Deep dive into Linux NAT

    NOTE: Multiple IP addresses can be mapped (SNAT) to a single egress network address. A single egress network address can also be mapped (DNAT) to multiple IP addresses, but only for load balancing.

    Netfilter principles

    Connection tracking (conntrack): principles, applications and the Linux kernel implementation

    conntrack

    conntrack entries for ICMP and TCP packets

    ip netns exec sdewan-cnf conntrack -L |grep 172.16.30
    conntrack v1.4.4 (conntrack-tools): 30 flow entries have been shown.
    icmp     1 29 src=10.245.51.48 dst=172.16.30.4 type=8 code=0 id=161 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=161 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
    icmp     1 29 src=10.245.51.14 dst=172.16.30.4 type=8 code=0 id=12549 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=12549 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
    icmp     1 29 src=10.245.51.47 dst=172.16.30.4 type=8 code=0 id=89 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=89 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
    
    
    ip netns exec sdewan-cnf conntrack -L |grep 172.16.30
    conntrack v1.4.4 (conntrack-tools): 30 flow entries have been shown.
    icmp     1 29 src=10.245.51.48 dst=172.16.30.4 type=8 code=0 id=161 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=161 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=2
    icmp     1 29 src=10.245.51.14 dst=172.16.30.4 type=8 code=0 id=12549 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=12549 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
    icmp     1 29 src=10.245.51.47 dst=172.16.30.4 type=8 code=0 id=89 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=89 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
    

    ip netns exec sdewan-cnf conntrack -L |grep 172.16.30
    conntrack v1.4.4 (conntrack-tools): 29 flow entries have been shown.
    tcp      6 117 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=38100 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=38100 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
    tcp      6 116 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=59506 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=59506 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1

    conntrack -L |grep 172.16.30
    tcp      6 114 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=38100 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.47 sport=80 dport=38100 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
    tcp      6 117 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=59506 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.48 sport=80 dport=59506 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1

    REF: Matching connection tracking stateful metainformation (the meaning of each field)

    ip netns exec sdewan-cnf conntrack -L -p tcp --src-nat |grep 172.16.30
    conntrack v1.4.4 (conntrack-tools): 26 flow entries have been shown.
    tcp      6 98 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=39108 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=39108 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
    tcp      6 95 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=45938 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=45938 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
    
    sudo conntrack -L -p tcp --src-nat |grep 172.16.30
    tcp      6 45 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=39108 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.48 sport=80 dport=39108 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
    tcp      6 42 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=45938 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.47 sport=80 dport=45938 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
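The listings above are easier to read once the two tuples on each line are separated: the original tuple is the packet as conntrack first saw it, the reply tuple is what an answer must look like. When no NAT was applied the reply tuple is just the original reversed; in the listing taken inside the sdewan-cnf namespace the reply destination is 172.16.30.1 rather than the 10.245.51.x client, so SNAT happened there, while the host table shows the untranslated flow. The parser below is an added example (not code from the post or from conntrack-tools) that splits a `conntrack -L` line into its tuples, reports which translation the kernel applied, and flags `[UNREPLIED]` half-open entries; the embedded sample output is adapted from the listings in the post.

```python
"""Parse `conntrack -L` text output and tell NAT'd flows from un-NAT'd ones.

Added example; not part of the original post or of conntrack-tools.
"""
from dataclasses import dataclass
from typing import Optional

# Keys that belong to an address tuple; everything else is an entry attribute.
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}


@dataclass
class ConntrackEntry:
    proto: str
    timeout: int
    state: Optional[str]   # TCP state word, None for ICMP/UDP
    flags: list            # bracketed flags such as UNREPLIED, ASSURED
    orig: dict             # original-direction tuple
    reply: dict            # reply-direction tuple
    attrs: dict            # mark=, secctx=, use=, ...


def parse_line(line: str) -> ConntrackEntry:
    """Parse one `conntrack -L` line in the text format shown in the post."""
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError(f"not a conntrack entry: {line!r}")
    proto, _proto_num, timeout = tokens[0], tokens[1], int(tokens[2])
    rest = tokens[3:]
    # TCP prints a state word (SYN_SENT, ESTABLISHED, ...) before the tuples.
    state = None
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)
    flags, tuples, attrs = [], [], {}
    current = None
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok[1:-1])
            continue
        key, _, value = tok.partition("=")
        if key == "src":                      # each src= opens a new tuple
            current = {}
            tuples.append(current)
        if key in TUPLE_KEYS and current is not None and len(tuples) <= 2:
            current[key] = value
        else:
            attrs[key] = value
    if len(tuples) != 2:
        raise ValueError(f"expected original and reply tuples: {line!r}")
    return ConntrackEntry(proto, timeout, state, flags, tuples[0], tuples[1], attrs)


def nat_kinds(e: ConntrackEntry) -> list:
    """Which translations the kernel applied to this flow.

    Without NAT the reply tuple is the original reversed: reply.dst == orig.src
    and reply.src == orig.dst (ports likewise). A changed reply destination
    means the source was rewritten (SNAT); a changed reply source means the
    destination was rewritten (DNAT).
    """
    kinds = []
    if (e.orig["src"], e.orig.get("sport")) != (e.reply["dst"], e.reply.get("dport")):
        kinds.append("SNAT")
    if (e.orig["dst"], e.orig.get("dport")) != (e.reply["src"], e.reply.get("sport")):
        kinds.append("DNAT")
    return kinds


def summarize(output: str, needle: str = "") -> list:
    """Parse every entry line of `conntrack -L` output, skipping the
    'flow entries have been shown' footer, and keep lines containing
    `needle` (the role `| grep 172.16.30` plays in the post)."""
    rows = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("conntrack v") or needle not in line:
            continue
        e = parse_line(line)
        rows.append({
            "proto": e.proto,
            "state": e.state,
            "orig": f'{e.orig["src"]} -> {e.orig["dst"]}',
            "reply": f'{e.reply["src"]} -> {e.reply["dst"]}',
            "nat": nat_kinds(e),
            "unreplied": "UNREPLIED" in e.flags,
        })
    return rows


# Sample output adapted from the post: first block captured inside the
# sdewan-cnf namespace, second block on the host.
NETNS_OUTPUT = """\
conntrack v1.4.4 (conntrack-tools): 26 flow entries have been shown.
icmp     1 29 src=10.245.51.48 dst=172.16.30.4 type=8 code=0 id=161 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=161 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 98 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=39108 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=39108 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
"""
HOST_OUTPUT = """\
tcp      6 45 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=39108 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.48 sport=80 dport=39108 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
"""

if __name__ == "__main__":
    for name, out in (("netns", NETNS_OUTPUT), ("host", HOST_OUTPUT)):
        for row in summarize(out, "172.16.30"):
            print(name, row)
```

Running it reports `SNAT` for both namespace entries and an empty list for the host entry, and marks all the TCP entries as unreplied, which is the same picture the raw listings give once you know which tuple to compare with which. The same comparison works for `-p udp` output, where, as with ICMP, no state word precedes the tuples.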

    REF: Connection tracking tools for Network Address Translation (NAT) | Linux 中国

    REF:

    Cloud computing underlying technology: a study of the netfilter framework

    Cloud computing underlying technology: virtual network devices (Bridge, VLAN)

    IPTables  

Original article: https://www.cnblogs.com/shaohef/p/14869688.html