Test results from another member of this board:
Thanks to ssffzz1 for the suggestion!
Sharing the results of debug IP PA:
(Environment: inside IP 192.168.1.103 <-----> router INTERNET interface IP: 61.131.21.125 <-----> outside IP 218.30.115.227)
Configured on the router: ACL 100 PERMIT TCP ANY HOST 192.168.1.103 EST GT 1023
On the INTERNET interface: IP ACC 100 IN
# Inside host accessing the outside IP 218.30.115.227:
IPV4: version = 4 hdrlen = 5 tos = 0 total len = 40 ID = 1635 ,
flags 2 frag_offset = 0 ttl = 128 protocol = 6 checksum = 36726 ,
src = 192.168.1.103 dest = 218.30.115.227 if = eth0/1.1 ,
received ,
45 00 00 28 06 63 40 00 80 06 8F 76 0A 8E 0C 67
DA 1E 73 E3 0A C3 00 50 B0 4B 33 4F 13 EE A4 69
50 10 FD F5 A5 E2 00 00 00 00 00 00 00 00 3C FC
Filter*: packet proto 6 (192.168.1.103:2755) -> (218.30.115.227:80)
Filter*: No acl applied,PERMIT
NAT*: 0x8bbf5120 state=established direction=original hook=postrouting
packet's source address changed ---
proto 6 (192.168.1.103:2755) >> (61.131.21.125:2755)
IPV4: version = 4 hdrlen = 5 tos = 0 total len = 40 ID = 1635 ,
flags 2 frag_offset = 0 ttl = 127 protocol = 6 checksum = 37337 ,
src = 61.131.21.125 dest = 218.30.115.227 if = eth0/0 ,
sending ,
45 00 00 28 06 63 40 00 7F 06 91 D9 DA 42 3B 4F
DA 1E 73 E3 0A C3 00 50 B0 4B 33 4F 13 EE A4 69
50 10 FD F5 A7 45 00 00 00 00 00 00 00 00 3C FC
# Return traffic from the outside:
IPV4: version = 4 hdrlen = 5 tos = 0 total len = 40 ID = 53357 ,
flags 2 frag_offset = 0 ttl = 246 protocol = 6 checksum = 20686 ,
src = 218.30.115.227 dest = 61.131.21.125 if = eth0/0 ,
received ,
45 00 00 28 D0 6D 40 00 F6 06 50 CE DA 1E 73 E3
DA 42 3B 4F 00 50 0A C3 13 EE A3 B7 B0 4B 33 4E
50 11 12 84 93 69 00 00 AA AA 00 00 AA AA C8 F5
NAT*: 0x8bbf5120 state=established direction=reply hook=prerouting
packet's destination address changed ---
proto 6 (61.131.21.125:2755) >> (192.168.1.103:2755)
Filter*: packet proto 6 (218.30.115.227:80) -> (192.168.1.103:2755)
Filter*: PERMIT
IPV4: version = 4 hdrlen = 5 tos = 0 total len = 40 ID = 53357 ,
flags 2 frag_offset = 0 ttl = 245 protocol = 6 checksum = 20587 ,
src = 218.30.115.227 dest = 192.168.1.103 if = eth0/1.1 ,
sending ,
45 00 00 28 D0 6D 40 00 F5 06 50 6B DA 1E 73 E3
0A 8E 0C 67 00 50 0A C3 13 EE A3 B7 B0 4B 33 4E
50 11 12 84 92 06 00 00 AA AA 00 00 AA AA C8 F5
Conclusion: with source address translation, inbound packets go through NAT first and then the ACL FILTER; the NAT INSIDE SOURCE STATIC method behaves similarly, which I have tested.
I have not run a DEBUG test of the DNAT method, so I don't know what happens there. If you have an environment, please test it and share the debug results.
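An added illustration, not part of the post above or the router vendor's code: a small Python model of the inbound order the debug output shows (NAT hook=prerouting direction=reply rewrites the destination back to the inside host, and only then is the interface ACL evaluated), together with a decoder for the 40-byte IPv4+TCP header dump that debug ip packet prints. The packet bytes, the NAT session entry and the ACL evaluation are constructed to match the addresses stated in the post; "established" is modelled as ACK or RST set and "gt 1023" as the destination port, as in Cisco-style ACL syntax. Flipping nat_first to False shows why an ACL that names the inside address could only work if un-NAT really happens before filtering.

```python
"""Model of the inbound processing order seen in the debug output above:
NAT (hook=prerouting, direction=reply) rewrites the destination back to the
inside host, and only afterwards is the interface ACL evaluated. Everything
here is constructed for illustration; the hex dump is hand-built, not captured."""
import struct
import ipaddress
from dataclasses import dataclass, replace

ACK, RST, SYN = 0x10, 0x04, 0x02  # TCP flag bits


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int
    dport: int
    tcp_flags: int


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; caller zeroes the checksum field."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_tcp(hexdump: str) -> "tuple[Packet, bool]":
    """Decode a 40-byte IPv4+TCP header dump as printed by debug ip packet.
    Returns the decoded fields and whether the IP header checksum verifies."""
    raw = bytes.fromhex(hexdump)
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    stated = struct.unpack("!H", raw[10:12])[0]
    ok = ip_checksum(raw[:10] + b"\x00\x00" + raw[12:ihl]) == stated
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13] & 0x3F
    return Packet(proto, src, dst, sport, dport, flags), ok


# Constructed reply packet 218.30.115.227:80 -> 61.131.21.125:2755 with ACK set
# (checksum E3CC computed by hand for these exact header bytes).
REPLY_HEX = (
    "45 00 00 28 00 01 40 00 F6 06 E3 CC DA 1E 73 E3 3D 83 15 7D "
    "00 50 0A C3 13 EE A3 B7 B0 4B 33 4E 50 10 12 84 00 00 00 00"
)

# Session created by the original-direction packet (inside -> outside), constructed.
NAT_TABLE = {("192.168.1.103", 2755): ("61.131.21.125", 2755)}


def nat_prerouting_reply(pkt: Packet, table=NAT_TABLE) -> Packet:
    """Reply direction: put the inside address back as the destination."""
    for inside, outside in table.items():
        if (pkt.dst, pkt.dport) == outside:
            return replace(pkt, dst=inside[0], dport=inside[1])
    return pkt  # no matching session: packet left untouched


def acl100_permits(pkt: Packet) -> bool:
    """access-list 100 permit tcp any host 192.168.1.103 gt 1023 established,
    followed by the implicit deny; established = ACK or RST bit set."""
    return (pkt.proto == 6 and pkt.dst == "192.168.1.103"
            and pkt.dport > 1023 and bool(pkt.tcp_flags & (ACK | RST)))


def inbound_pipeline(pkt: Packet, nat_first: bool = True):
    """ACL 100 applied inbound on the internet interface. nat_first=True is the
    order the debug output shows; False is the hypothetical filter-first order."""
    if nat_first:
        pkt = nat_prerouting_reply(pkt)
        return ("PERMIT" if acl100_permits(pkt) else "DENY"), pkt
    decision = "PERMIT" if acl100_permits(pkt) else "DENY"
    return decision, nat_prerouting_reply(pkt)


def run_checks() -> dict:
    pkt, cksum_ok = parse_ipv4_tcp(REPLY_HEX)
    syn = replace(pkt, tcp_flags=SYN)  # bare SYN: not "established", so denied
    return {
        "checksum_ok": cksum_ok,
        "decoded": (pkt.src, pkt.sport, pkt.dst, pkt.dport),
        "nat_then_acl": inbound_pipeline(pkt, nat_first=True),
        "acl_then_nat": inbound_pipeline(pkt, nat_first=False),
        "syn_to_host": inbound_pipeline(syn, nat_first=True)[0],
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(name, value)
```

Running it prints PERMIT for the observed NAT-then-ACL order with the destination already rewritten to 192.168.1.103, DENY for the hypothetical ACL-then-NAT order (the ACL never sees the inside address), and DENY for a bare SYN because the established keyword requires ACK or RST.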