努力挣扎的生活
yangfk
2026-01-26

socat端口转发

//

# socat端口转发

在部署服务的时候,可能由于某个中间件服务版本低,而存在漏洞,又不太好升级的情况下,需要通过配置防火墙来阻止流量请求。
当docker部署的服务,做的端口映射会绕过firewald防火墙,导致端口漏洞泄露,这个时候,可以结合 socat 来做防火墙规则处理
容器内监听IP:127.0.0.1, 再由socat 做0.0.0.0 端口转发,通过firewalld做IP,端口限制
  • 安装工具

Ubuntu: apt install socat -y

**centos: ** yum install socat -y

# 运行kafka服务

  • 创建一个docker运行的kafka
cat >docker-compose.yaml<<'EOF'
version: '3'
services:
  dm-kafka:
    container_name: dm-kafka
    restart: always
    image: bitnami/kafka:3.6.1
    environment:
      ALLOW_PLAINTEXT_LISTENER: 'yes'
      KAFKA_CFG_LOG_RETENTION_MS: 60000
      KAFKA_CFG_MAX_REQUEST_SIZE: 524288000
      KAFKA_CFG_MESSAGE_MAX_BYTES: 524288000
      KAFKA_CFG_REPLICA_FETCH_MAX_BYTES: 524288000
      KAFKA_CFG_FETCH_MESSAGE_MAX_BYTES: 524288000
      KAFKA_CFG_PARTITION_FETCH_BYTES: 524288000
      KAFKA_CFG_NODE_ID: 0
      KAFKA_CFG_PROCESS_ROLES: controller,broker
      KAFKA_CFG_LISTENERS: PLAINTEXT://:9092,CONTROLLER://:9093
      KAFKA_CFG_ADVERTISED_LISTENERS: PLAINTEXT://192.168.5.154:9092
      KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP: CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT
      KAFKA_CFG_CONTROLLER_QUORUM_VOTERS: 0@127.0.0.1:9093
      KAFKA_CFG_CONTROLLER_LISTENER_NAMES: CONTROLLER
    volumes:
      - /etc/localtime:/etc/localtime
      - /etc/timezone:/etc/timezone
      - "./kafka/data:/bitnami/kafka/data/"
    ports:
      - "127.0.0.1:9091:9092"
    network_mode: bridge
EOF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

-启动服务:

docker-compose -f docker-compose.yaml up -d

# 配置端口转发

监听端口:0.0.0.0:9092 ,转发本地端口:127.0.0.1:9091

cat >/usr/lib/systemd/system/socat-9092.service<<'EOF'
[Unit]
Description=TCP forward 0.0.0.0:9092
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# 重启策略:总是重启,10 秒间隔
Restart=always
RestartSec=10
# 运行用户与组
User=nobody
Group=nogroup
# 限制打开文件数
LimitNOFILE=65536

# 关键行:socat 转发
# -d -d  打印详细日志到 stderr(journald 捕获)
# TCP-LISTEN 重用端口、fork 多并发
ExecStart=/usr/bin/socat -d -d \
    TCP-LISTEN:9092,reuseaddr,fork \
    TCP:127.0.0.1:9091

# 优雅关闭
KillMode=mixed
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target
EOF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
  • 启动服务端口:9092
systemctl daemon-reload
systemctl start socat-9092.service
systemctl enable socat-9092.service
1
2
3
  • 配置firewalld富规则
firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.5.154 port port="9092" protocol="tcp" accept'
1
//
如果此文章对您有帮助,点击 -->> 请博主喝咖啡 (opens new window)
上次更新: 2026/01/27, 11:58:45
ubuntu2204编译安装php7.4.33
zabbix 部署

zabbix 部署

最近更新
01
vastbase配置postgis
 01-21
02
docker运行异常
 12-22
03
容器运行polardb-pg配置主从
 11-27
更多文章>
Theme by Vdoing | Copyright © 2019-2026 yangfk | 湘ICP备2021014415号-1
×
//