zoukankan      html  css  js  c++  java

  • 深入理解linux nat

    NOTE: 多个IP 地址可以映射(SNAT)到一个出口网络地址。一个出口网络地址也可以映射(DNAT)到多个IP 地址,但是只能做load balance使用。

    Netfilter 原理

    连接跟踪(conntrack):原理、应用及 Linux 内核实现    

    conntrack

    conntrack icmp and TCP package

    ip netns exec sdewan-cnf conntrack -L |grep 172.16.30
conntrack v1.4.4 (conntrack-tools): 30 flow entries have been shown.
icmp     1 29 src=10.245.51.48 dst=172.16.30.4 type=8 code=0 id=161 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=161 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp     1 29 src=10.245.51.14 dst=172.16.30.4 type=8 code=0 id=12549 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=12549 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp     1 29 src=10.245.51.47 dst=172.16.30.4 type=8 code=0 id=89 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=89 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1


ip netns exec sdewan-cnf conntrack -L |grep 172.16.30
conntrack v1.4.4 (conntrack-tools): 30 flow entries have been shown.
icmp     1 29 src=10.245.51.48 dst=172.16.30.4 type=8 code=0 id=161 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=161 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=2
icmp     1 29 src=10.245.51.14 dst=172.16.30.4 type=8 code=0 id=12549 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=12549 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp     1 29 src=10.245.51.47 dst=172.16.30.4 type=8 code=0 id=89 src=172.16.30.4 dst=172.16.30.1 type=0 code=0 id=89 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1


    ip netns exec sdewan-cnf conntrack -L |grep 172.16.30
conntrack v1.4.4 (conntrack-tools): 29 flow entries have been shown.
tcp      6 117 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=38100 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=38100 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 116 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=59506 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=59506 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1


    conntrack -L |grep 172.16.30
tcp      6 114 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=38100 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.47 sport=80 dport=38100 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 117 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=59506 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.48 sport=80 dport=59506 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1

     REF:  Matching connection tracking stateful metainformation 每个字段的含义

    ip netns exec sdewan-cnf conntrack -L -p tcp –src-nat |grep 172.16.30
conntrack v1.4.4 (conntrack-tools): 26 flow entries have been shown.
tcp      6 98 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=39108 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=39108 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 95 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=45938 dport=80 [UNREPLIED] src=172.16.30.5 dst=172.16.30.1 sport=80 dport=45938 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1

sudo conntrack -L -p tcp –src-nat |grep 172.16.30
tcp      6 45 SYN_SENT src=10.245.51.48 dst=172.16.30.5 sport=39108 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.48 sport=80 dport=39108 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 42 SYN_SENT src=10.245.51.47 dst=172.16.30.5 sport=45938 dport=80 [UNREPLIED] src=172.16.30.5 dst=10.245.51.47 sport=80 dport=45938 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1

    REF:网络地址转换(NAT)之连接跟踪工具 | Linux 中国 

    REF:

    云计算底层技术-netfilter框架研究 

    云计算底层技术-虚拟网络设备(Bridge,VLAN)

    IPTables  
  • 相关阅读:
    亿级 Web 系统的容错性建设实践
    Spring 4支持的Java 8新特性一览
    Java多线程干货系列—(一)Java多线程基础
    Sublime Text 2 实用快捷键(Mac OS X)
    spring-事务管理
    100 个 Linux 常用命令大全
    这些年MAC下我常用的那些快捷键
    Java 容器源码分析之HashMap多线程并发问题分析
    MySQL索引结构--由 B-/B+树看
    Java 容器之 Connection栈队列及一些常用
  • 原文地址:https://www.cnblogs.com/shaohef/p/14869688.html
Copyright © 2011-2022 走看看