How do I handle mirrored (duplicated) iptables traffic after TEE?

Problem description

I have a question about traffic mirrored with the iptables TEE option. The main goal is to copy all traffic for a service on server A (port 1935) to the same service running on server B on the same port (port 1935).

For example: if I start streaming video to 192.168.0.200:1935, the video should be on both servers (on 192.168.0.201:1935 and on 192.168.0.200:1935).

Google pointed me to the iptables -TEE option. I tried to use it on Ubuntu:

SERV A - 192.168.0.200
SERV B - 192.168.0.201

On SERV A (192.168.0.200) I add mirroring for incoming traffic on port 1935:

root@ubuntu_200:~# iptables -t mangle -A PREROUTING -p tcp --dport 1935 -d 192.168.0.200 -j TEE --gateway 192.168.0.201

And I got all packages on SERV B (192.168.0.201) interface now.

root@ubuntu_201:~# tcpdump 'tcp port 1935'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
18:14:47.503241 IP 192.168.0.10.49984 > 192.168.0.200.1935: Flags [S], seq 3961116317, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:14:47.503258 IP 192.168.0.10.49985 > 192.168.0.200.1935: Flags [S], seq 1849647427, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:14:47.752702 IP 192.168.0.10.49986 > 192.168.0.200.1935: Flags [S], seq 3102326921, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:14:47.999309 IP 192.168.0.10.49984 > 192.168.0.200.1935: Flags [S], seq 3961116317, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:14:48.008983 IP 192.168.0.10.49985 > 192.168.0.200.1935: Flags [S], seq 1849647427, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:14:48.253066 IP 192.168.0.10.49986 > 192.168.0.200.1935: Flags [S], seq 3102326921, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
18:14:48.499660 IP 192.168.0.10.49984 > 192.168.0.200.1935: Flags [S], seq 3961116317, win 8192, options [mss 1460,nop,nop,sackOK], length 0
18:14:48.508964 IP 192.168.0.10.49985 > 192.168.0.200.1935: Flags [S], seq 1849647427, win 8192, options [mss 1460,nop,nop,sackOK], length 0
18:14:48.751863 IP 192.168.0.10.49986 > 192.168.0.200.1935: Flags [S], seq 3102326921, win 8192, options [mss 1460,nop,nop,sackOK], length 0

As you see I get all traffic on second server interface but with destination IP of SERV A (192.168.0.200). And now I need to route this traffic to my service on port 1935. I try to add rule on SERV B:

iptables -t nat -A PREROUTING -p tcp --dport 1935 -d 192.168.0.200 -j DNAT --to-destination 192.168.0.201:1935

Also try to Redirect and Forward - but didn't make it work properly... No video on SERV B port 1935.

Could somebody point me in the right direction?

As I mentioned earlier: I need to see the video stream on both servers from port 1935. Publishing is only on SERV A, but the video should be on both.

Any suggestions would be appreciated.

Thank you.

Solution

I think it is impossible to do it this way.

It seems that you are using TEE for TCP traffic.

TCP is a stateful protocol (unlike UDP), it requires user end computer to be involved in every step of connection and it will not work with two separate clients trying to communicate with one server.

Some alternatives:

  1. Using UDP streaming instead (Of course, you'll have to change both server, client and iptable rule).
  2. Use some kind of TCP proxy which on one side accepts the TCP video stream (or transparently intercepts it) and on the other side opens 2 (or more) different TCP sessions against multiple clients.
     Maybe this can help here: https://github.com/agnoster/duplicator
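
Alternative 2 sketched as an added example (not code from the original post or from the linked duplicator project): a small asyncio proxy that accepts the publisher's TCP stream and opens a separate TCP session to each server, relaying only the primary's replies back. The names `pump`, `make_handler` and `demo`, and the loopback sink servers standing in for SERV A and SERV B, are assumptions made for illustration.

```python
import asyncio

async def pump(reader, writers):
    """Copy bytes from reader to every writer until EOF, then close them."""
    while data := await reader.read(65536):
        for w in list(writers):
            try:
                w.write(data)
                await w.drain()
            except OSError:
                writers.remove(w)  # a dead backend must not stall the others
    for w in writers:
        w.close()

def make_handler(primary, mirror):
    async def handle(client_r, client_w):
        # Each backend gets its own handshake, sequence numbers and ACKs.
        prim_r, prim_w = await asyncio.open_connection(*primary)
        upstream, jobs = [prim_w], [pump(prim_r, [client_w])]  # only primary answers
        try:
            mir_r, mir_w = await asyncio.open_connection(*mirror)
            upstream.append(mir_w)
            jobs.append(pump(mir_r, []))  # read and discard the mirror's replies
        except OSError:
            pass  # mirror unreachable: keep serving through the primary
        await asyncio.gather(pump(client_r, upstream), *jobs)
    return handle

async def demo(payload=b"constructed stream bytes"):
    """Loopback check: two sink servers stand in for SERV A and SERV B."""
    got = {n: asyncio.get_running_loop().create_future() for n in "AB"}
    def sink(name):
        async def on_conn(r, w):
            got[name].set_result(await r.read())  # everything up to EOF
            w.close()
        return on_conn
    a = await asyncio.start_server(sink("A"), "127.0.0.1", 0)
    b = await asyncio.start_server(sink("B"), "127.0.0.1", 0)
    addr = lambda s: s.sockets[0].getsockname()[:2]
    proxy = await asyncio.start_server(make_handler(addr(a), addr(b)), "127.0.0.1", 0)
    _, w = await asyncio.open_connection(*addr(proxy))
    w.write(payload)
    w.write_eof()  # half-close so both backends see end of stream
    result = {name: await fut for name, fut in got.items()}
    for closable in (w, proxy, a, b):
        closable.close()
    return result
if __name__ == "__main__":
    print(asyncio.run(demo()))
```

Byte-level duplication like this only works when the mirror accepts the same client bytes regardless of what it sends back, because its replies are discarded and the client only ever answers the primary.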
