zoukankan      html  css  js  c++  java

  • 深入理解linux nat

    NOTE: 多个IP 地址可以映射(SNAT)到一个出口网络地址。一个出口网络地址也可以映射(DNAT)到多个IP 地址,但是只能做load balance使用。

    Netfilter 原理

    连接跟踪(conntrack):原理、应用及 Linux 内核实现    

    conntrack

    conntrack icmp and TCP package

    ip netns exec sdewan-cnf conntrack -L |grep 172.16.30
conntrack v1.4.4 (conntrack-tools): 30 flow entries have been shown.
icmp     1 29 src=10.245.51.48 dst=172.16.30.4 type=8 code=0 id=161 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=161 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp     1 29 src=10.245.51.14 dst=172.16.30.4 type=8 code=0 id=12549 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=12549 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp     1 29 src=10.245.51.47 dst=172.16.30.4 type=8 code=0 id=89 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=89 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1


ip netns exec sdewan-cnf conntrack -L |grep 172.16.30
conntrack v1.4.4 (conntrack-tools): 30 flow entries have been shown.
icmp     1 29 src=10.245.51.48 dst=172.16.30.4 type=8 code=0 id=161 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=161 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=2
icmp     1 29 src=10.245.51.14 dst=172.16.30.4 type=8 code=0 id=12549 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=12549 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp     1 29 src=10.245.51.47 dst=172.16.30.4 type=8 code=0 id=89 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=89 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1


    ip netns exec sdewan-cnf conntrack -L |grep 172.16.30
conntrack v1.4.4 (conntrack-tools): 29 flow entries have been shown.
tcp      6 117 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=38100 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=38100 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 116 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=59506 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=59506 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1


    conntrack -L |grep 172.16.30
tcp      6 114 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=38100 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.47 sport=80 dport=38100 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 117 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=59506 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.48 sport=80 dport=59506 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1

     REF:  Matching connection tracking stateful metainformation 每个字段的含义

    ip netns exec sdewan-cnf conntrack -L -p tcp –src-nat |grep 172.16.30
conntrack v1.4.4 (conntrack-tools): 26 flow entries have been shown.
tcp      6 98 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=39108 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=39108 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 95 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=45938 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=45938 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1

sudo conntrack -L -p tcp –src-nat |grep 172.16.30
tcp      6 45 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=39108 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.48 sport=80 dport=39108 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 42 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=45938 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.47 sport=80 dport=45938 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1

    REF:网络地址转换(NAT)之连接跟踪工具 | Linux 中国 

    REF:

    云计算底层技术-netfilter框架研究 

    云计算底层技术-虚拟网络设备(Bridge,VLAN)

    IPTables  
  • 相关阅读:
    有高程点数据,想生成等高线数据后再生成TIN
    【转】ArcGIS Server安装
    CSS定义不规则图片排版
    ArcEngine实现打开shapfile、Raster、TIN文件
    VSS在签出工程时老提示"network not found"或者''Invalid handle"的解决办法
    SiteServer CMS 上传文件过滤,只能是图片格式。
    突然记起我也遇到过一个麻花姐
    六一快乐
    杭州,婺源
    <转>一斗米养个仇人
  • 原文地址:https://www.cnblogs.com/shaohef/p/14869688.html
Copyright © 2011-2022 走看看