brief introduction
NAT traversal (often called intranet penetration) lets packets from a particular source IP address and source port be routed to a host on the internal network instead of being blocked by the NAT device. When a computer sits in a LAN, nodes on the external network and the internal network have to communicate through a mapped port, so that a computer on the outside can find a computer on the inside.
The problem with the Network Address Translation (NAT) mechanism is that the NAT device automatically blocks connections initiated by hosts that are not on the internal network: a packet sent from the external network to the internal network that matches no existing mapping is discarded, so hosts sitting behind different NAT devices cannot exchange data directly. This protects internal hosts from the outside, but it also makes P2P communication difficult.
operation mode
Port mapping is what is usually meant by Network Address Translation (NAT) in this context: it maps an address and port on the public network to an address and port on the private network. An ADSL broadband router in routing mode has a dynamic or fixed public IP; the ADSL line is connected directly to a hub or switch and all computers share the Internet connection through it. The intranet penetration client runs on any PC or server in the LAN. The IP address that the domain name resolves to is the public IP at the exit of the LAN gateway, and the port is then mapped at the gateway to the internal device being exposed.
The NAT gateway keeps a mapping table that records which internal IP and port each request to the public network came from. When an internal host sends a request to a device on the public network, the request packet first reaches the NAT gateway. The gateway rewrites the packet's source IP address to its own public IP and its source port to a port of its own that is not already in use, and records that change in the mapping table. Only then is the modified packet sent on to the destination host. When the destination host sends back its response, the gateway looks up the response's destination IP and port in the mapping table to find which internal host it belongs to and forwards it there. In this way, an internal host with no public IP of its own can still reach public network devices through NAPT, sharing the router's single public IP.
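To make the mapping-table behaviour concrete, here is a small NAPT simulator. It is an added example, not code from this page or from frp, and every address in it is a constructed sample value. An outbound packet gets its source rewritten and recorded; an inbound packet is delivered only if the table has an entry for its destination port, otherwise it is dropped, which is exactly why an outside host cannot open a connection to an internal host on its own.

```python
"""NAPT mapping-table simulator (added example; not code from the page or from frp).

Outbound packets get their source IP/port rewritten to the gateway's public IP and a
free public port, and the change is recorded. Inbound packets are delivered only if
their destination port is in the table; anything else is dropped.
All addresses below are constructed sample values.
"""
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


class NaptGateway:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)  # next unused public port
        self._out = {}  # (priv_ip, priv_port, remote_ip, remote_port) -> public_port
        self._in = {}   # public_port -> (priv_ip, priv_port, remote_ip, remote_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Internal host -> public network: rewrite the source, record the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._out.get(key)
        if port is None:  # first packet of this flow: allocate a public port
            port = next(self._ports)
            self._out[key] = port
            self._in[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet):
        """Public network -> gateway: deliver via the table, or drop (return None)."""
        entry = self._in.get(pkt.dst_port)
        if entry is None:
            return None  # unsolicited: no internal host asked for this
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # this simulator is address/port-restricted; real NATs vary
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


def demo():
    """client1 (192.168.29.144) fetches a page; an outsider then probes port 22."""
    gw = NaptGateway("203.0.113.5")
    req = Packet("192.168.29.144", 51000, "198.51.100.10", 80, "GET / HTTP/1.1")
    sent = gw.outbound(req)
    reply = Packet("198.51.100.10", 80, sent.src_ip, sent.src_port, "HTTP/1.1 200 OK")
    delivered = gw.inbound(reply)
    probe = Packet("198.51.100.99", 4444, gw.public_ip, 22, "SSH-2.0-scanner")
    dropped = gw.inbound(probe)
    return sent, delivered, dropped


if __name__ == "__main__":
    sent, delivered, dropped = demo()
    print("on the wire :", sent)
    print("delivered to:", delivered)
    print("probe result:", dropped)
```

This is also why frp works: frpc opens the outbound connection to frps, which creates the table entry, and frps then pushes traffic from external users back through that established connection, so from the NAT's point of view nothing inbound is ever unsolicited.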
preparation in advance
Prepare three CentOS 7 virtual machines: configure IP addresses and hostnames, turn off firewalld and SELinux (acceptable for this lab only; on a real server keep them on and open just the frp ports), synchronize the system time, and add the hostname-to-IP mappings.
hostname    ip
server      192.168.29.143
client1     192.168.29.144
client2     192.168.29.142
server acts as the frp server (in a real deployment this must be a host with a public IP address); client1 and client2 act as frp clients (in a real deployment, the back-end servers on the LAN that provide the services).
Server side: deploy frp
Upload the compressed package and decompress it
# The archive contains a frp_0.33.0_linux_amd64/ directory; strip it so the binaries land directly in /usr/local/frp
[root@server ~]# mkdir -p /usr/local/frp
[root@server ~]# tar -zxvf frp_0.33.0_linux_amd64.tar.gz -C /usr/local/frp --strip-components=1
Configure the frp configuration file
Provide intranet penetration service for client1
[root@server ~]# vi /usr/local/frp/frps.ini
[common]
# port on which frps accepts connections from frp clients
bind_port = 7000
# port on which frps serves the HTTP proxies (vhost) of the back-end servers
vhost_http_port = 8080
Provide intranet penetration service for client2
[root@server ~]# vi /usr/local/frp/frps_1.ini
[common]
# port on which frps accepts connections from frp clients
bind_port = 7100
# port on which frps serves the HTTP proxies (vhost) of the back-end servers
vhost_http_port = 8088
# Start the intranet penetration service for client1 (the trailing & puts it in the background)
[root@server ~]# nohup /usr/local/frp/frps -c /usr/local/frp/frps.ini >/dev/null 2>&1 &
# Check that the service is listening
[root@server ~]# netstat -tnlp | grep 7000
tcp6       0      0 :::7000                 :::*                    LISTEN      2664/./frps
# Start the intranet penetration service for client2
[root@server ~]# nohup /usr/local/frp/frps -c /usr/local/frp/frps_1.ini >/dev/null 2>&1 &
# Check that the service is listening
[root@server ~]# netstat -tnlp | grep 7100
tcp6       0      0 :::7100                 :::*                    LISTEN      2678/./frps
Client 1: deploy frp
Upload the compressed package and decompress it
[root@client1 ~]# mkdir -p /usr/local/frp
[root@client1 ~]# tar -zxvf frp_0.33.0_linux_amd64.tar.gz -C /usr/local/frp --strip-components=1
Configure the frp configuration file
[root@client1 ~]# vi /usr/local/frp/frpc.ini
[common]
# IP address of the frp server
server_addr = 192.168.29.143
# port the frp server binds (bind_port in frps.ini)
server_port = 7000

# expose the local ssh service
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
# port on the frp server that frps will forward to the local ssh port
remote_port = 6000

# expose the local web service
[web]
type = http
# local web service port
local_port = 80
# domain name under which frps serves this site
custom_domains = www.yourdomain1.com

# Start the service
[root@client1 ~]# /usr/local/frp/frpc -c /usr/local/frp/frpc.ini
# Startup output
[control.go:179] [da1b4bbca0c62ea8] [ssh] start proxy success
[control.go:179] [da1b4bbca0c62ea8] [web] start proxy success
Client 2: deploy frp
Upload the compressed package and decompress it
[root@client2 ~]# mkdir -p /usr/local/frp
[root@client2 ~]# tar -zxvf frp_0.33.0_linux_amd64.tar.gz -C /usr/local/frp --strip-components=1
Configure the frp configuration file
[root@client2 ~]# vi /usr/local/frp/frpc.ini
[common]
# IP address of the frp server
server_addr = 192.168.29.143
# port of the second frps instance (bind_port in frps_1.ini)
server_port = 7100

# expose the local ssh service
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
# port on the frp server that frps will forward to the local ssh port
remote_port = 6100

# expose the local web service
[web]
type = http
# local web service port
local_port = 80
# the same domain as client1; this only works because client2 registers with a
# separate frps instance (port 7100 / vhost 8088). Two proxies claiming the same
# domain on one frps instance would conflict.
custom_domains = www.yourdomain1.com

# Start the service
[root@client2 ~]# /usr/local/frp/frpc -c /usr/local/frp/frpc.ini
# Startup output
[control.go:179] [5689a7618b620415] [ssh] start proxy success
[control.go:179] [5689a7618b620415] [web] start proxy success
Once client1 and client2 have started, check on the server that frps is listening on the remote ports assigned to the ssh proxies. Note that frps binds them on all interfaces (:::6000), so anyone who can reach the server can now attempt a root login on client1 and client2; use key-based authentication on the clients and restrict access to these ports.
[root@server ~]# netstat -tnlp | grep 6000
tcp6       0      0 :::6000                 :::*                    LISTEN      2664/./frps
[root@server ~]# netstat -tnlp | grep 6100
tcp6       0      0 :::6100                 :::*                    LISTEN      2678/./frps
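The configurations above have one gap a practitioner would fix before leaving the lab: neither frps.ini nor the frpc.ini files set a token in [common], so any host that can reach bind_port can register its own proxies through the server. The following lint, an added example that is not part of frp and not code from this page, parses frp 0.33-style ini files and reports that gap together with the mismatches that break a multi-client setup (server_port not matching bind_port, two proxies claiming the same remote_port, two http proxies claiming the same custom domain on one frps). The sample configs are constructed from the page's own files; the token value in the hardened variants is an assumed placeholder.

```python
"""Lint for frp 0.33-style ini files (added example, not frp's own code).

Checks the things that go wrong in a deployment like the one on this page: a frps
with no token (any host that can reach bind_port may register proxies through it),
a client whose server_port does not match frps bind_port, two proxies claiming the
same remote_port, and two http proxies claiming the same custom domain on one frps.
The sample configs are constructed from the page; the hardened ones add a token.
"""
import configparser

FRPS_INI = """\
[common]
bind_port = 7000
vhost_http_port = 8080
"""

CLIENT1_INI = """\
[common]
server_addr = 192.168.29.143
server_port = 7000

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000

[web]
type = http
local_port = 80
custom_domains = www.yourdomain1.com
"""

# client2 on the page differs only in server_port 7100 and remote_port 6100.
CLIENT2_INI = CLIENT1_INI.replace("= 7000", "= 7100").replace("= 6000", "= 6100")

# Hardened variants: a shared secret in [common] (assumed value; use a long random one).
TOKEN = "replace-with-a-long-random-secret"
FRPS_HARDENED = FRPS_INI + f"token = {TOKEN}\n"
CLIENT1_HARDENED = CLIENT1_INI.replace("server_port = 7000\n", f"server_port = 7000\ntoken = {TOKEN}\n")


def parse(text):
    cp = configparser.ConfigParser(inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp


def lint(frps_text, clients):
    """Findings for one frps and a dict of name -> frpc ini that should connect to it."""
    findings = []
    frps = parse(frps_text)
    bind_port = frps.getint("common", "bind_port")
    token = frps.get("common", "token", fallback=None)
    if token is None:
        findings.append(f"frps: no token in [common]; any host reaching port {bind_port} "
                        "can register proxies through this server")
    ports, domains = {}, {}  # remote_port / custom domain -> "client/section" that claimed it
    for name, text in clients.items():
        c = parse(text)
        sp = c.getint("common", "server_port")
        if sp != bind_port:
            findings.append(f"{name}: server_port {sp} does not match frps bind_port {bind_port}")
        if token is not None and c.get("common", "token", fallback=None) != token:
            findings.append(f"{name}: token missing or different from frps")
        for sec in c.sections():
            if sec == "common":
                continue
            owner, ptype = f"{name}/{sec}", c.get(sec, "type", fallback="tcp")
            if ptype in ("tcp", "udp"):
                rp = c.getint(sec, "remote_port")
                if rp in ports:
                    findings.append(f"{owner}: remote_port {rp} already used by {ports[rp]}")
                ports[rp] = owner
            elif ptype in ("http", "https"):
                for d in c.get(sec, "custom_domains", fallback="").split(","):
                    d = d.strip()
                    if d in domains:
                        findings.append(f"{owner}: custom domain {d} already used by {domains[d]}")
                    domains[d] = owner
    return findings


def lint_page_setup():
    """The page's configs with both clients pointed at the first frps (port 7000)."""
    return lint(FRPS_INI, {"client1": CLIENT1_INI, "client2": CLIENT2_INI})


def lint_hardened_setup():
    return lint(FRPS_HARDENED, {"client1": CLIENT1_HARDENED})


if __name__ == "__main__":
    for f in lint_page_setup():
        print("finding:", f)
    print("hardened:", lint_hardened_setup() or "no findings")
```

Run against the page's files with both clients pointed at the first frps, the lint reports the missing token, client2's server_port mismatch and the duplicate custom domain; the page avoids the last two only by running a second frps instance. With a token set on both sides and one client per frps it reports nothing.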
Test and verify ssh service
From the host, ssh to client1 and client2 through the server
# Connect to client1 through the server
> ssh -oPort=6000 root@192.168.29.143
[root@client1 ~]# ip a
    inet 192.168.29.144/24 brd 192.168.29.255 scope global noprefixroute ens33
# Connect to client2 through the server
> ssh -oPort=6100 root@192.168.29.143
[root@client2 ~]# ip a
    inet 192.168.29.142/24 brd 192.168.29.255 scope global noprefixroute ens33
Test and verify web Services
Edit the hosts file on the host so that the custom domain resolves to the server; frps routes each HTTP request to the right client by its Host header, and the port selects the frps instance
192.168.29.143 www.yourdomain1.com
Test client1
Open http://www.yourdomain1.com:8080 in the browser (vhost_http_port of frps.ini, served by client1)
Test client2
Open http://www.yourdomain1.com:8088 in the browser (vhost_http_port of frps_1.ini, served by client2)