c*n
#2
I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 so that it goes to port 22 of my local box instead.
I tried the following but it doesn't work:
sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j DNAT --to-destination 127.0.0.0
sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --to-source $EXTERNAL_BOX_IP
Any ideas?
Thanks a lot
i*s
#3
[The following text is reposted from the BuildingWeb board]
From: interns (ruby), Board: BuildingWeb
Subject: Please recommend an open-source website project (e.g. a forum site or a shopping site) that is suitable for learning
Site: BBS 未名空间站 (Tue Aug 27 16:31:11 2013, US Eastern)
Please recommend an open-source website project (e.g. a forum site or a shopping site) that is suitable for learning.
I'd like to follow along and learn from it.
I think finding a suitable open-source project is the best shortcut to learning IT.
c*n
#5
Figured it out, one more line is needed:
sudo iptables -t nat -A POSTROUTING -d 127.0.0.0 -p tcp --dport 22 -j SNAT --to-source 127.0.0.0
[Quoting c******n]
: I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 so that it goes to port 22 of my local box instead.
: I tried the following but it doesn't work:
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j DNAT --to-destination 127.0.0.0
: sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --to-source $EXTERNAL_BOX_IP
: Any ideas?
: Thanks a lot
j*a
#9
Read this bible:
http://www.frozentux.net/documents/iptables-tutorial/
[Quoting c******n]
: I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 so that it goes to port 22 of my local box instead.
: I tried the following but it doesn't work:
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j DNAT --to-destination 127.0.0.0
: sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --to-source $EXTERNAL_BOX_IP
: Any ideas?
: Thanks a lot
B*M
#10
Not having a stop is really annoying. Several times in the past few days it was deep red before I went to sleep and deep green when I woke up. If I could set a stop, at least I could take some profit.
z*r
#11
It should be:
sudo iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_BOX_IP --dport 22 -j DNAT --to-destination 127.0.0.1
[Quoting c******n]
: I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 so that it goes to port 22 of my local box instead.
: I tried the following but it doesn't work:
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j DNAT --to-destination 127.0.0.0
: sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --to-source $EXTERNAL_BOX_IP
: Any ideas?
: Thanks a lot
l*u
#12
Are you trying to do FORWARDING?
[Quoting c******n]
: I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 so that it goes to port 22 of my local box instead.
: I tried the following but it doesn't work:
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j DNAT --to-destination 127.0.0.0
: sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --to-source $EXTERNAL_BOX_IP
: Any ideas?
: Thanks a lot
c*n
#13
I don't think so; PREROUTING is for incoming messages,
and here the messages are generated by my local process (the ssh client).
I got it working in another post, but here it is:
sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j DNAT --to-destination 127.0.0.1
sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
[Quoting z**r]
: It should be:
: sudo iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_BOX_IP --dport 22 -j DNAT --to-destination 127.0.0.1
c*n
#14
But here's what I don't understand:
I checked the packets in Wireshark.
The first packet sent out by the client is REAL_IP_OF_CLIENT_BOX to 127.0.0.1.
I thought, according to the tutorial http://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg ,
that after DNAT changes the destination IP it goes through another routing decision, so
at this step it should be set to the lo interface, so MASQUERADE should set
its source to 127.0.0.1 ???
Also, Wireshark shows that the return packet is $EXTERNAL_BOX_IP to REAL_IP_OF_CLIENT_BOX; this is fine. But how is my application able to receive this
packet in its TCP connection? My sshd is listening on localhost only, but
the packet is addressed to REAL_IP_OF_CLIENT_BOX.
My ssh client opens a TCP connection to $EXTERNAL_BOX_IP, so the TCP
connection expects to
[Quoting c******n]
: I don't think so; PREROUTING is for incoming messages,
: and here the messages are generated by my local process (the ssh client).
: I got it working in another post, but here it is:
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j DNAT --to-destination 127.0.0.1
: sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
l*u
#15
No matter what you're trying to do, as long as that 127.0.0.1 is in there it shouldn't work.
[Quoting c******n]
: But here's what I don't understand:
: I checked the packets in Wireshark.
: The first packet sent out by the client is REAL_IP_OF_CLIENT_BOX to 127.0.0.1.
: I thought, according to the tutorial http://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg ,
: that after DNAT changes the destination IP it goes through another routing decision, so
: at this step it should be set to the lo interface, so MASQUERADE should set
: its source to 127.0.0.1 ???
: Also, Wireshark shows that the return packet is $EXTERNAL_BOX_IP to REAL_IP_OF_CLIENT_BOX; this is fine. But how is my application able to receive this
: packet in its TCP connection? My sshd is listening on localhost only, but
j*a
#18
Brother, you'd better write in Chinese.
You understood a bit of that tutorial, but you mixed it up with ssh tunnels.
Here you only need the nat OUTPUT chain, not nat POSTROUTING.
[Quoting c******n]
: But here's what I don't understand:
: I checked the packets in Wireshark.
: The first packet sent out by the client is REAL_IP_OF_CLIENT_BOX to 127.0.0.1.
: I thought, according to the tutorial http://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg ,
: that after DNAT changes the destination IP it goes through another routing decision, so
: at this step it should be set to the lo interface, so MASQUERADE should set
: its source to 127.0.0.1 ???
: Also, Wireshark shows that the return packet is $EXTERNAL_BOX_IP to REAL_IP_OF_CLIENT_BOX; this is fine. But how is my application able to receive this
: packet in its TCP connection? My sshd is listening on localhost only, but
z*r
#19
Boss, could you state the whole problem clearly in one go?
[Quoting c******n]
: I don't think so; PREROUTING is for incoming messages,
: and here the messages are generated by my local process (the ssh client).
: I got it working in another post, but here it is:
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j DNAT --to-destination 127.0.0.1
: sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
c*n
#20
Just run this on your Linux box:
################################
# following is yahoo.com address
EXTERNAL_BOX_IP=67.195.160.76
PORT=10000
sudo iptables -t nat -F
sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j DNAT --to-destination 127.0.0.1
sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
###############################
Then do nc -l 10000
as a fake server,
then do nc 67.195.160.76 10000
and type a bunch of characters.
You will see that the listening nc did get the characters you typed at the nc client.
So it worked, but I don't see why.
[Quoting l*****u]
: Where does this SCRIPT run?
: 1. On 127.0.0.1? Then how could it possibly catch packets on EXT_IP?
: 2. On EXT_IP? Then that 127.0.0.1 refers to EXT_IP; who knows which unit it gets forwarded to.
: This is basic networking knowledge. As for you saying it WORKED, that's basically some other coincidence.
l*u
#22
I think I understand a bit now: you mean forwarding all packets from localhost 127.0.0.1 to EXT_IP port 22 back to localhost 127.0.0.1 port 22? That seems very easy. If you want to hijack every LAN machine's packets to EXT_IP port 22 and send them back to port 22 of one particular machine, your script is useless, unless all of the LAN's packets pass through your machine.
[Quoting c******n]
: Just run this on your Linux box:
: ################################
: # following is yahoo.com address
: EXTERNAL_BOX_IP=67.195.160.76
: PORT=10000
: sudo iptables -t nat -F
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j DNAT --to-destination 127.0.0.1
: sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
: ###############################
c*n
#23
Yes, I only care about my tests on the local box.
The script is used in the context of JMX; please see my previous JMX post.
What I don't understand is basically how the kernel is able to properly route
the response packet. It's probably easier to use a plain NAT example.
Let's say my box is in a private network:
my_box 192.168.1.2
        |
        v
gateway_box 192.168.1.1 , public_ip : 111.222.333.888
        |
        v
yahoo.com 111.222.333.444
In a regular NAT case, my_box sends to yahoo.com, the packet is routed to
gateway_box, and gateway_box forwards it to yahoo.com using the FORWARD chain.
gateway_box also applies MASQUERADE so that the source IP of the packet
becomes the public IP of the gateway.
From yahoo.com's view, it is really talking to gateway_box, and sends a
response to 111.222.333.888.
My question is, when the gateway receives the response packet, how is it
able to figure out which IP on its internal network to change the target IP (111.222.333.888) to? It has to use some sort of lookup table, and the
only available key for that lookup table is the source port.
[Quoting l*****u]
: I think I understand a bit now: you mean forwarding all packets from localhost 127.0.0.1 to EXT_IP port 22 back to localhost 127.0.0.1 port 22? That seems very easy. If you want to hijack every LAN machine's packets to EXT_IP port 22 and send them back to port 22 of one particular machine, your script is useless, unless all of the LAN's packets pass through your machine.
c*n
#24
Looks like my guess is right:
http://en.wikipedia.org/wiki/Network_address_translation#NAT_an
"
To avoid ambiguity in the handling of returned packets, a one-to-many NAT
must alter higher level information such as TCP/UDP ports in outgoing
communications and must maintain a translation table so that return packets
can be correctly translated back. RFC 2663 uses the term NAPT (network
address and port translation) for this type of NAT. Other names include PAT
(port address translation), IP masquerading, NAT Overload and many-to-one
NAT. Since this is the most common type of NAT it is often referred to
simply as NAT.
"
[Quoting c******n]
: Yes, I only care about my tests on the local box.
: The script is used in the context of JMX; please see my previous JMX post.
: What I don't understand is basically how the kernel is able to properly route
: the response packet. It's probably easier to use a plain NAT example.
: Let's say my box is in a private network:
: my_box 192.168.1.2
:         |
:         v
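The translation table asked about in #23 and confirmed by the NAPT quote in #24, and the reply path puzzled over in #14 (how the ssh client's socket gets a packet that the sshd on 127.0.0.1 addressed to REAL_IP_OF_CLIENT_BOX), are the same mechanism: netfilter's connection tracking records, per flow, the original tuple and the reply tuple it expects, and NAT rewrites a reply packet by looking up that reply tuple and inverting the original. The Python model below is an added example for this thread, not code from the posts or from the iptables project. Its addresses are taken from the RFC 5737 documentation ranges, and the ports and the `dnat`/`snat` arguments standing in for iptables rules are constructed for illustration.

```python
"""Toy model of netfilter's NAT translation table (conntrack).

Added example for this thread, not code from the posts or from iptables.
Addresses come from the RFC 5737 documentation ranges; ports and the
dnat/snat arguments that stand in for iptables rules are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP flow: (src ip, src port, dst ip, dst port)."""
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The tuple a packet travelling the other way carries."""
        return Flow(self.dst, self.dport, self.src, self.sport)


class NatTable:
    """Per-connection entries: original tuple <-> expected reply tuple.

    The reply direction is keyed by the full (src, sport, dst, dport) of the
    reply packet, so after many-to-one SNAT the translated source port is
    what disambiguates the flows (the point made in #23 and #24).
    """

    def __init__(self):
        self.orig_to_reply = {}
        self.reply_to_orig = {}
        self.used_ports = set()

    def _alloc_port(self, wanted):
        """Keep the client's source port if free, else pick another (PAT)."""
        port = wanted
        while port in self.used_ports:
            port = port + 1 if port < 65535 else 1024
        self.used_ports.add(port)
        return port

    def outgoing(self, pkt, dnat=None, snat=None):
        """Original-direction packet. dnat=(ip, port) models a DNAT rule,
        snat=ip models SNAT/MASQUERADE. Returns the packet as sent on."""
        if pkt in self.orig_to_reply:            # known flow: reuse mapping
            return self.orig_to_reply[pkt].reverse()
        out = pkt
        if dnat is not None:
            out = replace(out, dst=dnat[0], dport=dnat[1])
        if snat is not None:
            out = replace(out, src=snat, sport=self._alloc_port(pkt.sport))
        reply = out.reverse()                    # what the peer will send back
        self.orig_to_reply[pkt] = reply
        self.reply_to_orig[reply] = pkt
        return out

    def reply(self, pkt):
        """Reply-direction packet: undo the NAT, or None when no entry
        matches (conntrack has nothing to translate it back to)."""
        orig = self.reply_to_orig.get(pkt)
        return None if orig is None else orig.reverse()


def gateway_scenario():
    """#23: two LAN hosts behind gateway_box pick the same source port."""
    nat = NatTable()
    gw_public = "198.51.100.1"     # constructed public_ip of gateway_box
    server = "203.0.113.10"        # constructed stand-in for yahoo.com
    a = nat.outgoing(Flow("192.168.1.2", 40000, server, 80), snat=gw_public)
    b = nat.outgoing(Flow("192.168.1.3", 40000, server, 80), snat=gw_public)
    # Both replies are addressed to gw_public; only the port tells them apart.
    ra = nat.reply(Flow(server, 80, gw_public, a.sport))
    rb = nat.reply(Flow(server, 80, gw_public, b.sport))
    return a, b, ra, rb


def local_dnat_scenario():
    """#13/#14: local ssh client to EXTERNAL_BOX_IP:22, DNAT'd in nat OUTPUT
    to 127.0.0.1:22. No SNAT is applied; the table entry alone maps the
    reply back, which is why #18 says nat POSTROUTING is not needed here."""
    nat = NatTable()
    external_box = "203.0.113.22"  # constructed stand-in for $EXTERNAL_BOX_IP
    client_ip = "192.168.1.2"      # REAL_IP_OF_CLIENT_BOX
    sent = nat.outgoing(Flow(client_ip, 51000, external_box, 22),
                        dnat=("127.0.0.1", 22))
    # sshd on 127.0.0.1:22 answers the address it saw: client_ip:51000.
    back = nat.reply(Flow("127.0.0.1", 22, client_ip, 51000))
    return sent, back


if __name__ == "__main__":
    a, b, ra, rb = gateway_scenario()
    print("masqueraded as", a, "and", b)
    print("replies delivered to", (ra.dst, ra.dport), "and", (rb.dst, rb.dport))
    sent, back = local_dnat_scenario()
    print("on the wire:", sent)
    print("client socket sees reply from", (back.src, back.sport))
```

In `gateway_scenario` the second host collides on port 40000 and is given 40001, which is the "alter higher level information such as TCP/UDP ports" step from the NAPT quote; in `local_dnat_scenario` the packet on the wire is REAL_IP:51000 to 127.0.0.1:22, as the Wireshark capture in #14 showed, and the reply from 127.0.0.1:22 comes back to the client rewritten as $EXTERNAL_BOX_IP:22, so it matches the socket the ssh client opened. A reply with no table entry returns `None`, the model's equivalent of a packet conntrack cannot attribute to any NATed flow.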