Shulou(Shulou.com)06/01 Report--

A few days ago, the team leader asked me to implement a function to convert the inaccessible production machine ip+ port in the alarm email into a domain name that can be accessed in the office environment (which has been configured through port mapping). The alarm procedure is written in go language, and if you directly change the ip+ port in the go language configuration file into a domain name, the program will not run normally, but the hosts file of linux does not support the resolution of the domain name directly to the level of port mapping (by the way, windows seems to be OK, that is, hostname can be parsed into 1.2.3.4linux 1234 in the hosts file of windows).

So I probably thought of this strategy:

1. Add the domain name to the configuration of ipA in the / etc/hosts on the linux machine

two。 Find a way to redirect ipA access to port 80 to the designated port of ipA (for example, 520).

The first step is easy, but what about the second step? Use Apache port mapping function? I also installed an apache web server;, so I thought of the iptables that comes with linux.

Many friends who have built programs that require multiple machines to work together, such as rac, dg, and hadoop, should have come into contact with iptables, and it is usually iptables-F to clear the management rules and turn off the firewall. In fact, the firewall can only be said to be part of the function of iptables, it feels more accurately that iptables is a network management tool, which can not only discard or accept the network data received by the machine, but also carry out other operations such as forwarding, logging and so on.

The general structure of iptables is shown in the following picture (picture from the Internet)

Look at this picture mainly like this:

1.iptables rules can work in five places (here professionally called chain): before routing rules (prerouting), during forwarding (forward), after routing rules (postrouting), before program processing (input), and after program processing (output)

2.iptables has these three main functions (here can be called three tables, after all, the rules are recorded here like records in the database in the data table): address translation (nat), packet filtering (filter), modified package (mangle) (raw does not use much, do not understand very well, it seems to be a high priority on the Internet, can avoid nat and other rule matching to improve efficiency).

Take perrouting as an example. Here, you can modify or translate the address of the sent data packet through a series of rules matching of iptables. Take forward as an example, when you find that the destination machine is not this machine through routing table matching, you can modify or filter other packets without repeating the instructions.

Let's talk about the syntax of iptables (pictures from the Internet)

The general grammar is like this.

Iptables-t indicates which table-(An append, I insert, etc.) chain names match rule-specific actions (redirect, drop, accept, etc.)

Based on the above requirements, now I want to redirect access to port 520 when accessing port 80. Then it is possible to change the data packet accessing port 80 of the local computer into a packet accessing port 520 of the local computer during prerouting.

So execute the following command as the root user

Iptables-t nat-A PREROUTING-p tcp-- dport 80-j REDIRET-- to-port 520

This will achieve the desired effect, that is, configure the domain name in the go language, but still be able to access the correct ip+ port.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.