Tuesday, October 12, 2010

Comparison of six proxy approaches


Traditional proxy, transparent proxy, plug-gw, Apache reverse proxy, IP masquerading and port forwarding: a comparison of six methods

Part one: the packet rewriting process of each proxy method

Squid traditional proxy and transparent proxy:

In Linux, the most widely used traditional proxy and transparent proxy is Squid. Squid's default configuration is the traditional proxy mode. In this mode the Windows client sets the proxy server address and port number in its browser, and the client itself has very little else to do: it only needs to specify the proxy server's IP address and port number, and everything else is left to the proxy server. A striking feature of this mode is that when the Windows client enters a URL in the browser, the DNS resolution is also done by the proxy server. The resolution order is determined by the Linux server's /etc/host.conf file.
Usually the order is to look up /etc/hosts first, then the DNS database (bind). An interesting consequence is that if you put an entry for a site in the server's hosts file that points at an internal network address, you will reach the internal server first. If you set 192.168.11.3 www.yahoo.com, your browser can no longer reach the real Yahoo site on the Internet.
With a transparent proxy, however, the DNS resolution order becomes the Windows client's own hosts file, then the DNS database; the Linux server's /etc/hosts file is no longer consulted.
For an introduction to transparent proxies, see the author's other article, "How to set up a transparent proxy in Linux".

Packet rewriting process for the traditional proxy and the transparent proxy: see below.

[PC] A [Linux squid server] B
__192.168.11.12_ |_____ 192.168.11.5__ | ___1.2.3.4_________Internet

The user on machine A sets the browser proxy to 192.168.11.5, port 3128, and goes out through B.
When accessing www.linuxforum.net with a proxy configured, the client browser communicates only with the Linux Squid server and never talks to the www.linuxforum.net server itself. The Squid proxy server first
resolves www.linuxforum.net (following the order in /etc/host.conf: /etc/hosts first, then a DNS lookup)
to the IP address 202.106.124.185, then performs the HTTP access itself, with the proxy server's IP address in place of the client's. The returned data is first stored in the Squid cache, and a copy is sent to the client. The next time this user or another user accesses the same page, it can be served from the Squid cache to save time.
The transparent proxy process is similar to the traditional proxy; the differences are:
1. The DNS resolution process is different, as mentioned above.
2. With a transparent proxy the client's gateway must be set to the Squid proxy server's IP address; the traditional proxy does not need this.
3. A transparent proxy needs input rules in the firewall chains; otherwise Squid works the same way as a traditional proxy.

plug-gw:
plug-gw is the generic proxy that comes with FWTK (the TIS Firewall Toolkit). It can proxy application-layer services such as POP3 and HTTP.

[PC] A [Linux POP3] C [Linux plug-gw] B
__192.168.11.12_ |______| 192.168.11.1____192.168.11.5__ | ___1.2.3.4__Internet

If there is a Linux POP3 server C (192.168.11.1) inside the network segment and you want external users to be able to receive mail from it, you can set up plug-gw as a POP3 proxy on machine B as follows:

Put the following line in /etc/rc.d/rc.local:
/usr/local/etc/plug-gw -daemon 1.2.3.4:110 -name plug-gw-pop3 &
and make sure the file /usr/local/etc/netperm-table has the following line:
plug-gw-pop3: port 110 * -plug-to 192.168.11.1 -port 110

The user sets the POP3 server address in Outlook Express to 1.2.3.4. When mail is fetched, port 110 on B's external interface (1.2.3.4) accepts the user's request; plug-gw then handles it by making a new request on the internal segment, from 192.168.11.5 to port 110 on 192.168.11.1. The data it collects is copied back out through the 1.2.3.4 interface to the external user.

Apache reverse proxy:
The packet rewriting process is similar to plug-gw.

Note: In the three cases above, the request is split into two separate requests, with the Squid proxy server, plug-gw or Apache server in the middle copying data between its two network cards. The source ports of the two requests are different: each is a randomly assigned high port between 1024 and 65535, and in practice TCP/IP mostly assigns random ports in the range 1024 - 5000. For example, for plug-gw:
If an external dial-up user's IP address is 5.6.7.8, the addresses and ports are as follows.
Source address and port, destination address and port:
5.6.7.8 1038 1.2.3.4 110
plug-gw rewrites the request as:
192.168.11.5 1045 192.168.11.1 110

The reply from 192.168.11.1 is copied back to the external client.
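The two-connection behaviour of plug-gw described above, as an added example that is not from the original article or from FWTK: a minimal TCP "plug" relay in Python that accepts an external connection and opens a second, independent connection to the internal server, so the internal server only ever sees the relay host's address and a fresh source port. All names (pump, plug, start_listener, upper_backend, round_trip, demo) are assumptions; both ends run on loopback with kernel-chosen ports, with a constructed upper-casing backend standing in for the POP3 server.

```python
import socket
import threading

def pump(src, dst):
    # Copy one way until src closes, then half-close dst so it sees EOF too.
    for data in iter(lambda: src.recv(4096), b""):
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def plug(client, backend_addr):
    # Second, independent TCP connection: the internal server sees the relay host
    # and a fresh ephemeral source port, not the external client's address/port.
    with client, socket.create_connection(backend_addr) as backend:
        t = threading.Thread(target=pump, args=(backend, client), daemon=True)
        t.start()
        pump(client, backend)
        t.join()

def start_listener(handler):
    # Bind loopback on a kernel-chosen port, serve in the background, return the port.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def loop():
        while True:
            threading.Thread(target=handler, args=(srv.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def upper_backend(conn):
    # Constructed stand-in for the internal server (role of 192.168.11.1:110): reply in upper case.
    with conn:
        conn.sendall(conn.recv(4096).upper())

def round_trip(relay_port, payload):
    # Act as the external client: send payload through the relay, return the reply.
    with socket.create_connection(("127.0.0.1", relay_port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        return c.recv(4096)

def demo(payload=b"stat\r\n"):
    # Constructed loopback setup: backend plays 192.168.11.1:110, relay plays 1.2.3.4:110.
    backend_port = start_listener(upper_backend)
    relay_port = start_listener(lambda c: plug(c, ("127.0.0.1", backend_port)))
    return round_trip(relay_port, payload)
```

Calling demo() starts both listeners on loopback and returns the reply relayed back from the backend.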

But this is not true in all cases; the source port is not always a randomly assigned high port in the range 1024 - 5000. IP masquerading is the exception:

IP masquerading:

[PC] A [Linux MASQ server] B
__192.168.11.12_ |_____ 192.168.11.5__ | ___1.2.3.4_________Internet

As shown above, PC A accesses the Internet through B using masquerading. When it accesses www.linuxforum.net, the packet rewriting process under masquerading is as follows:

Source address/port and destination address/port:
192.168.11.12 1047 202.106.124.185 80
After masquerading, source address/port and destination address/port:
1.2.3.4 62334 202.106.124.185 80

The reply packet
202.106.124.185 80 -> 1.2.3.4 62334
is rewritten again before it reaches PC A as:
202.106.124.185 80 -> 192.168.11.12 1047

In general, the masqueraded source port is > 60000, usually between 61000 and 64999.
The firewall maintains an IP masquerading mapping table. It can be seen with the command /sbin/ipchains -M -L -n:
[root@proxy etc]# /sbin/ipchains -M -L -n
IP masquerading entries
prot expire source destination ports
UDP 02:18.86 192.168.11.12 205.188.179.41 1215 (62615) -> 4000
TCP 17:03.20 192.168.11.12 205.188.248.57 1049 (62584) -> 80

From the ports column you can see how the two source ports of each mapping correspond.
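The masquerading table described above, as an added example that is not from the original article or from ipchains: a toy model in Python of the mapping the kernel keeps, using the page's 192.168.11.12:1047 -> 202.106.124.185:80 flow and the 61000 - 64999 port range. The class and method names (MasqTable, outbound, inbound, listing) are assumptions. It also shows the defensive side effect of the table: an inbound packet with no matching entry is dropped rather than forwarded into the private network.

```python
import random

MASQ_IP = "1.2.3.4"               # the firewall's external address in the diagram
MASQ_PORTS = (61000, 64999)       # masqueraded source port range stated on the page

class MasqTable:
    # Toy model of the kernel's masquerading table (what `ipchains -M -L -n` lists).
    # Key: (proto, masq_port) -> value: original (src_ip, src_port, dst_ip, dst_port).
    def __init__(self, seed=None):
        self.entries = {}
        self.rng = random.Random(seed)

    def _alloc_port(self, proto):
        lo, hi = MASQ_PORTS
        for _ in range(hi - lo + 1):
            p = self.rng.randint(lo, hi)
            if (proto, p) not in self.entries:
                return p
        raise RuntimeError("masquerade port range exhausted")

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        # LAN -> Internet: the source becomes MASQ_IP:<masq port>; an existing flow
        # keeps its mapping, a new flow gets a fresh entry.
        flow = (src_ip, src_port, dst_ip, dst_port)
        for (pr, mp), orig in self.entries.items():
            if pr == proto and orig == flow:
                return (MASQ_IP, mp, dst_ip, dst_port)
        mp = self._alloc_port(proto)
        self.entries[(proto, mp)] = flow
        return (MASQ_IP, mp, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        # Internet -> firewall: rewrite the reply back to the LAN host, or return
        # None (dropped) when nothing in the table matches, so unsolicited inbound
        # packets never reach the private network.
        orig = self.entries.get((proto, dst_port))
        if dst_ip != MASQ_IP or orig is None or orig[2:] != (src_ip, src_port):
            return None
        return (src_ip, src_port, orig[0], orig[1])

    def listing(self):
        # One line per entry in the ipchains style: lan_port (masq_port) -> dst_port.
        return ["%s %s %s %d (%d) -> %d" % (pr, o[0], o[2], o[1], mp, o[3])
                for (pr, mp), o in sorted(self.entries.items())]

if __name__ == "__main__":
    t = MasqTable(seed=1)
    out = t.outbound("TCP", "192.168.11.12", 1047, "202.106.124.185", 80)
    print(out, t.inbound("TCP", "202.106.124.185", 80, out[0], out[1]), t.listing())
```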

Port forwarding:
See the author's other article, "Using port forwarding to provide the internal network's services to the outside".

Part two: the uses, advantages and disadvantages of each proxy method

The role of each proxy method:
1. IP masquerading, the Squid traditional proxy and the transparent proxy let LAN users without real IP addresses access the Internet.
2. The Apache reverse proxy, the plug-gw generic proxy and port forwarding let external users access LAN servers that have no real IP address.

Advantages and disadvantages of each proxy method:
1. Squid's advantage is that it asks very little of the client: it only has to be able to reach the Squid server. But every machine must have the proxy server's IP address and port number configured.
2. The Squid transparent proxy's advantage is that the clients do not need a proxy address and port configured, which simplifies client configuration. But every client's default gateway must be set to the Squid proxy server, and the client has to do its own DNS resolution.
3. IP masquerading suits most application-layer services, unlike Squid, which only supports HTTP and FTP. But clients still need their default gateway set to the firewall's address, and it has no cache function like Squid.
4. plug-gw can proxy servers such as HTTP, POP3 and so on, whereas the Apache reverse proxy can only reverse-proxy HTTP requests.
5. Port forwarding works for most services and is independent of the specific application. It is fast, implemented in the kernel at the IP layer, and requires no special service running at the application layer. But it may require recompiling the kernel.
