Next Previous Contents

5. ±±¨î­þ¨Ç­n NAT

±z»Ý­n«Ø¥ß¤@¨Ç NAT ³W«h¡M¨Ó§i¶D®Ö¤ß­þ¨Ç³s½u­n§ïÅÜ¡M¦P®É¦p¦ó¥h§ïÅÜ¥¦­Ì¡C­n°µ¨ì³oÂI¡M§Ú­Ì»Ý­n¤@­Ó«D±`¦h¥Î³ ªº iptables ¤u¨ã¡M¦P®É«ü©w `-t nat' ¿ï¶µ§i¶D¥¦¥h­×§ï NAT ªí®æ¡C

NAT ³W«hªºªí®æ§t¦³¤T­Ó¦Cªí¥s°µ`chains' ¡R¨C¤@±ø³W«h³£«ö¶¶§ÇÀˬd¡Mª½¨ì§ä¨ì¤@­Ó¬Û²Åªº¤ñ¹ï¡C¸Ó¤T­ÓÃì´N¥s°µ PREROUTING (¹ï Destination NAT ¨Ó»¡¡M¦]¬°«Ê¥]­º¥ý¬O¶Ç¤Jªº)¡NPOSTROUTING (¹ï Source NAT ¨Ó»¡¡M¦]¬°«Ê¥]¬OÂ÷¶}ªº)¡N¥H¤Î OUTPUT (¹ï Destination NAT ¨Ó»¡¡M¬O«ü¨º¨Ç¥Ñ¥»¾÷²£¥Íªº«Ê¥])¡C

°²¦p§Ú°÷ÃÀ³N¤Ñ¥÷ªº¸Ü¡M¤U­±ªº¹Ï¥Ü±N·Ç½T¼ÒÀÀ¥X¤W­±©Ò»¡ªº·§©À¡C

      _____                                     _____
     /     \                                   /     \
   PREROUTING -->[Routing ]----------------->POSTROUTING----->
     \D-NAT/     [Decision]                    \S-NAT/
                     |                            ^
                     |                          __|__
                     |                         /     \
                     |                        | OUTPUT|
                     |                         \D-NAT/
                     |                            ^
                     |                            |
                     --------> Local Process ------

©ó«e­zªº¨C¤@ÂI¡M·í¤@­Ó«Ê¥]³q¹L§Ú­Ì­n¬d¬Ýªº¬ÛÃö³s½u¤§®É¡M¦pªG¥¦¬O¤@­Ó·s«Ø³s½u¡M§Ú­Ì¬d¬Ý¥¦¦b NAT ªí®æ¸Ì¹ïÀ³ªºÃì¡M¬Ý¬Ý¯à¹ï¤§°µ¨Ç¤°»ò°Ê§@¡C¦Ó¥Ñ¦¹Àò±oªºµª®×´NÀ³¥Î©ó¸Ó³s½u±N¨Óªº©Ò¦³«Ê¥]¡C

5.1 ¥Î iptables °µÂ²³æªº¿ï¾Ü

iptables ¨ã¦³¦p«á©Ò¦Cªº³\¦h¼Ð·Ç¿ï¶µ¡C©Ò¦³¨º¨Ç±aÂù´î¸¹ªº¿ï¶µ³£¬O¥i¥HÁY¼gªº¡M¥u­n iptables ¤´¥i±N¤§»P¨ä¥¦¥i¯àªº¿ï¶µ°Ï¤À¶}¨Ó´N¦æ¡C¦pªG±zªº®Ö¤ß¥H¼Ò²Õ§Î¦¡¨Ó¤ä´© iptables ¡M±z´N»Ý­n­º¥ý¸ü¤J ip_tables.o ¡R `insmod ip_tables'¡C

³o¸Ì¡M³Ì­«­nªº¤@­Ó¿ï¶µ¬Oªí®æ¿ï¾Ü¿ï¶µ¡R `-t' ¡C¹ï©ó©Ò¦³ªº NAT ¾Þ§@¡M±z·|·Q¥Î `-t nat' ¨Óªí¥Ü NAT ªí®æ¡C²Ä¤G­Ó­«­nªº¿ï¶µ¬O¥H `-A' ¼W¥[¤@±ø·s³W«h¦ÜÃ쪺¥½ºÝ (¦p¡R`-A POSTROUTING')¡M©Î¥H `-I' ´¡¤J¦Ü«eºÝ(¦p¡R`-I PREROUTING')¡C

±z¥i¥H«ü©w±z­n°µ NAT ªº«Ê¥]¨Ó·½¦a§} (`-s' ©Î `--source') »P¥Øªº¦a (`-d' or `--destination')¡C³o¨â­Ó¿ï¶µ«á­±¥i¥H«á±µ¤@­Ó³æ¤@ªº IP ¦a§} (¦p¡R192.168.1.1)¡M©Î¤@­Ó¦WºÙ (¦p¡R www.gnumonks.org)¡M©Î¤@­Óºô¸ô¦a§} (¦p¡R192.168.1.0/24 ©Î 192.168.1.0/255.255.255.0)¡C

±z¤]¥i¥H«ü©w­n¤ñ¹ïªº¶Ç¤J (`-i' ©Î `--in-interface') ©M¶Ç¥X (`-o' or `--out-interface') ¬É­±¡M¦ý­þ¤@­Ó¬É­±¥i¥H«ü©w«h¨ú¨M©ó±z­n±N³W«h¼g¤J­þ¤@­ÓÃì¥h¡R¹ï©ó PREROUTING ¡M±z¥i¥H¿ï¾Ü¶Ç¤J¬É­±¡M¦ý¹ï©ó POSTROUTING (¥H¤Î OUTPUT)¡M±z¥i¥H¿ï¾Ü¶Ç¥X¬É­±¡C¦pªG±z¤£¤p¤ß¥Î¿ù¤F¡M iptables ´N·|µ¹±z¤@­Ó¿ù» ¡C

5.2 Ãö©ó¬D¿ï­þ¨Ç«Ê¥]¨Ó mangle ªº²Ó¸`

§Ú«e­±¤w¸g»¡¹L¡M±z¥i¥H«ü©w¨Ó·½©M¥Øªº¦a¦a§}¡C¦pªG±z¬Ù²¤¨Ó·½¦a§}ªº¿ï¶µ¡M¨º»ò´Nªx«ü¥ô¦ó¨Ó·½¡C¦pªG±z¬Ù²¤¥Øªº¦a¦a§}¡M«hªx«ü©Ò¦³¥Øªº¦a¦a§}¡C

±zÁÙ¥i¥H«ü©w¤@­Ó¯S©w¨ó©w (`-p' or `--protocol')©O¡M¨Ò¦p TCP ©Î UDP¡R¥u¦³³o¨Ç¨ó©wªº«Ê¥]¤ ²Å¦X¸Ó³W«h¡C¨ä¥D­n­ì¦]¬O¡M«ü©w tcp ©Î udp ¨ó©w¥i¥H¤¹³\§ó¦h¿ï¶µ¡R¤×¨ä¬O `--source-port' »P `--destination-port' ¿ï¶µ (ÁY¼g¬° `--sport' »P `--dport' )¡C

³o¨Ç¿ï¶µ¥i¥HÅý±z«ü©w¥u¦³­þ¨Ç¯S©w¨Ó·½©M¥Øªº¦a°ð¤fªº«Ê¥]¤ ²Å¦X¸Ó³W«h¡C³o¦b±z­n­«¾É web ½Ð¨D (TCP port 80 ©Î 8080) ¦ý¤S©È¼vÅT¨ä¥¦«Ê¥]ªº®É­Ô¡M´N«Ü¦n¥Î¤F¡C

³o¨Ç¿ï¶µ¥²¶·±µ¦b `-p' ¿ï¶µªº«á­±(³o·|¦b¬°¸Ó¨ó©w¸ü¤J¦@¨É¨ç¦¡®w®É¦³°Æ§@¥Î)¡C±z¥i¥H¨Ï¥Î°ð¤f¸¹½X¡M©ÎªÌ¬O¦b /etc/services Àɤ¤ªº¦WºÙ¡C

©Ò¦³³o¨Ç±z¯à¿ï¾Üªº«Ê¥]¤§¤£¦P« ½è¡M³£¸Ô²Ó¦C¦b¨º­Ó¸Ô²Ó±o¦³ÂI®£©Æªº manual page ¤¤¤F(man iptables)¡C

Next Previous Contents