.100.78:1521/book:DEDICATED
PORT_STRING                    VERSION        BANNER
------------------------------ -------------- --------------------------------------------------------------------------------
x86_64/Linux 2.4.xx            11.2.0.4.0     Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production

--//And connecting directly to 1521 works just the same.

3. Redirecting an IP address:
--//Run on the server 192.168.100.78:
--//First clear the settings from the previous test:
# iptables -F -t nat
# iptables -L -n -v  --line-numbers
Chain INPUT (policy ACCEPT 2986K packets, 562M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 399K packets, 59M bytes)
num   pkts bytes target     prot opt in     out     source               destination
--//Note: I forgot -t nat here, but the previous command had already cleared the iptables nat configuration.
--//On the server 192.168.100.78, first stop the listener and the database (steps omitted), then run the following:
$ lsnrctl stop
LSNRCTL for Linux: Version 11.2.0.4.0 - Production on 26-FEB-2020 09:07:38
Copyright (c) 1991, 2013, Oracle.  All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=0.0.0.0)(PORT=1521)))
The command completed successfully

# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 1521 -j DNAT --to-destination 192.168.100.40:1521

R:\>echo @ver1 | sqlplus -s -l scott/book@192.168.100.78:1521/bookdg:DEDICATED
^C
--//Hangs!! Thinking.......... confused....
--//With this kind of problem, thinking through how the network packets travel gives the answer by itself, with tcpdump as a diagnostic aid; of course you also need to calm down and think.

--//The client 192.168.98.6 sends:
192.168.98.6:XXXX --> 192.168.100.78:1521
--//DNAT is applied on the server 192.168.100.78:
192.168.98.6:XXXX -->  192.168.100.40:1521

--//tcpdump shows the following (observed on 192.168.100.78):
# tcpdump -nnn -i eth0 port 1521 or host 192.168.100.40  and not port 514
09:31:54.082137 IP 192.168.98.6.53656 > 192.168.100.78.1521: S 3217747547:3217747547(0) win 8192 <mss 1460,nop,nop,sackOK>
09:31:54.082166 IP 192.168.98.6.53656 > 192.168.100.40.1521: S 3217747547:3217747547(0) win 8192 <mss 1460,nop,nop,sackOK>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--//This shows that the DNAT translation has taken place.

--//tcpdump shows the following (observed on 192.168.100.40):
# tcpdump -i eth0 -nnn host 192.168.100.78 or port 1521 and not port 514
09:32:06.496861 IP 192.168.100.40.1521 > 192.168.98.6.53656: S 28957216:28957216(0) ack 3217747548 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
09:32:30.693197 IP 192.168.100.40.1521 > 192.168.98.6.53656: S 28957216:28957216(0) ack 3217747548 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
09:33:18.885867 IP 192.168.100.40.1521 > 192.168.98.6.53656: S 28957216:28957216(0) ack 3217747548 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
--//Oh, here is the problem: the reply does not go back through 192.168.100.78.
--//That is, before the packet 192.168.98.6:XXXX-->192.168.100.40:1521 leaves, its source address 192.168.98.6 must be changed to 192.168.100.78,
--//so that it becomes 192.168.100.78:XXXX-->192.168.100.40:1521; only then can 192.168.100.40 show
--// 192.168.100.40.1521 > 192.168.100.78.53656.
--//Add iptables rules as follows:

# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 1521 -j DNAT --to-destination 192.168.100.40:1521
# iptables -t nat -A POSTROUTING -o eth0 -p tcp -m tcp --dport 1521 -j SNAT --to-source 192.168.100.78
or
--//# iptables -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -d 192.168.100.40 --dport 1521 -j SNAT --to-source 192.168.100.78
# iptables -L -n -v -t nat --line-numbers
Chain PREROUTING (policy ACCEPT 54020 packets, 5093K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       60  3120 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1521 to:192.168.100.40:1521

Chain INPUT (policy ACCEPT 3925 packets, 461K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 554 packets, 33347 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 561 packets, 33703 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       54  2808 SNAT       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp dpt:1521 to:192.168.100.78

R:\>echo @ver1 | sqlplus -s -l scott/book@192.168.100.78:1521/bookdg:DEDICATED
ERROR:
ORA-28032: Your password has expired and the database is set to read-only
SP2-0751: Unable to connect to Oracle.  Exiting SQL*Plus
--//The login actually succeeded; my dg has not been synchronized for a long time and the password has expired. Try another user.

R:\>echo @ver1 |sqlplus -s -l sys/oracle@192.168.100.78:1521/bookdg:DEDICATED as sysdba
PORT_STRING                    VERSION        BANNER
------------------------------ -------------- --------------------------------------------------------------------------------
x86_64/Linux 2.4.xx            11.2.0.4.0     Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
--//OK.

D:\notes> sqlplus  sys/oracle@192.168.100.78:1521/bookdg:DEDICATED as sysdba
SQL*Plus: Release 12.2.0.1.0 Production on Wed Feb 26 09:56:44 2020
Copyright (c) 1982, 2016, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SYS@192.168.100.78:1521/bookdg:DEDICATED>
--//Note the SQL prompt above.

R:\>sqlplus -s -l sys/oracle@192.168.100.78:1521/bookdg:DEDICATED as sysdba
select sysdate from dual ;
SYSDATE
------------
2020-02-26 0

select sysdate from dual ;
SYSDATE
-------------------
2020-02-26 09:43:11
--//^_^, a 12c sqlplus bug: the first execution shows the date incorrectly, the second is ok.
--//See the link: http://blog.itpub.net/267265/viewspace-2561490/ => [20190116] strange problem 2.txt
--//I don't know whether this counts as so-called database "hijacking"; surely nobody would use this method to switch the dg into service as the production database when the primary is broken.

4. Continuing the test:
--//Start the listener and the database on 192.168.100.78 (omitted).
D:\notes>sqlplus -s -l scott/book@192.168.100.78:1521/book
ERROR:
ORA-28032: Your password has expired and the database is set to read-only
SP2-0751: Unable to connect to Oracle.  Exiting SQL*Plus
--//It seems to connect to the dg, but the service name is wrong. Oh, I never changed the service name on the dg.

SYS@bookdg> show parameter name
NAME                   TYPE    VALUE
---------------------- ------- ------------------------------------
cell_offloadgroup_name string
db_file_name_convert   string  /mnt/ramdisk/book, /mnt/ramdisk/book
db_name                string  BOOK
db_unique_name         string  bookdg
global_names           boolean FALSE
instance_name          string  bookdg
lock_name_space        string
log_file_name_convert  string  /mnt/ramdisk/book, /mnt/ramdisk/book
processor_group_name   string
service_names          string  book
--//Note service_names=book. That is, service_names=book also connects to the dg.

D:\notes>sqlplus -s -l scott/book@192.168.100.78:1521/book1
ERROR:
ORA-12514: TNS:listener does not currently know of service requested in connect
descriptor
SP2-0751: Unable to connect to Oracle.  Exiting SQL*Plus

D:\> sqlplus  sys/oracle@192.168.100.78:1521/book:DEDICATED as sysdba
SYS@192.168.100.78:1521/book:DEDICATED> select DATABASE_ROLE from v$database ;
DATABASE_ROLE
----------------
PHYSICAL STANDBY

D:\> sqlplus  sys/oracle@192.168.100.78:1521/bookdg:DEDICATED as sysdba
SYS@192.168.100.78:1521/bookdg:DEDICATED> select DATABASE_ROLE from v$database ;
DATABASE_ROLE
----------------
PHYSICAL STANDBY
--//This shows the connection is to the dg database, ip=192.168.100.40.

SYS@192.168.100.78:1521/bookdg:DEDICATED> SELECT NVL (SYS_CONTEXT ('userenv', 'ip_address'), '127.0.0.1') c20 from dual ;
C20
--------------------
192.168.100.78
--//You can see that the IP returned by the query is 192.168.100.78, not my client IP=192.168.98.6.
--//That is, even though I opened port 1521 on the server, the iptables rule sits in the PREROUTING chain and takes effect first, so the database on 192.168.100.78 is never reached at all.

iptables -t nat -F
iptables -t nat -A PREROUTING  -i eth0 -p tcp -m tcp --dport 1521 -j DNAT --to-destination 192.168.100.40:1521
iptables -t nat -A POSTROUTING -o eth0 -p tcp -m tcp --dport 1521 -j SNAT --to-source 192.168.100.78
--//This achieves the so-called database "hijacking".

5. Continuing the test:
--//Suppose I now want to access both databases. How? Define a new port, 15210.
iptables -t nat -F
iptables -t nat -A PREROUTING  -i eth0 -p tcp -m tcp --dport 15210 -j DNAT --to-destination 192.168.100.40:1521
iptables -t nat -A POSTROUTING -o eth0 -p tcp -m tcp --dport 15210 -j SNAT --to-source 192.168.100.78

# iptables -L -n -v -t nat --line-numbers
Chain PREROUTING (policy ACCEPT 57507 packets, 5415K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:15210 to:192.168.100.40:1521

Chain INPUT (policy ACCEPT 4118 packets, 484K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 617 packets, 37127 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 624 packets, 37483 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 SNAT       tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           tcp dpt:15210 to:192.168.100.78


D:\notes>sqlplus -s -l   sys/oracle@192.168.100.78:15210/bookdg:DEDICATED as sysdba
^C
--//Hangs again; I got a bit carried away ^_^. Looking with tcpdump on the dg 192.168.100.40:
# tcpdump -i eth0 -nnn host 192.168.100.78 or port 1521 and not port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:04:33.615191 IP 192.168.98.6.58758 > 192.168.100.40.1521: S 3948887925:3948887925(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
11:04:33.615214 IP 192.168.100.40.1521 > 192.168.98.6.58758: S 1596256405:1596256405(0) ack 3948887926 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
11:04:34.509034 IP 192.168.100.40.1521 > 192.168.98.6.58758: S 1596256405:1596256405(0) ack 3948887926 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
--//Note that it still does not work: the SNAT rule above should match dport 1521, not 15210.
--//Below is what 192.168.100.78 sees; the dnat is already in effect.
# tcpdump -nnn -i eth0 port 15210 or host 192.168.100.40  and not port 514
11:05:04.944946 IP 192.168.98.6.58792 > 192.168.100.78.15210: S 3205587175:3205587175(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
11:05:04.944980 IP 192.168.98.6.58792 > 192.168.100.40.1521: S 3205587175:3205587175(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>

--//Change iptables as follows:
iptables -t nat -F
iptables -t nat -A PREROUTING  -i eth0 -p tcp -m tcp --dport 15210 -j DNAT --to-destination 192.168.100.40:1521
iptables -t nat -A POSTROUTING -o eth0 -p tcp -m tcp --dport 1521 -j SNAT --to-source 192.168.100.78

D:\notes>echo select sysdate,DATABASE_ROLE from v$database ; | sqlplus -s -l  sys/oracle@192.168.100.78:15210/bookdg:DEDICATED as sysdba
SYSDATE      DATABASE_ROLE
------------ ----------------
2020-02-26 1 PHYSICAL STANDBY

D:\notes>echo select sysdate,DATABASE_ROLE from v$database ; | sqlplus -s -l  sys/oracle@192.168.100.78:1521/book:DEDICATED as sysdba
SYSDATE      DATABASE_ROLE
------------ ----------------
2020-02-26 1 PRIMARY
--//OK, now 192.168.100.40 is reached through port 15210.
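The hangs in sections 3 and 5 and the shadowed listener in section 4 all come from the same mechanism, so here is an added example (not code from the post) that traces a client SYN through a small model of the nat table: PREROUTING DNAT/REDIRECT, the routing decision, POSTROUTING SNAT, and the conntrack reverse mapping of the reply, printing what tcpdump on each host would see. The addresses, ports and the client source port 53656 are the post's; the simplified conntrack, the single-rule-per-chain matching and treating a stray SYN-ACK as ignored by the client are modelling assumptions.

```python
from dataclasses import dataclass
from typing import Optional

CLIENT = "192.168.98.6"     # addresses from the post
SERVER = "192.168.100.78"   # the host running iptables
DG = "192.168.100.40"       # standby database, listens on 1521


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "S." = SYN-ACK, in tcpdump notation

    def __str__(self):
        return f"{self.src}.{self.sport} > {self.dst}.{self.dport}: {self.flags}"


@dataclass(frozen=True)
class Rule:
    chain: str                 # "PREROUTING" (DNAT/REDIRECT) or "POSTROUTING" (SNAT)
    dport: int                 # --dport, matched on the packet as that chain sees it
    to: str                    # --to-destination "ip:port" or --to-source "ip"
    dst: Optional[str] = None  # optional -d match

    def matches(self, p):
        return p.dport == self.dport and (self.dst is None or self.dst == p.dst)

    def apply(self, p):
        if self.chain == "PREROUTING":                # DNAT: rewrite the destination
            ip, port = self.to.split(":")
            return Pkt(p.src, p.sport, ip, int(port), p.flags)
        return Pkt(self.to, p.sport, p.dst, p.dport, p.flags)  # SNAT keeps the sport


def attempt(server_port, rules, local_services=frozenset(), sport=53656):
    """Client sends a SYN to SERVER:server_port.
    Returns (handshake_ok, answering host, {host: tcpdump-like lines})."""
    caps = {CLIENT: [], SERVER: [], DG: []}
    syn = Pkt(CLIENT, sport, SERVER, server_port, "S")
    caps[CLIENT].append(str(syn))
    caps[SERVER].append(str(syn))                     # seen on SERVER before any NAT
    pkt = syn
    for r in rules:                                   # PREROUTING: first match wins
        if r.chain == "PREROUTING" and r.matches(pkt):
            pkt = r.apply(pkt)
            break
    if pkt.dst == SERVER:                             # routing: deliver locally
        if pkt.dport not in local_services:
            return False, None, caps                  # nothing listening there
        synack = Pkt(SERVER, server_port, CLIENT, sport, "S.")  # conntrack undoes REDIRECT
        caps[SERVER].append(str(synack))
        caps[CLIENT].append(str(synack))
        return True, SERVER, caps
    for r in rules:                                   # POSTROUTING: forwarded packets only
        if r.chain == "POSTROUTING" and r.matches(pkt):
            pkt = r.apply(pkt)
            break
    caps[SERVER].append(str(pkt))
    # conntrack keeps the reply 4-tuple so a SYN-ACK can be mapped back to the client
    conntrack = {(pkt.dst, pkt.dport, pkt.src, pkt.sport): syn}
    caps[DG].append(str(pkt))
    if (pkt.dst, pkt.dport) != (DG, 1521):
        return False, None, caps
    synack = Pkt(DG, 1521, pkt.src, pkt.sport, "S.")  # DG answers whatever source it saw
    caps[DG].append(str(synack))
    if synack.dst == SERVER:                          # reply passes back through the NAT box
        caps[SERVER].append(str(synack))
        o = conntrack[(synack.src, synack.sport, synack.dst, synack.dport)]
        synack = Pkt(o.dst, o.dport, o.src, o.sport, "S.")
        caps[SERVER].append(str(synack))
    caps[CLIENT].append(str(synack))
    # The client completes the handshake only with the peer it sent the SYN to; a
    # SYN-ACK arriving straight from DG matches no pending connection and is ignored,
    # which is the hang (and the retransmitted SYN-ACKs) seen in sections 3 and 5.
    ok = (synack.src, synack.sport) == (SERVER, server_port)
    return ok, (DG if ok else None), caps


def scenarios():
    """The post's rule sets by section -> (handshake_ok, answering host)."""
    dnat1521 = Rule("PREROUTING", 1521, f"{DG}:1521")
    dnat15210 = Rule("PREROUTING", 15210, f"{DG}:1521", dst=SERVER)
    snat1521 = Rule("POSTROUTING", 1521, SERVER)
    cases = {
        "s2 REDIRECT 2222->1521":         (2222, [Rule("PREROUTING", 2222, f"{SERVER}:1521")], {1521}),
        "s3 DNAT only":                   (1521, [dnat1521], set()),
        "s3 DNAT + SNAT dport 1521":      (1521, [dnat1521, snat1521], set()),
        "s4 local 1521 shadowed by DNAT": (1521, [dnat1521, snat1521], {1521}),
        "s5 SNAT dport 15210 (wrong)":    (15210, [dnat15210, Rule("POSTROUTING", 15210, SERVER)], {1521}),
        "s5 SNAT dport 1521 (fixed)":     (15210, [dnat15210, Rule("POSTROUTING", 1521, SERVER, dst=DG)], {1521}),
        "s5 1521 still served locally":   (1521, [dnat15210, Rule("POSTROUTING", 1521, SERVER, dst=DG)], {1521}),
    }
    return {name: attempt(port, rules, local)[:2] for name, (port, rules, local) in cases.items()}


if __name__ == "__main__":
    for name, (ok, who) in scenarios().items():
        print(f"{name:34} ok={ok!s:5} answered_by={who}")
    _, _, caps = attempt(1521, [Rule("PREROUTING", 1521, f"{DG}:1521")])  # the DNAT-only hang
    for host, lines in caps.items():
        print(f"\n# tcpdump on {host}")
        print("\n".join(lines))
```

Running it prints one line per rule set and then the three captures for the DNAT-only case, where the standby's SYN-ACK is addressed to 192.168.98.6 and never crosses 192.168.100.78, exactly as the section 3 capture on 192.168.100.40 shows. The "s4" case is the section 4 finding: with a DNAT on 1521 in PREROUTING, a local listener on 1521 is never consulted.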

Summary:
--//I have not done networking for a long time and am a bit rusty, but the test was completed in the end. The title should be changed to
--//"iptables PREROUTING POSTROUTING application test.txt". Strictly speaking, the rules written above have a small problem; they should be written as follows to handle different ports, which makes it easy to add multiple
--//hosts:
iptables -t nat -F
iptables -t nat -A PREROUTING  -i eth0 -p tcp -m tcp -d 192.168.100.78 --dport 15210 -j DNAT --to-destination 192.168.100.40:1521
iptables -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -d 192.168.100.40 --dport 1521  -j SNAT --to-source 192.168.100.78

--//Additional tcpdump observations for this configuration:
--//tcpdump shows the following (observed on 192.168.100.78):
# tcpdump -nnn -i eth0 port 15210 or host 192.168.100.40  and not port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:05:50.848753 IP 192.168.98.6.55044 > 192.168.100.78.15210: S 3035628563:3035628563(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
09:05:50.848981 IP 192.168.100.78.55044 > 192.168.100.40.1521: S 3035628563:3035628563(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SNAT and DNAT both take effect.
09:05:50.848848 IP 192.168.100.40.1521 > 192.168.100.78.55044: S 3715000810:3715000810(0) ack 3035628564 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
09:05:50.848880 IP 192.168.100.78.15210 > 192.168.98.6.55044: S 3715000810:3715000810(0) ack 3035628564 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>

--//tcpdump shows the following (observed on 192.168.100.40):
# tcpdump -i eth0 -nnn host 192.168.100.78 or port 1521 and not port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:05:50.854782 IP 192.168.100.78.55044 > 192.168.100.40.1521: S 3035628563:3035628563(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
09:05:50.854901 IP 192.168.100.40.1521 > 192.168.100.78.55044: S 3715000810:3715000810(0) ack 3035628564 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
09:05:50.855345 IP 192.168.100.78.55044 > 192.168.100.40.1521: . ack 1 win 16425
09:05:50.864963 IP 192.168.100.78.55044 > 192.168.100.40.1521: P 1:300(299) ack 1 win 16425
09:05:50.864981 IP 192.168.100.40.1521 > 192.168.100.78.55044: . ack 300 win 54
09:05:50.906358 IP 192.168.100.40.1521 > 192.168.100.78.55044: P 1:9(8) ack 300 win 54

--//It can actually be made more flexible, for example by mapping different dport values to different servers. Testing continues tomorrow.

iptables -t nat -F
iptables -t nat -A PREROUTING  -i eth0 -p tcp -m tcp -d 192.168.100.78 --dport 10040 -j DNAT --to-destination 192.168.100.40:1521
iptables -t nat -A POSTROUTING -o eth0 -p tcp -m tcp -d 192.168.100.40 --dport 1521 -j SNAT --to-source 192.168.100.78
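For the per-port, per-host mapping sketched above, here is an added example (not the post's code) that generates the DNAT/SNAT pair for each listen port and audits a rule set for the two mistakes the post ran into: a listen port that the NAT host itself serves (section 4, where the local 1521 was shadowed) and an SNAT that matches the pre-DNAT port instead of the target port (section 5). It assumes the post's server 192.168.100.78 on eth0, that the host forwards packets (net.ipv4.ip_forward=1, which the post does not show), and the second backend 192.168.100.41 in the demo is made up.

```python
import re

LOCAL_IP = "192.168.100.78"   # address clients connect to (the post's server)
IFACE = "eth0"


class RuleError(ValueError):
    pass


def nat_rules(port_map, local_ip=LOCAL_IP, iface=IFACE, local_ports=frozenset()):
    """port_map: {listen_port: (target_ip, target_port)} -> list of iptables commands.

    Refuses a listen port the local host itself serves (a PREROUTING DNAT would shadow
    it, as section 4 showed for 1521) and derives the SNAT match from the *target*
    port, because POSTROUTING sees the packet after DNAT (the section 5 mistake)."""
    shadowed = sorted(set(port_map) & set(local_ports))
    if shadowed:
        raise RuleError(f"listen port(s) {shadowed} are served locally; DNAT would hijack them")
    lines = ["iptables -t nat -F"]   # as in the post: start from an empty nat table
    snat_done = set()
    for listen_port, (target_ip, target_port) in sorted(port_map.items()):
        for p in (listen_port, target_port):
            if not 0 < int(p) < 65536:
                raise RuleError(f"bad port {p}")
        lines.append(
            f"iptables -t nat -A PREROUTING -i {iface} -p tcp -m tcp -d {local_ip} "
            f"--dport {listen_port} -j DNAT --to-destination {target_ip}:{target_port}")
        if (target_ip, target_port) not in snat_done:  # one SNAT per backend suffices
            snat_done.add((target_ip, target_port))
            lines.append(
                f"iptables -t nat -A POSTROUTING -o {iface} -p tcp -m tcp -d {target_ip} "
                f"--dport {target_port} -j SNAT --to-source {local_ip}")
    return lines


def _opt(line, flag):
    """Value of a whitespace-delimited option such as '-d 1.2.3.4', or None."""
    m = re.search(rf"(?:^|\s){re.escape(flag)}\s+(\S+)", line)
    return m.group(1) if m else None


def unmatched_dnat(lines):
    """DNAT rules whose post-DNAT flow (target ip:port) no SNAT rule in `lines` covers.

    A DNAT in this list hangs exactly as in sections 3 and 5: the backend answers the
    client directly, bypassing the NAT box. Accepts the rules as typed in the post."""
    snats = [(_opt(l, "-d"), _opt(l, "--dport"))
             for l in lines if "-A POSTROUTING" in l and "-j SNAT" in l]
    bad = []
    for l in lines:
        if "-A PREROUTING" in l and "-j DNAT" in l:
            to_ip, to_port = _opt(l, "--to-destination").split(":")
            if not any(d in (None, to_ip) and p in (None, to_port) for d, p in snats):
                bad.append(l)
    return bad


if __name__ == "__main__":
    # constructed demo: the post's standby plus a hypothetical second backend
    rules = nat_rules({15210: ("192.168.100.40", 1521),
                       15211: ("192.168.100.41", 1521)},   # 192.168.100.41 is made up
                      local_ports={1521, 22})
    print("\n".join(rules))
    print("unmatched DNAT rules:", unmatched_dnat(rules))
```

Feeding `unmatched_dnat` the section 5 rule set (DNAT on 15210, SNAT on `--dport 15210`) returns the DNAT line, while the corrected set returns an empty list; running it over a rule file before applying it catches the asymmetric-return case without a tcpdump session on the backend.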

--//This is getting long; I'll write another blog post tomorrow.

From "ITPUB Blog", link: http://blog.itpub.net/267265/viewspace-2677498/. If reposting, please cite the source; otherwise legal action will be pursued.
