因为nginx账号不能直接启动80端口,所以利用iptables做了80到8081端口的转发,这样外部应用可以直接访问80端口,然后通过iptables转发到真正的nginx服务的8081端口。
Iptables转发命令:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8081 |
外网的网页页面能打通,如下:
[tomcat@dev_121_21 ~]$ wget http://bright.test.com/PLATFORM_AUTH_Service/1.html --2016-11-22 12:43:01-- http://bright.test.com/PLATFORM_AUTH_Service/1.html 正在解析主机 bright.test.com... 192.168.121.21 正在连接 bright.test.com|192.168.121.21|:80... 已连接。 已发出 HTTP 请求,正在等待回应... 200 OK 长度:39 [text/html] 正在保存至: “1.html”
100%[=====================================================================================================================================================>] 39 --.-K/s in 0s
2016-11-22 12:43:01 (4.13 MB/s) - 已保存 “1.html” [39/39])
[tomcat@dev_121_21 ~]$ |
本地的service服务器打不通:
[tomcat@dev_121_21 ~]$ wget http://bright.test.com/PLATFORM_AUTH_Service/remoting/AuthenticationService --2016-11-22 12:29:17-- http://bright.test.com/PLATFORM_AUTH_Service/remoting/AuthenticationService 正在解析主机 bright.test.com... 192.168.121.21 正在连接 bright.test.com|192.168.121.21|:80... 失败:拒绝连接。 [tomcat@dev_121_21 ~]$ |
问题在哪里呢?直接telnet端口80试试
# telnet域名的80端口不通 [tomcat@dev_121_21 ~]$ telnet bright.test.com 80 Trying 192.168.121.21... telnet: connect to address 192.168.121.21: Connection refused [tomcat@dev_121_21 ~]$ # telnet 域名所在ip地址的80端口,也不通 [tomcat@dev_121_21 ~]$ telnet 192.168.121.21 80 Trying 192.168.121.21... telnet: connect to address 192.168.121.21: Connection refused [tomcat@dev_121_21 ~]$
# 因为80只是iptables转发的端口,不是真正nginx服务的端口,nginx服务的8081端口是有效的, [tomcat@dev_121_21 ~]$ telnet bright.test.com 8081 Trying 192.168.121.21... Connected to bright.test.com. Escape character is '^]'. Connection closed by foreign host. [tomcat@dev_121_21 ~]$ |
问题场景很明显了,就是本地本机telnet不通80端口,其它的外部过来的访问80端口都ok。
问题分析:
外网访问需要经过PREROUTING链,但是localhost以及192.168.121.21本机ip地址不经过该链,因此需要用OUTPUT。
设置output限制:
#在本机telnet也可以做转发到本机端口,不过限制了ip地址为localhost的域名访问 [root@dev_121_21 ~]#iptables -t nat -A OUTPUT -d 192.168.121.21 -p tcp --dport 80 -j REDIRECT --to-ports 8081
#不限制ip地址的访问 [root@dev_121_21 ~]#iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8081
PS:如果想外部内部都通过域名来走,而域名又绑定实际的ip地址的话,那么这里就需要采用第一种限制域名实际ip的方式来操作才能有效
# iptables永久生效,保存到系统配置中 [root@dev_121_21 ~]# service iptables save; iptables:将防火墙规则保存到 /etc/sysconfig/iptables: [确定] [root@dev_121_21 ~]# chkconfig --level 2345 iptables on; [root@dev_121_21 ~]# chkconfig --add iptables; [root@dev_121_21 ~]# service iptables restart iptables:清除防火墙规则: [确定] iptables:将链设置为政策 ACCEPT:nat [确定] iptables:正在卸载模块: [确定] iptables:应用防火墙规则: [确定] [root@dev_121_21 ~]#
|
再试下,本地就可以访问本地的service接口服务了:
[tomcat@dev_121_21 ~]$ wget http://bright.test.com/PLATFORM_AUTH_Service/remoting/AuthenticationService --2016-11-22 12:51:14-- http://bright.test.com/PLATFORM_AUTH_Service/remoting/AuthenticationService 正在解析主机 bright.test.com... 192.168.121.21 正在连接 bright.test.com|192.168.121.21|:80... 已连接。 已发出 HTTP 请求,正在等待回应... 405 Method Not Allowed 2016-11-22 12:51:14 错误 405:Method Not Allowed。
[tomcat@dev_121_21 ~]$ |
参考文章:http://blog.csdn.net/zzhongcy/article/details/42738285