Problem with Linux policy routing
[quote]Originally posted by "JohnBull": Also, to correct an earlier mistaken view: NAT is a layer-3 operation and has nothing to do with sockets.[/quote]
If you mean some other NAT "product", then I have nothing to say about it.
But what we are discussing here is iptables, and it does change the socket pair:
source socket (SNAT)
destination socket (DNAT)
Verifying this is not hard: have several clients connect out through Linux iptables SNAT;
when two clients happen to use the same source port, capture the packets on the iptables box and the result is plain to see...
Below is the description of the NAT targets from man iptables:
[quote]
SNAT
This target is only valid in the nat table, in the POSTROUTING chain.
It specifies that the source address of the packet should be modified
(and all future packets in this connection will also be mangled), and
rules should cease being examined. It takes one type of option:
--to-source ipaddr[-ipaddr][:port-port]
which can specify a single new source IP address, an inclusive
range of IP addresses, and optionally, a port range (which is
only valid if the rule also specifies -p tcp or -p udp). If no
port range is specified, then source ports below 512 will be
mapped to other ports below 512: those between 512 and 1023
inclusive will be mapped to ports below 1024, and other ports
will be mapped to 1024 or above. Where possible, no port alteration
will occur.
You can add several --to-source options. If you specify more
than one source address, either via an address range or multiple
--to-source options, a simple round-robin (one after another in
cycle) takes place between these addresses.
DNAT
This target is only valid in the nat table, in the PREROUTING and OUTPUT
chains, and user-defined chains which are only called from those
chains. It specifies that the destination address of the packet should
be modified (and all future packets in this connection will also be
mangled), and rules should cease being examined. It takes one type of
option:
--to-destination ipaddr[-ipaddr][:port-port]
which can specify a single new destination IP address, an inclusive
range of IP addresses, and optionally, a port range (which
is only valid if the rule also specifies -p tcp or -p udp). If
no port range is specified, then the destination port will never
be modified.
You can add several --to-destination options. If you specify more
than one destination address, either via an address range or
multiple --to-destination options, a simple round-robin (one
after another in cycle) load balancing takes place between these
addresses.
MASQUERADE
This target is only valid in the nat table, in the POSTROUTING chain.
It should only be used with dynamically assigned IP (dialup) connections:
if you have a static IP address, you should use the SNAT target.
Masquerading is equivalent to specifying a mapping to the IP address of
the interface the packet is going out, but also has the effect that
connections are forgotten when the interface goes down. This is the
correct behavior when the next dialup is unlikely to have the same
interface address (and hence any established connections are lost anyway).
It takes one option:
--to-ports port[-port]
This specifies a range of source ports to use, overriding the
default SNAT source port-selection heuristics (see above). This
is only valid if the rule also specifies -p tcp or -p udp.
[/quote]
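To make the point above concrete, here is an added Python model (not code from the post and not netfilter's own implementation) of the SNAT source-port selection rule quoted from man iptables: two clients behind the same public address that pick the same source port to the same destination cannot both keep it, so the second one's socket pair is rewritten. The conntrack set, the addresses and the linear port search are assumptions made for illustration.

```python
# Added example: a simplified model of iptables SNAT port selection.
# Assumptions (not netfilter code): a per-NAT set of reply tuples already in
# use, and a linear scan from the start of the port window on collision.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Tuple4:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def port_window(orig_port: int) -> range:
    """Candidate source ports per the man page: <512 stay <512,
    512..1023 map below 1024, everything else maps to 1024 or above."""
    if orig_port < 512:
        return range(1, 512)
    if orig_port <= 1023:
        return range(1, 1024)
    return range(1024, 65536)


@dataclass
class Snat:
    public_ip: str
    used: set = field(default_factory=set)  # (pub_ip, pub_port, dst_ip, dst_port)

    def translate(self, pkt: Tuple4) -> Tuple4:
        def free(port: int) -> bool:
            return (self.public_ip, port, pkt.dst_ip, pkt.dst_port) not in self.used

        # "Where possible, no port alteration will occur."
        if free(pkt.src_port):
            chosen = pkt.src_port
        else:  # collision: pick a free port from the same window (assumed order)
            chosen = next(p for p in port_window(pkt.src_port) if free(p))
        self.used.add((self.public_ip, chosen, pkt.dst_ip, pkt.dst_port))
        return Tuple4(self.public_ip, chosen, pkt.dst_ip, pkt.dst_port)


def demo_high_ports():
    """Two clients, same ephemeral source port, same server (constructed sample)."""
    nat = Snat("203.0.113.1")
    a = nat.translate(Tuple4("192.168.1.10", 40000, "198.51.100.5", 80))
    b = nat.translate(Tuple4("192.168.1.11", 40000, "198.51.100.5", 80))
    return a, b  # a keeps 40000; b is moved to another port >= 1024


def demo_low_ports():
    """Same collision with a privileged source port; stays below 512."""
    nat = Snat("203.0.113.1")
    a = nat.translate(Tuple4("192.168.1.10", 111, "198.51.100.5", 53))
    b = nat.translate(Tuple4("192.168.1.11", 111, "198.51.100.5", 53))
    return a, b
```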