Set up frp intranet penetration server

Brief introduction

The purpose of NAT traversal is to let packets with a specific source IP address and source port be routed correctly to an intranet host instead of being blocked by the NAT device. When a computer sits inside a LAN, hosts on the outer network and the inner network have to communicate through a mapped port, so that computers on the outer network can find the computers on the inner network.
The problem with the Network Address Translation (NAT) mechanism is that NAT devices automatically block connections initiated by hosts outside the intranet. In other words, packets sent from the external network to the internal network are discarded by the NAT device, which makes it impossible for hosts located behind different NAT devices to exchange information directly. Although this protects intranet hosts from attacks from the external network, it also makes P2P communication more difficult.

Operation mode

Port mapping is what is usually called Network Address Translation (NAT): it translates a public-network address into a private address. An ADSL broadband router working in routing mode has a dynamic or fixed public IP, the ADSL line connects directly to a hub or switch, and all computers share the Internet connection. Run the intranet penetration client on any PC or server in the LAN. The IP address that the domain name resolves to is then the public IP address at the exit of the LAN gateway, and the port on the gateway is mapped to the target device.
The NAT gateway keeps a mapping table that records from which intranet IP and port each request to the public network was sent. When an intranet host sends a request to a public-network device, the request packet reaches the NAT gateway, which rewrites the packet's source IP address and source port to the gateway's own IP address and an unused, non-conflicting port of its own, and records that change in the mapping table. The modified packet is then sent to the target host of the request. When the target host sends back a response, the destination IP address and destination port of the response are looked up in the mapping table to find which intranet host to forward it to. In this way, even without a public IP of their own, intranet hosts can reach public-network devices through NAPT with the help of the router's single public IP.
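As an added illustration of the mapping-table behaviour described above (example code, not part of the original post), here is a minimal Python model of a NAPT gateway: outbound packets are rewritten to the gateway's public IP and a fresh port and recorded, replies are mapped back to the intranet host, and inbound packets with no matching entry are dropped. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NaptGateway:
    """Toy model of the NAPT mapping table described in the text."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.table = {}
        # (lan_ip, lan_port, remote_ip, remote_port) -> public_port
        self.reverse = {}

    def outbound(self, pkt):
        """LAN -> Internet: rewrite the source to the gateway's public IP and an
        unused port, recording the change so replies can be mapped back."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.reverse.get(key)
        if port is None:                      # first packet of this flow
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> LAN: look the reply up in the table and rewrite its
        destination to the intranet host. Packets that no intranet host
        solicited have no entry and are dropped (returns None)."""
        lan = self.table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pkt.dst_ip != self.public_ip or lan is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, lan[0], lan[1])

def demo():
    """Constructed sample flow: client1 (192.168.29.144) behind a gateway with
    public IP 203.0.113.10 talks to a web server at 198.51.100.5."""
    gw = NaptGateway("203.0.113.10")
    out = gw.outbound(Packet("192.168.29.144", 51000, "198.51.100.5", 80))
    reply = gw.inbound(Packet("198.51.100.5", 80, "203.0.113.10", out.src_port))
    # An unsolicited connection attempt from outside to port 22: no mapping, dropped.
    blocked = gw.inbound(Packet("198.51.100.9", 4444, "203.0.113.10", 22))
    return out, reply, blocked
```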

Preparation in advance

Prepare three CentOS 7 virtual machines: configure the IP address and hostname of each, turn off the firewall and SELinux, synchronize the system time, and add the IP address to hostname mappings.

hostname   ip
server     192.168.29.143
client1    192.168.29.144
client2    192.168.29.142

server is the frp server (in a real production environment this would be a server with a public IP address); client1 and client2 are the frp clients (in production, the back-end servers that provide the various services inside the local area network).

Download the frp package
Download address: https://github.com/fatedier/frp/releases

Server-side frp deployment

Upload the compressed package and decompress it

[root@server ~]# mkdir -p /usr/local/frp
[root@server ~]# tar -zxvf frp_0.33.0_linux_amd64.tar.gz -C /usr/local/frp --strip-components=1

Configure the frps configuration file
Provide intranet penetration service for client1

[root@server ~]# vi /usr/local/frp/frps.ini
[common]
# Port on which frps listens for frpc client connections
bind_port = 7000
# Port on which frps serves the HTTP requests that are forwarded to the clients' web services
vhost_http_port = 8080

Provide intranet penetration service for client2

[root@server ~]# vi /usr/local/frp/frps_1.ini
[common]
# Port on which frps listens for frpc client connections
bind_port = 7100
# Port on which frps serves the HTTP requests that are forwarded to the clients' web services
vhost_http_port = 8088

# Start the intranet penetration service for client1 (in the background)
[root@server ~]# nohup /usr/local/frp/frps -c /usr/local/frp/frps.ini >/dev/null 2>&1 &
# Check that the service is listening
[root@server ~]# netstat -tnlp | grep 7000
tcp6       0      0 :::7000                 :::*                    LISTEN      2664/./frps

# Start the intranet penetration service for client2 (in the background)
[root@server ~]# nohup /usr/local/frp/frps -c /usr/local/frp/frps_1.ini >/dev/null 2>&1 &
# Check that the service is listening
[root@server ~]# netstat -tnlp | grep 7100
tcp6       0      0 :::7100                 :::*                    LISTEN      2678/./frps

Deploy frp on client1

Upload the compressed package and decompress it

[root@client1 ~]# mkdir -p /usr/local/frp
[root@client1 ~]# tar -zxvf frp_0.33.0_linux_amd64.tar.gz -C /usr/local/frp --strip-components=1

Configure the frpc configuration file

[root@client1 ~]# vi /usr/local/frp/frpc.ini
[common]
# IP address of the frp server
server_addr = 192.168.29.143
# bind_port of the frp server
server_port = 7000
# ssh proxy
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
# Port opened on the frp server and forwarded to the local ssh port
remote_port = 6000
# Web proxy
[web]
type = http
# Local web service port
local_port = 80
# Custom domain name that frps routes to this web service
custom_domains = www.yourdomain1.com

# Start the client (foreground)
[root@client1 ~]# /usr/local/frp/frpc -c /usr/local/frp/frpc.ini
# Startup output
[control.go:179] [da1b4bbca0c62ea8] [ssh] start proxy success
[control.go:179] [da1b4bbca0c62ea8] [web] start proxy success

Deploy frp on client2

Upload the compressed package and decompress it

[root@client2 ~]# mkdir -p /usr/local/frp
[root@client2 ~]# tar -zxvf frp_0.33.0_linux_amd64.tar.gz -C /usr/local/frp --strip-components=1

Configure the frpc configuration file

[root@client2 ~]# vi /usr/local/frp/frpc.ini
[common]
# IP address of the frp server
server_addr = 192.168.29.143
# bind_port of the second frps instance on the server
server_port = 7100
# ssh proxy
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
# Port opened on the frp server and forwarded to the local ssh port
remote_port = 6100
# Web proxy
[web]
type = http
# Local web service port
local_port = 80
# Custom domain name that frps routes to this web service
custom_domains = www.yourdomain1.com

# Start the client (foreground)
[root@client2 ~]# /usr/local/frp/frpc -c /usr/local/frp/frpc.ini
# Startup output
[control.go:179] [5689a7618b620415] [ssh] start proxy success
[control.go:179] [5689a7618b620415] [web] start proxy success

After client1 and client2 have started their clients, check on the server side that the forwarded ssh ports are listening

[root@server ~]# netstat -tnlp |grep 6000
tcp6       0      0 :::6000                 :::*                    LISTEN      2664/./frps         
[root@server ~]# netstat -tnlp |grep 6100
tcp6       0      0 :::6100                 :::*                    LISTEN      2678/./frps         
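As an added check (example code, not part of the original post and not frp's own tooling), a small Python script that parses a frps.ini/frpc.ini pair like the ones above, confirms the client's server_port matches the server's bind_port, lists the ports frps must end up listening on (the ports the netstat checks verify), and flags that neither side sets frp's [common] token, without which any frpc that can reach bind_port can register proxies on that frps. The embedded configs are constructed copies of the client1 pair with comments stripped.

```python
import configparser

# Constructed copies of the page's client1 pair (comments stripped).
FRPS_INI = """
[common]
bind_port = 7000
vhost_http_port = 8080
"""
FRPC_INI = """
[common]
server_addr = 192.168.29.143
server_port = 7000
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000
[web]
type = http
local_port = 80
custom_domains = www.yourdomain1.com
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def check_pair(frps_text, frpc_text):
    """Return (problems, sorted ports frps must listen on) for one frps/frpc pair."""
    frps, frpc = _parse(frps_text), _parse(frpc_text)
    problems = []
    bind = frps.getint("common", "bind_port")
    server_port = frpc.getint("common", "server_port")
    if server_port != bind:
        problems.append(f"server_port {server_port} != bind_port {bind}")
    # frp's shared token must be set in [common] on both sides to authenticate clients.
    if not (frps.has_option("common", "token") and frpc.has_option("common", "token")):
        problems.append("no token configured on both sides")
    ports = {bind}
    for name in (s for s in frpc.sections() if s != "common"):
        kind = frpc.get(name, "type")
        if kind == "tcp":
            ports.add(frpc.getint(name, "remote_port"))   # e.g. 6000 for [ssh]
        elif kind == "http":
            if frps.has_option("common", "vhost_http_port"):
                ports.add(frps.getint("common", "vhost_http_port"))
            else:
                problems.append(f"[{name}] is http but frps has no vhost_http_port")
    return problems, sorted(ports)
```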

Test and verify the ssh service

From the host, ssh to client1 and client2 through the server

# Connect to client1
>ssh -oPort=6000 root@192.168.29.143
[root@client1 ~]# ip a
    inet 192.168.29.144/24 brd 192.168.29.255 scope global noprefixroute ens33

# Connect to client2
>ssh -oPort=6100 root@192.168.29.143
[root@client2 ~]# ip a
    inet 192.168.29.142/24 brd 192.168.29.255 scope global noprefixroute ens33

Test and verify the web services

Edit the hosts file of the host so that the domain name resolves to the server

192.168.29.143	www.yourdomain1.com

Test client1: open http://www.yourdomain1.com:8080 in a browser

Test client2: open http://www.yourdomain1.com:8088 in a browser

Tags: network ssh firewall SELinux

Posted on Tue, 09 Jun 2020 04:41:38 -0400 by richcrack