如何做网站方案,合肥市建设网,创新网站建设论文,网店推广常用的方法原标题#xff1a;实战经验#xff1a;Linux Source NAT在Ping场景下的应用有时候#xff0c;有这样的一种需求#xff1a;需要修改IP数据包中的源地址#xff0c;比如#xff0c;从某一个主机发送Ping包到另一个主机#xff0c;需要修改源地址为另一个源(通常#xff…原标题实战经验Linux Source NAT在Ping场景下的应用有时候有这样的一种需求需要修改IP数据包中的源地址比如从某一个主机发送Ping包到另一个主机需要修改源地址为另一个源(通常发出Ping请求的主机有多个网卡地址)。为了解决这一需求Linux下的netfilter组件中有个Source NAT的功能可以修改IP数据包中的源地址。此功能实际上是通过iptables在POSTROUTING链中添加一条规则此规则在数据包被最终发送出去之前被应用。下面是一个实例主机A网络配置eth0: 192.168.10.10eth1: 172.18.10.10主机B:eth0: 192.168.10.11) 第一张场景从A发送Ping请求到B:# ping 192.168.10.1通过WireShark抓包可以知道Ping包中的源地址为192.168.10.10(默认Ping请求从eth0出来)目的地址是192.168.10.1。2) 第二种场景从A发送Ping请求到B并使用-I选项# ping 192.168.10.1 -I 172.18.10.10在此场景下这里指定了-I选项表明指定源地址为172.18.10.10。所以Ping请求包中的源地址变为172.18.10.10目的地址不变依然为192.168.10.1。问题来了怎样在第二种场景中(在指定-I选项的情况下)将源地址修改为192.168.10.10?解决方法添加Source NAT规则。具体步骤如下添加规则# iptables -t nat -A POSTROUTING -o eth0 -j SNAT –to 192.168.10.10添加完上述规则后再次执行ping 192.168.10.1 -I 172.18.10.10可以通过抓包发现Ping请求中的源地址已经由172.18.10.10修改为192.168.10.10。备注如果想删除上面添加的Source NAT规则可以执行如下指令删除删除规则# iptables -t nat -A POSTROUTING -o eth0 -j SNAT –to 192.168.10.10查看规则# iptables -nvL -t nat参考资料以下内容来自netfilter官网帮助文档也记录在这里留作参考1) Source NATYou want to do Source NAT; change the source address of connections to something different. This is done in the POSTROUTING chain, just before it is finally sent out; this is an important detail, since it means that anything else on the Linux box itself (routing, packet filtering) will see the packet unchanged. It also means that the -o’ (outgoing interface) option can be used.Source NAT is specified using -j SNAT’, and the –to-source’ option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).MasqueradingThere is a specialized case of Source NAT called masquerading: it should only be used for dynamically-assigned IP addresses, such as standard dialups (for static IP addresses, use SNAT above).You don’t need to put in the source address explicitly with masquerading: it will use the source address of the interface the packet is going out from. But more importantly, if the link goes down, the connections (which are now lost anyway) are forgotten, meaning fewer glitches when connection comes back up with a new IP address.2) Destination NATThis is done in the PREROUTING chain, just as the packet comes in; this means that anything else on the Linux box itself (routing, packet filtering) will see the packet going to its real’ destination. It also means that the -i’ (incoming interface) option can be used.Destination NAT is specified using -j DNAT’, and the –to-destination’ option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).RedirectionThere is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface.Note that squid needs to be configured to know it’s a transparent proxy!返回搜狐查看更多责任编辑
