Network: DNAT and SNAT in practice


NAT comes in two flavours, SNAT and DNAT. The names say which address gets rewritten:

SNAT replaces the source IP address with the address of the egress network, so that internal addresses can reach external services. Public IPs are scarce, so a group of internal hosts that need to reach the outside share one egress that acts as their proxy; the egress carries the public IP, which is what lets replies to the packets it sent find their way back.

DNAT replaces the destination IP address with the address of the real service, so that external addresses can reach an internal service. It is typically used to expose an internal service to the public network behind a single entry address.

We use PC1 and EXT to simulate two different subnets (think of them as an internal network and the outside); PXY is the gateway between them.

First create the namespaces and veth pairs the experiment needs:

ip netns add PC1
ip netns add PXY
ip netns add EXT
ip link add PC1_PXY type veth peer name PXY_PC1
ip link add PXY_EXT type veth peer name EXT_PXY
ip link set PC1_PXY netns PC1
ip link set EXT_PXY netns EXT
ip link set PXY_PC1 netns PXY
ip link set PXY_EXT netns PXY

SNAT experiment

Goal: from inside PC1, ping 2.2.2.2 and 100.100.100.2, both of which live in EXT.

Base configuration

PC1 configuration

[root@i-pvirg1hu ~]# ip netns exec PC1 bash
[root@i-pvirg1hu ~]# ip address add 192.168.1.1/24 dev PC1_PXY
[root@i-pvirg1hu ~]# ip link set PC1_PXY up

Add the route to the gateway:

[root@i-pvirg1hu ~]# ip route add default dev PC1_PXY via 192.168.1.254

PXY configuration

[root@i-pvirg1hu ~]# ip netns exec PXY bash
[root@i-pvirg1hu ~]# ip address add 192.168.1.254/24 dev PXY_PC1
[root@i-pvirg1hu ~]# ip address add 100.100.100.1/24 dev PXY_EXT
[root@i-pvirg1hu ~]# ip link set PXY_PC1 up
[root@i-pvirg1hu ~]# ip link set PXY_EXT up

Check the current routing table:

[root@i-pvirg1hu ~]# ip r
100.100.100.0/24 dev PXY_EXT proto kernel scope link src 100.100.100.1
192.168.1.0/24 dev PXY_PC1 proto kernel scope link src 192.168.1.254

Add the gateway's default route:

[root@i-pvirg1hu ~]# ip route add default dev PXY_EXT via 100.100.100.2

PXY also has to forward IPv4 between its two interfaces: net.ipv4.ip_forward must be 1 inside the PXY namespace (it is a per-namespace sysctl). If the pings below still fail once the NAT rule is in place, that is the first thing to check.

EXT configuration

[root@i-pvirg1hu ~]# ip netns exec EXT bash
[root@i-pvirg1hu ~]# ip address add 100.100.100.2/24 dev EXT_PXY
[root@i-pvirg1hu ~]# ip link set EXT_PXY up

SVR, a dummy interface standing in for a server at 2.2.2.2:

[root@i-pvirg1hu ~]# ip link add SVR type dummy
[root@i-pvirg1hu ~]# ip address add 2.2.2.2/32 dev SVR
[root@i-pvirg1hu ~]# ip link set SVR up

Check the current routing table:

[root@i-pvirg1hu ~]# ip r
100.100.100.0/24 dev EXT_PXY proto kernel scope link src 100.100.100.2

With the base configuration done, PC1 still cannot ping 2.2.2.2 or 100.100.100.2. The echo requests do reach EXT, but with source address 192.168.1.1, and EXT has neither a route for 192.168.1.0/24 nor a default route, so its replies have nowhere to go.

Configuring SNAT

Now add the SNAT rule on PXY:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to 100.100.100.1

With SNAT in place, both 2.2.2.2 and 100.100.100.2 answer pings from PC1.

A detailed look at this iptables command:

iptables -t nat: operate on the nat table, the table used to rewrite packets' source or destination addresses.

-A POSTROUTING: append the rule to the POSTROUTING chain, the last point at which a packet can be modified before it leaves this host.

-s 192.168.1.0/24: match only packets whose source address is within 192.168.1.0/24, i.e. traffic originating from that subnet.

-j SNAT --to 100.100.100.1: for matching packets perform SNAT (Source Network Address Translation), i.e. rewrite the source IP; --to 100.100.100.1 sets the new source address to 100.100.100.1.

In short, the rule says:

In the POSTROUTING chain of the nat table, apply SNAT to packets from 192.168.1.0/24, rewriting their source IP to 100.100.100.1.

This is the usual way internal users reach the Internet: their private addresses are translated to the public address, here 100.100.100.1, as traffic leaves. Only the first packet of each flow is matched against the rule; conntrack records the translation and undoes it on the replies, which is why no rule for the return direction is needed. Masking internal addresses this way does hide the topology from the outside, but it is not an access control: SNAT says nothing about which internal hosts may reach which external services, and conntrack admits the return traffic of any flow the inside initiated, so actual filtering still belongs in the filter table's FORWARD chain.

Capture to check

On PC1 run ping -c 5 100.100.100.2.

Then capture on EXT with tcpdump -i EXT_PXY -nel. The source address has indeed been rewritten to 100.100.100.1:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on EXT_PXY, link-type EN10MB (Ethernet), capture size 262144 bytes

16:05:07.133629 1a:80:9a:d3:7c:a5 > 92:b9:5f:97:29:de, ethertype IPv4 (0x0800), length 98: 100.100.100.1 > 100.100.100.2: ICMP echo request, id 13262, seq 1, length 64

16:05:07.133641 92:b9:5f:97:29:de > 1a:80:9a:d3:7c:a5, ethertype IPv4 (0x0800), length 98: 100.100.100.2 > 100.100.100.1: ICMP echo reply, id 13262, seq 1, length 64

16:05:08.160148 1a:80:9a:d3:7c:a5 > 92:b9:5f:97:29:de, ethertype IPv4 (0x0800), length 98: 100.100.100.1 > 100.100.100.2: ICMP echo request, id 13262, seq 2, length 64

16:05:08.160173 92:b9:5f:97:29:de > 1a:80:9a:d3:7c:a5, ethertype IPv4 (0x0800), length 98: 100.100.100.2 > 100.100.100.1: ICMP echo reply, id 13262, seq 2, length 64

16:05:09.185148 1a:80:9a:d3:7c:a5 > 92:b9:5f:97:29:de, ethertype IPv4 (0x0800), length 98: 100.100.100.1 > 100.100.100.2: ICMP echo request, id 13262, seq 3, length 64

16:05:09.185186 92:b9:5f:97:29:de > 1a:80:9a:d3:7c:a5, ethertype IPv4 (0x0800), length 98: 100.100.100.2 > 100.100.100.1: ICMP echo reply, id 13262, seq 3, length 64

16:05:10.208447 1a:80:9a:d3:7c:a5 > 92:b9:5f:97:29:de, ethertype IPv4 (0x0800), length 98: 100.100.100.1 > 100.100.100.2: ICMP echo request, id 13262, seq 4, length 64

16:05:10.208497 92:b9:5f:97:29:de > 1a:80:9a:d3:7c:a5, ethertype IPv4 (0x0800), length 98: 100.100.100.2 > 100.100.100.1: ICMP echo reply, id 13262, seq 4, length 64

16:05:11.232869 1a:80:9a:d3:7c:a5 > 92:b9:5f:97:29:de, ethertype IPv4 (0x0800), length 98: 100.100.100.1 > 100.100.100.2: ICMP echo request, id 13262, seq 5, length 64

16:05:11.232910 92:b9:5f:97:29:de > 1a:80:9a:d3:7c:a5, ethertype IPv4 (0x0800), length 98: 100.100.100.2 > 100.100.100.1: ICMP echo reply, id 13262, seq 5, length 64

16:05:12.224767 1a:80:9a:d3:7c:a5 > 92:b9:5f:97:29:de, ethertype ARP (0x0806), length 42: Request who-has 100.100.100.2 tell 100.100.100.1, length 28

16:05:12.224863 92:b9:5f:97:29:de > 1a:80:9a:d3:7c:a5, ethertype ARP (0x0806), length 42: Reply 100.100.100.2 is-at 92:b9:5f:97:29:de, length 28

Going deeper

todo

DNAT experiment

Goal: when EXT pings 100.100.100.1, the packets should arrive at PC1.

Add the DNAT rule on PXY:

iptables -t nat -A PREROUTING -d 100.100.100.1 -j DNAT --to-destination 192.168.1.1

This command installs a DNAT (destination NAT) rule that redirects packets addressed to 100.100.100.1 to 192.168.1.1. Piece by piece:

iptables -t nat -A PREROUTING: append a rule to the PREROUTING chain of the nat table. PREROUTING is traversed as a packet enters this host, before the routing decision, so the rewritten destination is what routing sees.

-d 100.100.100.1: match only packets whose destination address is 100.100.100.1.

-j DNAT: for matching packets perform DNAT, which rewrites the destination IP address.

--to-destination 192.168.1.1: the new destination address is 192.168.1.1.

Taken together: when a packet's destination is 100.100.100.1, change that destination to 192.168.1.1. This is the mechanism behind port forwarding and publishing an internal host, for example sending traffic for 100.100.100.1:80 on to 192.168.1.1:80. Note that the rule as written has no -p or --dport match, so it diverts every protocol and port aimed at 100.100.100.1 to PC1, including traffic meant for the gateway itself. Outside a lab, narrow it to the service being exposed and to the external interface, for example -i PXY_EXT -p tcp --dport 9999 with --to-destination 192.168.1.1:9999.
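The SNAT and DNAT explanations above say what each rule rewrites, but not what happens to the reply, nor why the ping failed before the SNAT rule existed. What follows is an added example, not code from the original post: a small Python model of the PXY gateway's packet walk (nat PREROUTING, then the routing decision, then nat POSTROUTING, with a conntrack table that stores the translation of a flow's first packet and applies the inverse to replies), run over the lab's own addresses and the two rules exactly as written. The Packet and Gateway classes, ext_can_reply and scenarios are this example's inventions, as is the narrowed tcp/9999 rule in the last scenario; the port-22 and port-9999 packets are constructed samples. Python is used here because the point is to reason about the packet walk offline, without root or network namespaces.

```python
# Added example, not from the original post: a model of PXY's packet walk
# (nat PREROUTING -> routing -> nat POSTROUTING, plus conntrack) run over the
# lab's addresses and rules. All names here are invented; packets constructed.
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str = "icmp"
    sport: int = 0   # for ICMP echo: the identifier (same value in dport)
    dport: int = 0

    def reverse(self):
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)


class Gateway:
    """Only a flow's first packet consults the nat rules; conntrack stores the
    translation and applies its inverse to replies (no 'reverse' rule needed)."""
    def __init__(self, routes, local):
        self.routes = [(ip_network(n), dev) for n, dev in routes]
        self.local = set(local)  # addresses owned by the gateway itself
        self.dnat_rules = []     # (dst prefix, proto|None, dport|None, new dst)
        self.snat_rules = []     # (src prefix, new src)
        self.conntrack = {}      # packet as received -> packet as it must leave

    def add_dnat(self, dst, to, proto=None, dport=None):
        self.dnat_rules.append((ip_network(dst), proto, dport, to))

    def add_snat(self, src, to):
        self.snat_rules.append((ip_network(src), to))

    def route(self, dst):
        """Longest-prefix match; 'local' means delivered to the gateway."""
        if dst in self.local:
            return "local"
        hits = [(n, d) for n, d in self.routes if ip_address(dst) in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def forward(self, pkt):
        """Return (egress, packet as it leaves), or None if unroutable."""
        if pkt in self.conntrack:                        # established or reply
            out = self.conntrack[pkt]
            return self.route(out.dst), out
        out = pkt
        for net, proto, dport, to in self.dnat_rules:    # PREROUTING
            if (ip_address(out.dst) in net and proto in (None, out.proto)
                    and dport in (None, out.dport)):
                out = out._replace(dst=to)
                break
        dev = self.route(out.dst)                        # routed on the NEW dst
        if dev is None:
            return None
        if dev != "local":                               # POSTROUTING
            for net, to in self.snat_rules:
                if ip_address(out.src) in net:
                    out = out._replace(src=to)
                    break
        self.conntrack[pkt] = out                        # original direction
        self.conntrack[out.reverse()] = pkt.reverse()    # reply direction
        return dev, out


PXY_ROUTES = [("192.168.1.0/24", "PXY_PC1"), ("100.100.100.0/24", "PXY_EXT"),
              ("0.0.0.0/0", "PXY_EXT")]
PXY_ADDRS = ["192.168.1.254", "100.100.100.1"]
EXT_ROUTES = [ip_network("100.100.100.0/24")]  # EXT has no default route


def ext_can_reply(pkt):
    # EXT can only answer a packet whose source it has a route back to.
    return any(ip_address(pkt.src) in n for n in EXT_ROUTES)


def scenarios():
    """Run the lab's experiments through the model; values are (egress, Packet)."""
    r = {}
    ping = Packet("192.168.1.1", "100.100.100.2", "icmp", 13262, 13262)
    # 1. No nat rules: EXT receives a private source it has no route back to.
    r["no_nat"] = Gateway(PXY_ROUTES, PXY_ADDRS).forward(ping)
    r["no_nat_reply_ok"] = ext_can_reply(r["no_nat"][1])
    # 2. The page's SNAT rule; the reply is un-NATed by conntrack, not a rule.
    gw = Gateway(PXY_ROUTES, PXY_ADDRS)
    gw.add_snat("192.168.1.0/24", "100.100.100.1")
    r["snat"] = gw.forward(ping)
    r["snat_reply_ok"] = ext_can_reply(r["snat"][1])
    r["snat_reply"] = gw.forward(r["snat"][1].reverse())
    # 3. The page's DNAT rule has no -p/--dport: even a SYN to PXY's port 22 goes to PC1.
    gw.add_dnat("100.100.100.1/32", "192.168.1.1")
    ssh = Packet("100.100.100.2", "100.100.100.1", "tcp", 40000, 22)
    r["dnat_any"] = gw.forward(ssh)
    # 4. Narrowed rule (this example's hardening, not on the page): only tcp/9999 forwards.
    narrow = Gateway(PXY_ROUTES, PXY_ADDRS)
    narrow.add_dnat("100.100.100.1/32", "192.168.1.1", proto="tcp", dport=9999)
    r["narrow_ssh"] = narrow.forward(ssh)
    r["narrow_nc"] = narrow.forward(ssh._replace(sport=40001, dport=9999))
    return r
```

Calling scenarios() makes four things visible that the rules alone do not: without NAT the request leaves PXY with source 192.168.1.1 and EXT cannot route the reply; with SNAT the reply addressed to 100.100.100.1 is mapped back to 192.168.1.1 by the conntrack entry, which is also why the DNAT rule listed in the nat table does not hijack that reply; the page's DNAT rule diverts every protocol and port, so a TCP connection from EXT to the gateway's own port 22 ends up at PC1; and the narrowed rule forwards only tcp/9999 while port 22 stays local to the gateway.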

After adding the rule, check with iptables -t nat -vnL; the rule is there. Note that the counters on nat-table rules only count the first packet of each connection (later packets of a flow are handled by conntrack without traversing the nat table), so they will not match the number of pings sent:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- * * 0.0.0.0/0 100.100.100.1 to:192.168.1.1

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 336 SNAT all -- * * 192.168.1.0/24 0.0.0.0/0 to:100.100.100.1

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Next, on EXT run ping -c 5 100.100.100.1, then capture on PC1_PXY inside PC1 to see the effect. The requests arrive with their destination already rewritten to 192.168.1.1, and PC1 answers 100.100.100.2 directly:

dropped privs to tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on PC1_PXY, link-type EN10MB (Ethernet), capture size 262144 bytes

14:39:51.535160 96:20:c1:bf:de:38 > f2:59:8f:fd:4c:1f, ethertype IPv4 (0x0800), length 98: 100.100.100.2 > 192.168.1.1: ICMP echo request, id 5192, seq 1, length 64

14:39:51.535174 f2:59:8f:fd:4c:1f > 96:20:c1:bf:de:38, ethertype IPv4 (0x0800), length 98: 192.168.1.1 > 100.100.100.2: ICMP echo reply, id 5192, seq 1, length 64

14:39:52.570353 96:20:c1:bf:de:38 > f2:59:8f:fd:4c:1f, ethertype IPv4 (0x0800), length 98: 100.100.100.2 > 192.168.1.1: ICMP echo request, id 5192, seq 2, length 64

14:39:52.570377 f2:59:8f:fd:4c:1f > 96:20:c1:bf:de:38, ethertype IPv4 (0x0800), length 98: 192.168.1.1 > 100.100.100.2: ICMP echo reply, id 5192, seq 2, length 64

14:39:53.594362 96:20:c1:bf:de:38 > f2:59:8f:fd:4c:1f, ethertype IPv4 (0x0800), length 98: 100.100.100.2 > 192.168.1.1: ICMP echo request, id 5192, seq 3, length 64

14:39:53.594386 f2:59:8f:fd:4c:1f > 96:20:c1:bf:de:38, ethertype IPv4 (0x0800), length 98: 192.168.1.1 > 100.100.100.2: ICMP echo reply, id 5192, seq 3, length 64

14:39:54.618336 96:20:c1:bf:de:38 > f2:59:8f:fd:4c:1f, ethertype IPv4 (0x0800), length 98: 100.100.100.2 > 192.168.1.1: ICMP echo request, id 5192, seq 4, length 64

14:39:54.618363 f2:59:8f:fd:4c:1f > 96:20:c1:bf:de:38, ethertype IPv4 (0x0800), length 98: 192.168.1.1 > 100.100.100.2: ICMP echo reply, id 5192, seq 4, length 64

14:39:55.642347 96:20:c1:bf:de:38 > f2:59:8f:fd:4c:1f, ethertype IPv4 (0x0800), length 98: 100.100.100.2 > 192.168.1.1: ICMP echo request, id 5192, seq 5, length 64

14:39:55.642371 f2:59:8f:fd:4c:1f > 96:20:c1:bf:de:38, ethertype IPv4 (0x0800), length 98: 192.168.1.1 > 100.100.100.2: ICMP echo reply, id 5192, seq 5, length 64

Verify with nc. Listen on a port in PC1:

nc -l -p 9999

Connect from EXT:

nc 100.100.100.1 9999

Messages typed in PC1 arrive in EXT, so DNAT works.


Source link: http://m.gantiao.com.cn/post/19467904.html
