zoukankan      html  css  js  c++  java

  • 深入理解linux nat

    NOTE: 多个IP 地址可以映射(SNAT)到一个出口网络地址。一个出口网络地址也可以映射(DNAT)到多个IP 地址,但是只能做load balance使用。

    Netfilter 原理

    连接跟踪(conntrack):原理、应用及 Linux 内核实现    

    conntrack

    conntrack icmp and TCP package

    ip netns exec sdewan-cnf conntrack -L |grep 172.16.30
conntrack v1.4.4 (conntrack-tools): 30 flow entries have been shown.
icmp     1 29 src=10.245.51.48 dst=172.16.30.4 type=8 code=0 id=161 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=161 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp     1 29 src=10.245.51.14 dst=172.16.30.4 type=8 code=0 id=12549 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=12549 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp     1 29 src=10.245.51.47 dst=172.16.30.4 type=8 code=0 id=89 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=89 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1


ip netns exec sdewan-cnf conntrack -L |grep 172.16.30
conntrack v1.4.4 (conntrack-tools): 30 flow entries have been shown.
icmp     1 29 src=10.245.51.48 dst=172.16.30.4 type=8 code=0 id=161 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=161 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=2
icmp     1 29 src=10.245.51.14 dst=172.16.30.4 type=8 code=0 id=12549 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=12549 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp     1 29 src=10.245.51.47 dst=172.16.30.4 type=8 code=0 id=89 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=89 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1


    ip netns exec sdewan-cnf conntrack -L |grep 172.16.30
conntrack v1.4.4 (conntrack-tools): 29 flow entries have been shown.
tcp      6 117 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=38100 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=38100 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 116 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=59506 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=59506 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1


    conntrack -L |grep 172.16.30
tcp      6 114 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=38100 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.47 sport=80 dport=38100 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 117 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=59506 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.48 sport=80 dport=59506 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1

     REF:  Matching connection tracking stateful metainformation 每个字段的含义

    ip netns exec sdewan-cnf conntrack -L -p tcp –src-nat |grep 172.16.30
conntrack v1.4.4 (conntrack-tools): 26 flow entries have been shown.
tcp      6 98 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=39108 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=39108 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 95 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=45938 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=45938 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1

sudo conntrack -L -p tcp –src-nat |grep 172.16.30
tcp      6 45 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=39108 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.48 sport=80 dport=39108 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 42 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=45938 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.47 sport=80 dport=45938 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1

    REF:网络地址转换(NAT)之连接跟踪工具 | Linux 中国 

    REF:

    云计算底层技术-netfilter框架研究 

    云计算底层技术-虚拟网络设备(Bridge,VLAN)

    IPTables  
  • 相关阅读:
    OPC-UA和IEC 62541协议
    excel多级部门字符串截取其中一端的公式
    mac 显示音频文件 速率
    解决:Mac安装HOME brew 拒绝了我们的连接请求解决方案
    ss自定义规则
    macos关闭更新功能
    mac 使用触摸板左键长按选择是,总是弹出系统自带词典的问题
    固定区域截图快速粘贴到表格
    Outlook 2016 for Mac 更改邮件存放路径
    微信发送高清视频(避免被微信压缩变模糊),100M以内
  • 原文地址:https://www.cnblogs.com/shaohef/p/14869688.html
Copyright © 2011-2022 走看看