zoukankan      html  css  js  c++  java

  • 深入理解linux nat

    NOTE: 多个IP 地址可以映射(SNAT)到一个出口网络地址。一个出口网络地址也可以映射(DNAT)到多个IP 地址,但是只能做load balance使用。

    Netfilter 原理

    连接跟踪(conntrack):原理、应用及 Linux 内核实现    

    conntrack

    conntrack icmp and TCP package

    ip netns exec sdewan-cnf conntrack -L |grep 172.16.30
conntrack v1.4.4 (conntrack-tools): 30 flow entries have been shown.
icmp     1 29 src=10.245.51.48 dst=172.16.30.4 type=8 code=0 id=161 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=161 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp     1 29 src=10.245.51.14 dst=172.16.30.4 type=8 code=0 id=12549 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=12549 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp     1 29 src=10.245.51.47 dst=172.16.30.4 type=8 code=0 id=89 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=89 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1


ip netns exec sdewan-cnf conntrack -L |grep 172.16.30
conntrack v1.4.4 (conntrack-tools): 30 flow entries have been shown.
icmp     1 29 src=10.245.51.48 dst=172.16.30.4 type=8 code=0 id=161 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=161 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=2
icmp     1 29 src=10.245.51.14 dst=172.16.30.4 type=8 code=0 id=12549 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=12549 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp     1 29 src=10.245.51.47 dst=172.16.30.4 type=8 code=0 id=89 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=89 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1


    ip netns exec sdewan-cnf conntrack -L |grep 172.16.30
conntrack v1.4.4 (conntrack-tools): 29 flow entries have been shown.
tcp      6 117 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=38100 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=38100 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 116 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=59506 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=59506 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1


    conntrack -L |grep 172.16.30
tcp      6 114 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=38100 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.47 sport=80 dport=38100 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 117 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=59506 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.48 sport=80 dport=59506 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1

     REF:  Matching connection tracking stateful metainformation 每个字段的含义

    ip netns exec sdewan-cnf conntrack -L -p tcp –src-nat |grep 172.16.30
conntrack v1.4.4 (conntrack-tools): 26 flow entries have been shown.
tcp      6 98 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=39108 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=39108 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 95 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=45938 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=45938 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1

sudo conntrack -L -p tcp –src-nat |grep 172.16.30
tcp      6 45 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=39108 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.48 sport=80 dport=39108 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 42 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=45938 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.47 sport=80 dport=45938 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1

    REF:网络地址转换(NAT)之连接跟踪工具 | Linux 中国 

    REF:

    云计算底层技术-netfilter框架研究 

    云计算底层技术-虚拟网络设备(Bridge,VLAN)

    IPTables  
  • 相关阅读:
    centos rm -rf 恢复删除的文件
    默认hosts后面为files dns
    linux shell expr 使用
    QQ,MSN,Skype在线客服代码
    LocalResizeIMG前端HTML5本地压缩图片上传,兼容移动设备IOS,android
    php读取和保存base64编码的图片内容
    linux shell 字符串操作(长度,查找,替换)详解
    tomcat的简单配置与适用默认的web应用
    mybatis左连接需要输出左表的指定内容与筛选
    first head in html 笔记
  • 原文地址:https://www.cnblogs.com/shaohef/p/14869688.html
Copyright © 2011-2022 走看看