CN116233237A - Transparent proxy gateway and working method thereof - Google Patents

Info

Publication number
CN116233237A
Authority
CN
China
Prior art keywords
message
proxy
server
client
port
Legal status
Granted
Application number
CN202211594899.5A
Other languages
Chinese (zh)
Other versions
CN116233237B (en)
Inventor
张庆昆
王众全
陶福成
王伟才
杨广建
Current Assignee
Shandong Security Control Information Technology Co ltd
Original Assignee
Shandong Security Control Information Technology Co ltd
Application filed by Shandong Security Control Information Technology Co ltd
Priority to CN202211594899.5A
Publication of CN116233237A
Application granted
Publication of CN116233237B
Legal status: Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L12/00: Data switching networks
    • H04L12/66: Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • G: Physics
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46: Multiprogramming arrangements
    • G06F9/54: Interprogram communication
    • G06F9/547: Remote procedure calls [RPC]; Web services
    • G06F9/548: Object oriented; Remote method invocation [RMI]
    • Y: General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests
    • Y02: Technologies or applications for mitigation or adaptation against climate change
    • Y02D: Climate change mitigation technologies in information and communication technologies [ICT], i.e. information and communication technologies aiming at the reduction of their own energy use
    • Y02D30/00: Reducing energy consumption in communication networks
    • Y02D30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science
  • Software Systems
  • Theoretical Computer Science
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Physics & Mathematics
  • General Engineering & Computer Science
  • General Physics & Mathematics
  • Data Exchanges In Wide-Area Networks
  • Computer And Data Communications

Abstract

The invention discloses a transparent proxy gateway and a working method thereof. A proxy server and a proxy client are arranged on a virtual network bridge; the hook function hook_prerouting is mounted at the kernel protocol stack checkpoint prerouting of the bridge, and the hook function hook_localout is mounted at the kernel protocol stack checkpoint output of the bridge. hook_prerouting captures and processes a message from the actual client: the message is redirected to the proxy server port and re-injected into the protocol stack, so that it is delivered to the proxy server; the proxy server receives the message and performs a service-level audit on it; the audited message is handed to the proxy client; the message sent by the proxy client is captured by hook_localout, which modifies it to point at the actual server and re-injects it into the protocol stack, so that it is delivered to the actual server.

Description

Transparent proxy gateway and working method thereof
Technical Field
The invention relates to the technical field of transparent proxying, in particular to a transparent proxy gateway and a working method thereof.
Background
The statements in this section merely relate to the background of the present disclosure and may not necessarily constitute prior art.
In the operation and maintenance (O&M) of important information systems, O&M laptops are not allowed to connect to the system directly, so that O&M actions can be controlled. Instead a jump host or gateway is inserted: a proprietary client or a modified third-party tool on the O&M laptop first connects to the jump host over a proprietary protocol, and the jump host then connects to the managed object over the specified protocol. In this mode the existence of the gateway must be known and only the custom tool can be used, so the tools available to O&M personnel are severely limited: suitable tools such as xshell, moba, winscp or putty cannot be chosen according to habit and need, several protocols may not be supported at all, and O&M convenience and capability are greatly reduced.
Disclosure of Invention
To remedy these defects in the prior art, the invention provides a transparent proxy gateway and a working method thereof. By adding hook functions to the kernel protocol stack that process protocol packets, transparent proxying of various network protocols and management and control of data messages are achieved, so that O&M personnel can use any tool for their work without perceiving the gateway inserted in series.
In a first aspect, the invention provides a transparent proxy gateway;
a transparent proxy gateway comprising a virtual bridge, on which a proxy server and a proxy client are arranged;
a hook function hook_prerouting is mounted at the kernel protocol stack checkpoint prerouting of the bridge;
a hook function hook_localout is mounted at the kernel protocol stack checkpoint output of the bridge;
hook_prerouting captures and processes a message from the actual client: the message is redirected to the proxy server port and re-injected into the protocol stack, so that it is delivered to the proxy server; the proxy server receives the message and performs a service-level audit on it; a message that passes the audit is handed to the proxy client; the message sent by the proxy client is captured by hook_localout, which modifies it to point at the actual server and re-injects it into the protocol stack, so that it is delivered to the actual server;
hook_prerouting captures and processes a message from the actual server: the message is redirected to the proxy client port and re-injected into the protocol stack, so that it is delivered to the proxy client; the proxy client receives the service message and hands it to the proxy server for sending; the message sent by the proxy server is captured by hook_localout, which modifies it to point at the actual client and re-injects it into the protocol stack, so that it is delivered to the actual client.
In a second aspect, the invention provides a working method of the transparent proxy gateway;
a working method of a transparent proxy gateway comprises a handshake process and a service message transmission process;
the handshake process comprises establishing a connection between the actual client and the proxy server, and establishing a connection between the proxy client and the actual server, the proxy server and the proxy client both being arranged on the virtual bridge;
the service message transmission process comprises: the actual client sends a message; the proxy server identifies the protocol used by the message and parses the message according to that protocol; the proxy server judges whether the parsed message contains a high-risk command; if it does, an alarm interface is output, and if the high-risk command is confirmed by authorization, the message content is ferried to the proxy client, which sends it to the actual server; the actual server executes the message content and returns the execution result to the proxy client; the proxy client takes out the result and hands it to the proxy server, which transmits it to the actual client; if the high-risk command does not pass authorization, the parsed message is discarded and is ferried neither to the proxy client nor to the actual server.
Compared with the prior art, the invention has the following beneficial effects:
the transparent proxy gateway only needs to be connected in series between the O&M laptop (client) and the managed object (server); O&M personnel do not need to know the address of the gateway, need no specific tool and do not connect to the gateway with a tool, but communicate directly with the managed object using any O&M tool.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention.
FIG. 1 is a schematic diagram of a topology of a first embodiment;
FIG. 2 is a schematic diagram of the internal structure of the transparent proxy gateway according to the first embodiment.
Detailed Description
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the invention. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of exemplary embodiments according to the present invention. As used herein, unless the context clearly indicates otherwise, the singular forms also are intended to include the plural forms, and furthermore, it is to be understood that the terms "comprises" and "comprising" and any variations thereof are intended to cover non-exclusive inclusions, such as, for example, processes, methods, systems, products or devices that comprise a series of steps or units, are not necessarily limited to those steps or units that are expressly listed, but may include other steps or units that are not expressly listed or inherent to such processes, methods, products or devices.
Embodiments of the invention and features of the embodiments may be combined with each other without conflict.
All data acquisition in the embodiment is legal application of the data on the basis of meeting laws and regulations and agreements of users.
The invention discloses a transparent proxy gateway and a working method thereof, which work on Linux 2.4 and later. The design principle of the technical scheme is as follows: first, hook functions are constructed that implement packet filtering, network address translation, protocol type conversion and similar functions; second, checkpoints are set at several positions along the full life cycle of the gateway's network data flow, and the hook functions are registered at those checkpoints to filter network access data and proxy it transparently; finally, the hook functions are packaged and combined with the checkpoints to form the transparent proxy gateway.
Example 1
This embodiment provides a transparent proxy gateway;
as shown in FIG. 1 and FIG. 2, a transparent proxy gateway comprises a virtual bridge, on which a proxy server and a proxy client are arranged;
a hook function hook_prerouting is mounted at the kernel protocol stack checkpoint prerouting of the bridge;
a hook function hook_localout is mounted at the kernel protocol stack checkpoint output of the bridge;
hook_prerouting captures and processes a message from the actual client: the message is redirected to the proxy server port and re-injected into the protocol stack, so that it is delivered to the proxy server; the proxy server receives the message and performs a service-level audit on it; a message that passes the audit is handed to the proxy client; the message sent by the proxy client is captured by hook_localout, which modifies it to point at the actual server and re-injects it into the protocol stack, so that it is delivered to the actual server;
hook_prerouting captures and processes a message from the actual server: the message is redirected to the proxy client port and re-injected into the protocol stack, so that it is delivered to the proxy client; the proxy client receives the service message and hands it to the proxy server for sending; the message sent by the proxy server is captured by hook_localout, which modifies it to point at the actual client and re-injects it into the protocol stack, so that it is delivered to the actual client.
Further, the kernel protocol stack checkpoint prerouting refers to the NF_INET_PRE_ROUTING hook point, which intercepts received messages before routing so that they can be filtered or modified, for example by changing the address and port of the message.
The kernel protocol stack checkpoint output refers to the NF_INET_LOCAL_OUT hook point, which intercepts messages generated by the local machine before routing so that they can be filtered and modified, for example by changing the address and port of the message.
The hook function hook_prerouting is mounted at prerouting and modifies the address and port of a message; the modified message is forwarded to the local proxy, which achieves transparent proxying together with the parsing, management and control of the service message.
The hook function hook_localout is mounted at output and intercepts messages, modifying their address and port so that they point at the real destination address and port.
Further, the proxy server port is used to listen for and receive the connection that the actual client sends to the actual server, together with the service packets that follow that connection.
Further, the proxy client port is a port srcport randomly allocated to each connection, used by the proxy client to connect to and communicate with the actual server.
Further, the proxy server communicates with the actual client using the bridge address serverip and the proxy server port serverport; it reads the messages sent by the actual client, performs service-level analysis and decides, according to whether the release conditions are met, whether to hand the message to the proxy client, thereby achieving management and control.
Further, the proxy client communicates with the actual server using the bridge address serverip and the proxy client port srcport, forwarding the service interaction messages.
Further, the bridge is allocated a bridge address serverip, and the proxy server listens on the proxy server port of that address.
Further, hook_prerouting capturing and processing a message from the actual client specifically comprises: hook_prerouting changes the source address of the message from the actual client to the virtual address vip, the source port to the virtual port vport, the destination address to the bridge address serverip and the destination port to the proxy server port.
Further, the message sent by the proxy client being captured by hook_localout, modified to point at the actual server and delivered to it after re-injection into the protocol stack specifically comprises the following:
the proxy client sends the message from the proxy client port srcport to the virtual port vport of the virtual address vip; hook_localout processes the sent message, changes the destination ip to the address of the actual server and the destination port to the port of the actual server, and writes the message back into the protocol stack, from which it is routed to the actual server.
Further, hook_prerouting capturing and processing a message from the actual server specifically comprises:
hook_prerouting changes the source address of the message from the actual server to the virtual address vip, the source port to vport, the destination address to the bridge address serverip and the destination port to the proxy client port srcport.
Further, the message sent by the proxy server being captured by hook_localout, modified to point at the actual client and delivered to it after re-injection into the protocol stack specifically comprises:
the proxy server sends the message from the proxy server port to the virtual port vport of the virtual address vip; hook_localout changes the destination address to the address of the actual client and the destination port to the port of the actual client, and writes the message back into the protocol stack, from which it is routed to the actual client.
To achieve management and control of service messages, protocol proxies are used: a proxy server facing the actual client and a proxy client facing the actual server. A message sent by the actual client to the actual server is forwarded to the proxy server, which extracts and analyses the service message and decides whether it is forwarded to the proxy client; the proxy client then forwards the service message to the actual server.
To make the proxying transparent, the messages travelling on the network must not carry the ip address, port or mac address of the gateway; that is, the source mac address, source ip, source port, destination mac address, destination ip and destination port of a message sent by the actual client or returned by the actual server must be the same when the message leaves the gateway as when it entered it.
Management and control of messages takes place at the proxy server end. Before messages are received and exchanged, the specific communication protocol, such as ftp, ssh or telnet, is automatically identified from the characteristics of the initial message that each protocol sends; the message is then parsed according to that protocol, and the transmitted content can be managed and controlled at the service level.
It is worth mentioning that the invention can work passively in Linux kernel mode, capturing the data flow of the O&M client's network access in real time, filtering the flow and relaying the data promptly, so as to provide a fast and effective transparent proxy between the O&M client and the managed object. Compared with a network data proxy system built on a standard application framework, the system and method are more efficient, run more stably and are better suited to the application scenarios of O&M systems.
Example 2
This embodiment provides a working method of the transparent proxy gateway;
a working method of a transparent proxy gateway comprises a handshake process and a service message transmission process;
the handshake process comprises establishing a connection between the actual client and the proxy server, and establishing a connection between the proxy client and the actual server, the proxy server and the proxy client both being arranged on the virtual bridge;
the service message transmission process comprises: the actual client sends a message; the proxy server identifies the protocol used by the message and parses the message according to that protocol; the proxy server judges whether the parsed message contains a high-risk command; if it does, an alarm interface is output, and if the high-risk command is confirmed by authorization, the message content is ferried to the proxy client, which sends it to the actual server; the actual server executes the message content and returns the execution result to the proxy client; the proxy client takes out the result and hands it to the proxy server, which transmits it to the actual client; if the high-risk command does not pass authorization, the parsed message is discarded and is ferried neither to the proxy client nor to the actual server.
Further, establishing the connection between the actual client and the proxy server specifically comprises:
the transparent proxy gateway builds a virtual bridge, allocates it the IP address serverip, listens on the proxy server port serverport, and registers the hook functions hook_prerouting and hook_localout in the protocol stack;
the actual client initiates a connection to the actual server and sends the first frame of the TCP handshake, syn(smac, sip, sport, tmac, tip, tport);
where smac is the client mac address, sip the client ip address, sport the client port, tmac the server mac address, tip the server ip address and tport the server port;
the transparent proxy gateway saves the first frame syn of the handshake and forwards it unchanged to the actual server;
the actual server returns the second frame of the handshake, syn+ack, to the actual client through the transparent proxy gateway;
from the second frame the transparent proxy gateway confirms that the connection can be established; hook_prerouting then changes the destination ip address tip of the first frame to the bridge address serverip, its destination port tport to the proxy server port serverport, its source ip address sip to the virtual ip address vip and its source port sport to the virtual port vport;
the proxy server port receives the first frame syn and returns the second frame of the handshake to (vip, vport); hook_localout captures the message sent from the bridge address serverip and proxy server port serverport to the virtual address vip and virtual port vport, changes its source address to the actual server address tip, its source port to the actual server port tport, its destination address to the actual client address sip and its destination port to the actual client port sport, and the message is sent to the actual client after further processing by the protocol stack;
the actual client replies with the third frame of the handshake, ack, to the actual server through the transparent proxy gateway;
hook_prerouting of the transparent proxy gateway converts the source and destination addresses of the client message so that it points at the proxy server, and after re-entering the protocol stack the message is routed to the proxy server; the connection between the actual client and the proxy server is thereby established.
Further, establishing the connection between the proxy client and the actual server specifically comprises:
the proxy client of the transparent proxy gateway initiates a connection to the virtual address vip and virtual port vport using a network socket bound to the bridge address serverip and a randomly allocated port srcport;
hook_localout of the transparent proxy gateway captures the syn message sent to the virtual address vip and virtual port vport and judges whether it comes from the proxy client; if so, it takes the stored second frame of the handshake, changes its source address to the virtual address vip, its source port to the virtual port vport, its destination address to the bridge address serverip and its destination port to the proxy client port srcport, and returns this second frame to the proxy client;
the proxy client replies with the third frame of the handshake, ack, to the virtual address vip and virtual port vport;
hook_localout of the transparent proxy gateway captures the third frame, changes its source address and port to sip and sport and its destination address and port to tip and tport, and the message is routed to the actual server;
the actual server receives the third frame, and the connection between the proxy client and the actual server is thereby established.
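As an added illustration, not code from the patent, the following userspace C model applies the four address rewrites that the description assigns to hook_prerouting and hook_localout (Example 1) and that the handshake steps above reuse for the saved frames, and checks the stated transparency invariant that addresses and ports are unchanged outside the gateway. The struct layout, addresses and ports are constructed assumptions; nothing here calls the kernel's Netfilter API.

```c
/* Constructed userspace model of the hook_prerouting / hook_localout address
 * rewriting described for the transparent proxy gateway. Only IPv4 addresses
 * and TCP ports are modelled; MAC handling and Netfilter registration are not. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t sip, dip;     /* source / destination IPv4 address */
    uint16_t sport, dport; /* source / destination TCP port */
} tuple_t;

/* Gateway parameters: bridge address serverip, proxy server port serverport,
 * and the virtual address/port (vip, vport) that both proxies send to. */
typedef struct { uint32_t serverip, vip; uint16_t serverport, vport; } gateway_t;

/* Per-connection state saved from the first handshake frame: actual client
 * (sip, sport), actual server (tip, tport), and the proxy client port srcport
 * randomly allocated to this connection. */
typedef struct { uint32_t sip, tip; uint16_t sport, tport, srcport; } conn_t;

typedef enum { VERDICT_UNTOUCHED, VERDICT_REWRITTEN } verdict_t;

static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}
static bool matches(const tuple_t *t, uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport) {
    return t->sip == sip && t->sport == sport && t->dip == dip && t->dport == dport;
}
static void rewrite(tuple_t *t, uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport) {
    t->sip = sip; t->sport = sport; t->dip = dip; t->dport = dport;
}

/* hook_prerouting (NF_INET_PRE_ROUTING): frames arriving from the wire. */
verdict_t hook_prerouting(const gateway_t *gw, const conn_t *c, tuple_t *pkt) {
    /* actual client -> actual server: redirect to the proxy server port */
    if (matches(pkt, c->sip, c->sport, c->tip, c->tport)) {
        rewrite(pkt, gw->vip, gw->vport, gw->serverip, gw->serverport);
        return VERDICT_REWRITTEN;
    }
    /* actual server -> actual client (this also covers the saved syn+ack of
     * the handshake): redirect to the proxy client port srcport */
    if (matches(pkt, c->tip, c->tport, c->sip, c->sport)) {
        rewrite(pkt, gw->vip, gw->vport, gw->serverip, c->srcport);
        return VERDICT_REWRITTEN;
    }
    return VERDICT_UNTOUCHED;   /* unrelated traffic passes unchanged */
}

/* hook_localout (NF_INET_LOCAL_OUT): frames the bridge itself emits towards
 * (vip, vport); only the two proxy sockets' traffic is rewritten. */
verdict_t hook_localout(const gateway_t *gw, const conn_t *c, tuple_t *pkt) {
    /* proxy client -> (vip, vport): leave as the actual client, towards the server */
    if (matches(pkt, gw->serverip, c->srcport, gw->vip, gw->vport)) {
        rewrite(pkt, c->sip, c->sport, c->tip, c->tport);
        return VERDICT_REWRITTEN;
    }
    /* proxy server -> (vip, vport): leave as the actual server, towards the client */
    if (matches(pkt, gw->serverip, gw->serverport, gw->vip, gw->vport)) {
        rewrite(pkt, c->tip, c->tport, c->sip, c->sport);
        return VERDICT_REWRITTEN;
    }
    return VERDICT_UNTOUCHED;
}

/* Transparency invariant from the description: a message entering on one side
 * must leave with exactly the addresses and ports it arrived with. The
 * application-layer ferry (proxy server -> proxy client or the reverse) is
 * modelled by the peer proxy socket emitting a frame towards (vip, vport). */
bool path_is_transparent(const gateway_t *gw, const conn_t *c, bool client_to_server) {
    tuple_t in, out;
    if (client_to_server) rewrite(&in, c->sip, c->sport, c->tip, c->tport);
    else                  rewrite(&in, c->tip, c->tport, c->sip, c->sport);
    out = in;
    if (hook_prerouting(gw, c, &out) != VERDICT_REWRITTEN) return false;
    /* the frame must now be addressed to the correct local proxy port */
    uint16_t local = client_to_server ? gw->serverport : c->srcport;
    if (!matches(&out, gw->vip, gw->vport, gw->serverip, local)) return false;
    if (client_to_server) rewrite(&out, gw->serverip, c->srcport, gw->vip, gw->vport);
    else                  rewrite(&out, gw->serverip, gw->serverport, gw->vip, gw->vport);
    if (hook_localout(gw, c, &out) != VERDICT_REWRITTEN) return false;
    return matches(&out, in.sip, in.sport, in.dip, in.dport);
}

int main(void) {
    /* constructed sample topology: client 10.0.0.100:51000 -> server 10.0.0.50:22 */
    gateway_t gw = { .serverip = ip4(10, 0, 0, 2), .vip = ip4(192, 0, 2, 1),
                     .serverport = 2222, .vport = 40000 };
    conn_t c = { .sip = ip4(10, 0, 0, 100), .tip = ip4(10, 0, 0, 50),
                 .sport = 51000, .tport = 22, .srcport = 38000 };
    printf("client->server transparent: %d\n", path_is_transparent(&gw, &c, true));
    printf("server->client transparent: %d\n", path_is_transparent(&gw, &c, false));
    return 0;
}
```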
Further, the service message transmission process comprises:
the actual client sends a message to the transparent proxy gateway;
hook_prerouting of the transparent proxy gateway captures the service message, changes its destination to the bridge address and proxy server port (serverip, serverport), and sends it to the proxy server;
the proxy server takes out the service message and matches the protocol used by the current message against the feature codes of the various protocols;
the message is parsed according to that protocol and the parsed content is examined for high-risk commands; if none is found, the message is ferried directly to the proxy client; if a high-risk command is found, an alarm interface is presented and the authorization decision is awaited; if authorization passes, the message is ferried to the proxy client; if authorization is refused, the current message is discarded;
the proxy client repackages the received message and sends it to the virtual address and virtual port (vip, vport);
the output hook function of the transparent proxy gateway changes the source of the message from the bridge address and proxy client port (serverip, srcport) to (sip, sport) and its destination to (tip, tport), and sends it to the actual server;
the server receives the message, parses and executes the command in it, and sends the command result back to (sip, sport);
the prerouting hook function of the transparent proxy gateway captures the returned message, changes its source to the virtual address and virtual port (vip, vport) and its destination to the bridge address and proxy client port (serverip, srcport), and routes it to the proxy client;
the proxy client ferries the returned service data to the proxy server, which packages it and sends it to the client;
the client receives and displays the command execution result.
The handshake process is the key to establishing the transparent connection: it establishes the connection between the client and the proxy server and the connection between the proxy client and the server, and it is precisely because these two connections exist that service data can be managed and ferried between them.
The service message transmission process mainly implements protocol identification and the management and control of service-level commands.
The message sent from the client to the server is taken out by the proxy server through the connection between the client and the proxy server; the specific protocol, such as ssh, telnet or ftp, is matched by its protocol feature code, and once identified the message is passed to the corresponding protocol processing module, which parses the service data. If the message contains a high-risk command, such as reboot, rm or similar commands in the ssh protocol, the interface raises an alarm and the command is sent only after authorization has been confirmed. If authorization passes, the command is ferried to the proxy client and transmitted to the server for execution over the connection between the proxy client and the server, and the execution result is passed back and transmitted to the client; if the ferrying is refused, the command is discarded and reaches neither the proxy client nor the server, so that high-risk commands are managed and controlled. During the transmission of service messages, the client and the server cannot perceive the existence of the gateway proxy, which achieves the effect of a transparent proxy.
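As an added example, not from the patent, the following C code models the proxy server's audit path described above: protocol identification from the first client message by feature code, high-risk command detection on the parsed command text, and the alarm, authorization and ferry-or-drop decision. The feature codes, the high-risk entries beyond reboot and rm, and the callback standing in for the alarm interface are assumptions; the page describes per-protocol parsing without giving formats, so the input here is already-extracted command text.

```c
/* Constructed model of the proxy server's audit path: protocol identification
 * by feature code, high-risk command detection on the parsed command text, and
 * the alarm / authorization / ferry-or-drop decision. The feature codes and the
 * high-risk list are illustrative assumptions, not the patent's own. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { PROTO_UNKNOWN, PROTO_SSH, PROTO_TELNET, PROTO_FTP } proto_t;
typedef enum { AUDIT_PASS, AUDIT_ALARM } audit_t;
typedef enum { ACTION_FERRY, ACTION_DROP } action_t;

/* Identify the protocol from the first bytes the client sends (assumed feature
 * codes: SSH identification string, telnet IAC option negotiation, FTP USER). */
proto_t identify_protocol(const unsigned char *buf, size_t len) {
    if (len >= 4 && memcmp(buf, "SSH-", 4) == 0) return PROTO_SSH;
    if (len >= 1 && buf[0] == 0xFF) return PROTO_TELNET;        /* IAC */
    if (len >= 5 && memcmp(buf, "USER ", 5) == 0) return PROTO_FTP;
    return PROTO_UNKNOWN;
}

/* Commands treated as high-risk; reboot and rm are the description's examples,
 * the rest are constructed additions. */
static const char *const HIGH_RISK[] = { "reboot", "rm", "shutdown", "mkfs", "dd", "halt" };

static bool is_separator(char ch) { return ch == ';' || ch == '|' || ch == '&'; }

/* A token is high-risk if its basename (path prefix stripped) is in the list. */
static bool token_is_high_risk(const char *tok, size_t n) {
    for (size_t i = n; i > 0; i--)
        if (tok[i - 1] == '/') { tok += i; n -= i; break; }
    for (size_t k = 0; k < sizeof HIGH_RISK / sizeof HIGH_RISK[0]; k++)
        if (strlen(HIGH_RISK[k]) == n && memcmp(HIGH_RISK[k], tok, n) == 0) return true;
    return false;
}

/* Scan a command line: only tokens in command position (the first word, the
 * word after ; | &, or the word after a sudo prefix) are checked, so an
 * argument such as "echo rm" does not raise an alarm. */
bool contains_high_risk_command(const char *line) {
    bool cmd_pos = true;
    const char *p = line;
    while (*p) {
        if (isspace((unsigned char)*p)) { p++; continue; }
        if (is_separator(*p)) { cmd_pos = true; p++; continue; }
        const char *start = p;
        while (*p && !isspace((unsigned char)*p) && !is_separator(*p)) p++;
        size_t n = (size_t)(p - start);
        if (cmd_pos) {
            if (token_is_high_risk(start, n)) return true;
            /* "sudo" keeps the next word in command position */
            cmd_pos = (n == 4 && memcmp(start, "sudo", 4) == 0);
        }
    }
    return false;
}

audit_t audit_command(const char *command_text) {
    return contains_high_risk_command(command_text) ? AUDIT_ALARM : AUDIT_PASS;
}

/* The alarm interface is modelled as a callback answering whether the operator
 * authorized the flagged command. */
typedef bool (*authorize_fn)(const char *command_text);

/* Ferry the message to the proxy client, or discard it, following the decision
 * sequence the description gives. */
action_t ferry_decision(const char *command_text, authorize_fn authorize) {
    if (audit_command(command_text) == AUDIT_PASS) return ACTION_FERRY;
    return authorize(command_text) ? ACTION_FERRY : ACTION_DROP;
}

/* Two stand-in operators for demonstration. */
bool authorize_always(const char *command_text) { (void)command_text; return true; }
bool authorize_never(const char *command_text)  { (void)command_text; return false; }

int main(void) {
    const char *sample = "cd /var/log && rm -rf old";   /* constructed session line */
    printf("%s -> %s\n", sample,
           ferry_decision(sample, authorize_never) == ACTION_DROP ? "dropped" : "ferried");
    return 0;
}
```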
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, but various modifications and variations can be made to the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A transparent proxy gateway, comprising: a virtual bridge; the virtual bridge is provided with a proxy server and a proxy client;
a hook function hook_prerouting is mounted at the kernel protocol stack checkpoint prerouting of the bridge;
a hook function hook_localout is mounted at the kernel protocol stack checkpoint output of the bridge;
the hook function hook_prerouting captures and processes a message from the actual client, redirects the message to the proxy server port and re-injects it into the protocol stack so that it is delivered to the proxy server; the proxy server receives the message and performs service audit on it, and a message that passes the service audit is handed to the proxy client; the message sent by the proxy client is captured by the hook function hook_localout, which modifies the message to point to the actual server and re-injects it into the protocol stack so that it is sent to the actual server;
the hook function hook_prerouting captures and processes a message from the actual server, redirects the message to the proxy client port and re-injects it into the protocol stack so that it is delivered to the proxy client; the proxy client receives the service message and hands it to the proxy server for sending; the message sent by the proxy server is captured by the hook function hook_localout, which modifies the message to point to the actual client and re-injects it into the protocol stack so that it is sent to the actual client.
2. The transparent proxy gateway of claim 1, wherein the kernel protocol stack checkpoint prerouting is the NF_INET_PRE_ROUTING hook point, which intercepts a received message before routing so that the message can be filtered or modified;
the kernel protocol stack checkpoint output is the NF_INET_LOCAL_OUT hook point, which intercepts a message generated by the local host before routing so that the message can be filtered or modified, for example its address and port can be changed;
the hook function hook_prerouting is the hook function mounted at prerouting; it modifies the address and port of a message so that the message is forwarded to the local proxy, which achieves the transparent proxy and the analysis, management and control of service messages;
the hook function hook_localout is the hook function mounted at output; it intercepts a message and modifies its address and port to point to the real destination address and port.
3. The transparent proxy gateway of claim 1, wherein the proxy server port is used to accept the connection that the actual client sends to the actual server, together with the service messages that follow on that connection;
the proxy client port is used by the proxy client to connect and communicate with the actual server;
the proxy server communicates with the actual client using the bridge address serverip and the proxy server port; it reads the message sent by the actual client, performs service analysis on it and decides, according to whether the release conditions are met, whether to ferry the message to the proxy client, which achieves management and control;
the proxy client communicates with the actual server using the bridge address serverip and the proxy client port srcport, and forwards the service interaction messages;
the bridge is assigned the bridge address serverip, and the proxy server port of the bridge address serverip is listened on to act as the proxy server.
4. The transparent proxy gateway of claim 1, wherein the hook function hook_prerouting capturing and processing a message from the actual client specifically comprises: the hook function hook_prerouting modifies the source address of the communication message from the actual client to the virtual address vip, the source port to the virtual port vport, the destination address to the bridge address serverip and the destination port to the proxy server port.
5. The transparent proxy gateway of claim 1, wherein the message sent by the proxy client being captured by the hook function hook_localout, which modifies the message to point to the actual server and re-injects it into the protocol stack so that it is sent to the actual server, specifically comprises:
the proxy client sends the message from the proxy client port srcport to the virtual port vport of the virtual address vip; the hook function hook_localout processes the sent message, changing the destination address to the address of the actual server and the destination port to the port of the actual server, and the message is written back into the protocol stack and then routed to the actual server.
6. The transparent proxy gateway of claim 1, wherein the hook function hook_prerouting capturing and processing a message from the actual server specifically comprises:
the hook function hook_prerouting modifies the source address of the communication message from the actual server to the virtual address vip, the source port to the virtual port vport, the destination address to the bridge address serverip and the destination port to the proxy client port srcport.
7. The transparent proxy gateway of claim 1, wherein the message sent by the proxy server being captured by the hook function hook_localout, which modifies the message to point to the actual client and re-injects it into the protocol stack so that it is sent to the actual client, specifically comprises:
the proxy server sends the message from the proxy server port to the virtual port vport of the virtual address vip; the hook function hook_localout changes the destination address to the address of the actual client and the destination port to the port of the actual client, and the message is written back into the protocol stack and then routed to the actual client.
8. A working method of the transparent proxy gateway, characterized by comprising: a handshake process and a service message transmission process;
wherein the handshake process comprises: establishing a connection between the actual client and the proxy server, and establishing a connection between the proxy client and the actual server; both the proxy server and the proxy client are arranged on the virtual bridge;
the service message transmission process comprises the following steps: the actual client sends a message; the proxy server identifies the protocol used by the message and parses the message according to that protocol; the proxy server judges whether the parsed message contains a high-risk command, and if it does, an alarm interface is output; if the high-risk command is authorized and confirmed, the content of the message is ferried to the proxy client, which sends it to the actual server; the actual server executes the content of the message and returns the execution result to the proxy client; the proxy client reads the result out and hands it to the proxy server, which transmits it to the actual client; if the high-risk command does not pass authorization confirmation, the parsed message is discarded and is ferried neither to the proxy client nor to the actual server.
9. The working method of the transparent proxy gateway as claimed in claim 8, wherein establishing a connection between the actual client and the proxy server specifically comprises:
the transparent proxy gateway builds a virtual bridge, assigns it the IP address serverip, listens on the proxy server port serverport, and registers the hook function hook_prerouting and the hook function hook_localout in the protocol stack;
the actual client initiates a connection to the actual server by sending the first frame of the TCP handshake, a syn message;
the transparent proxy gateway saves the first frame syn message of the handshake and forwards it directly to the actual server;
the actual server returns the second frame of the handshake, a syn+ack message, towards the actual client through the transparent proxy gateway;
from the second frame the transparent proxy gateway confirms that the connection can be established; the hook function hook_prerouting modifies the destination ip address tip of the first handshake frame to the bridge address serverip, its destination port tport to the proxy server port serverport, its source ip address sip to the virtual ip address vip and its source port sport to the virtual port vport;
the proxy server port receives the first frame syn message and returns the second frame of the handshake to (vip, vport); the hook function hook_localout captures the message sent from the bridge address serverip and proxy server port serverport to the virtual IP address vip and virtual port vport, changes the source address to the actual server address tip, the source port to the actual server port tport, the destination address to the actual client address sip and the destination port to the actual client port sport, and after further processing by the protocol stack the message is sent to the actual client;
the actual client replies with the third frame of the handshake, an ack message, to the actual server through the transparent proxy gateway;
the hook function hook_prerouting of the transparent proxy gateway converts the source and destination addresses of the client message so that it points to the proxy server, and after re-entering the protocol stack the message is routed to the proxy server, which completes the establishment of the connection between the actual client and the proxy server.
10. The working method of the transparent proxy gateway as claimed in claim 8, wherein establishing a connection between the proxy client and the actual server specifically comprises:
the proxy client of the transparent proxy gateway initiates a connection to the virtual address vip and virtual port vport using a network socket;
the hook function hook_localout of the transparent proxy gateway captures the syn message sent to the virtual address vip and virtual port vport and judges whether it comes from the proxy client; if so, it modifies the source address of the saved second handshake frame to the virtual address vip, its source port to the virtual port vport, its destination address to the bridge address serverip and its destination port to the proxy client port srcport, and returns this second handshake frame to the proxy client;
the proxy client replies with the third handshake frame, an ack message, to the virtual address vip and virtual port vport;
the hook function hook_localout of the transparent proxy gateway captures the third handshake frame, modifies its source address and port to sip and sport and its destination address and port to tip and tport, and routes the message to the actual server;
the actual server receives the third handshake frame, and the connection between the proxy client and the actual server is thereby established.
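The address rewriting of claims 4 to 7 and the spliced handshake of claims 9 and 10 are easiest to check as a state machine. The Python below is an added model written for this page, not the patent's kernel code: packets are plain records, each hook returns a verdict (forward on the bridge, deliver to the local stack, drop) plus the rewritten packet, one vport is allocated per intercepted flow, and the proxy client's port srcport is learned from its syn; all of these are assumptions. It also fills in one detail the claims leave out: the proxy client's own syn carries its own initial sequence number, so the saved syn+ack, and every later ack from the actual server, must have its ack number shifted by the difference between the actual client's and the proxy client's initial sequence numbers, and the proxy client's sequence numbers shifted back the other way. A real hook must additionally recompute the IP and TCP checksums after every rewrite, which the model omits.

```python
from dataclasses import dataclass, replace

FORWARD, LOCAL, DROP = "forward", "local", "drop"   # hook verdicts


@dataclass(frozen=True)
class Pkt:
    """Constructed stand-in for a TCP segment: only the fields the hooks touch."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # "SYN", "SYN+ACK", "ACK", "PSH+ACK"
    seq: int = 0
    ack: int = 0
    payload: bytes = b""


class TransparentProxyGateway:
    """serverip/serverport: bridge address and proxy server listening port (claim 3);
    vip: virtual peer address both local proxies talk to.  One vport per flow and
    learning srcport from the proxy client's SYN are assumptions of this model."""

    def __init__(self, serverip, serverport, vip, vport_base=40000):
        self.serverip, self.serverport, self.vip = serverip, serverport, vip
        self.next_vport = vport_base
        self.by_client = {}   # (sip, sport) -> flow record
        self.by_vport = {}    # vport -> flow record

    def _new_flow(self, syn):
        vport, self.next_vport = self.next_vport, self.next_vport + 1
        flow = dict(sip=syn.src, sport=syn.sport, tip=syn.dst, tport=syn.dport,
                    vport=vport, state="SYN_FORWARDED", saved_syn=syn,
                    saved_synack=None, srcport=None, delta=0)
        self.by_client[(syn.src, syn.sport)] = flow
        self.by_vport[vport] = flow

    def hook_prerouting(self, pkt):
        """NF_INET_PRE_ROUTING on the bridge: every packet from either side."""
        flow = self.by_client.get((pkt.src, pkt.sport))
        if flow is None and pkt.flags == "SYN":
            self._new_flow(pkt)             # claim 9: first SYN reaches the real server untouched
            return FORWARD, pkt
        if flow is not None and (pkt.dst, pkt.dport) == (flow["tip"], flow["tport"]):
            if flow["state"] == "SYN_FORWARDED":
                return FORWARD, pkt         # SYN retransmit while the real server is silent
            # claim 4: actual client -> proxy server
            return LOCAL, replace(pkt, src=self.vip, sport=flow["vport"],
                                  dst=self.serverip, dport=self.serverport)
        flow = self.by_client.get((pkt.dst, pkt.dport))
        if flow is not None and (pkt.src, pkt.sport) == (flow["tip"], flow["tport"]):
            if flow["state"] == "SYN_FORWARDED" and pkt.flags == "SYN+ACK":
                # claim 9: keep the server's SYN+ACK, replay the stored SYN to the proxy server
                flow["saved_synack"], flow["state"] = pkt, "SYNACK_SAVED"
                return LOCAL, replace(flow["saved_syn"], src=self.vip, sport=flow["vport"],
                                      dst=self.serverip, dport=self.serverport)
            if flow["state"] != "ESTABLISHED":
                return FORWARD, pkt         # e.g. RST before the splice: the client should see it
            # claim 6: actual server -> proxy client, ack moved to the proxy client's numbering
            return LOCAL, replace(pkt, src=self.vip, sport=flow["vport"],
                                  dst=self.serverip, dport=flow["srcport"],
                                  ack=pkt.ack - flow["delta"])
        return FORWARD, pkt                 # not a proxied flow

    def hook_localout(self, pkt):
        """NF_INET_LOCAL_OUT: what the two local proxies send towards vip:vport."""
        flow = self.by_vport.get(pkt.dport)
        if pkt.dst != self.vip or flow is None or pkt.src != self.serverip:
            return FORWARD, pkt
        if pkt.sport == self.serverport:
            # claim 7: proxy server -> actual client, wearing the real server's address
            return FORWARD, replace(pkt, src=flow["tip"], sport=flow["tport"],
                                    dst=flow["sip"], dport=flow["sport"])
        if flow["state"] == "SYNACK_SAVED" and pkt.flags == "SYN":
            # claim 10: answer the proxy client with the stored SYN+ACK; delta is the
            # difference between the real client's ISN and the proxy client's ISN
            flow["srcport"], flow["state"] = pkt.sport, "PROXY_SYN_SENT"
            flow["delta"] = flow["saved_syn"].seq - pkt.seq
            sa = flow["saved_synack"]
            return LOCAL, replace(sa, src=self.vip, sport=flow["vport"],
                                  dst=self.serverip, dport=pkt.sport, ack=sa.ack - flow["delta"])
        if pkt.sport != flow["srcport"]:
            return DROP, pkt                # nobody else may speak for this flow
        if flow["state"] == "PROXY_SYN_SENT" and pkt.flags == "ACK":
            flow["state"] = "ESTABLISHED"
        # claims 5 and 10: proxy client -> actual server as (sip, sport) -> (tip, tport)
        return FORWARD, replace(pkt, src=flow["sip"], sport=flow["sport"],
                                dst=flow["tip"], dport=flow["tport"], seq=pkt.seq + flow["delta"])


def handshake_trace(gw, sip="10.0.0.10", sport=51000, tip="10.0.0.20", tport=22):
    """Drive one spliced handshake through both hooks with constructed sequence
    numbers (client ISN 1000, real server 5000, proxy server 7000, proxy client 9000)."""
    out = [gw.hook_prerouting(Pkt(sip, sport, tip, tport, "SYN", seq=1000))]
    out.append(gw.hook_prerouting(Pkt(tip, tport, sip, sport, "SYN+ACK", seq=5000, ack=1001)))
    vport = out[-1][1].sport
    out.append(gw.hook_localout(Pkt(gw.serverip, gw.serverport, gw.vip, vport, "SYN+ACK", seq=7000, ack=1001)))
    out.append(gw.hook_prerouting(Pkt(sip, sport, tip, tport, "ACK", seq=1001, ack=7001)))
    out.append(gw.hook_localout(Pkt(gw.serverip, 33000, gw.vip, vport, "SYN", seq=9000)))
    out.append(gw.hook_localout(Pkt(gw.serverip, 33000, gw.vip, vport, "ACK", seq=9001, ack=5001)))
    return out


if __name__ == "__main__":
    for verdict, p in handshake_trace(TransparentProxyGateway("10.0.0.2", 2222, "192.0.2.1")):
        print(f"{verdict:7} {p.flags:7} {p.src}:{p.sport} -> {p.dst}:{p.dport} seq={p.seq} ack={p.ack}")
```

Running the trace shows the two points where the splice is fragile: the real server has already allocated connection state after the first syn, so if the proxy server refuses the connection the gateway must reset the real server side as well, and any message the actual server sends before the proxy client's third frame has reached it arrives in a state the hooks do not expect (the model just forwards it).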

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211594899.5A CN116233237B (en) 2022-12-13 2022-12-13 Transparent proxy network shutdown and working method thereof

Publications (2)

Publication Number Publication Date
CN116233237A true CN116233237A (en) 2023-06-06
CN116233237B CN116233237B (en) 2024-01-26

Family

ID=86590007

Country Status (1)

Country Link
CN (1) CN116233237B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102447708A (en) * 2012-01-14 2012-05-09 杭州安恒信息技术有限公司 Communication implementation method based on application-layer transparent proxy technology
CN103491065A (en) * 2012-06-14 2014-01-01 中兴通讯股份有限公司 Transparent proxy and transparent proxy realization method
CN109547452A (en) * 2018-11-30 2019-03-29 四川安迪科技实业有限公司 The method and system of TCP Transparent Proxy are realized on Linux bridge equipment
CN110830434A (en) * 2019-08-27 2020-02-21 杭州美创科技有限公司 Universal transparent proxy method
US10887282B1 (en) * 2018-10-19 2021-01-05 Juniper Networks, Inc. Determining synchronization of filter rules (e.g., on iptable filter tables on Linux kernal) across firewall filter application restarts
CN112671869A (en) * 2020-12-15 2021-04-16 北京天融信网络安全技术有限公司 Network bridge transparent proxy method, device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant