
6. Saying How To Mangle The Packets

So now we know how to select the packets we want to mangle. To complete our rule, we need to tell the kernel exactly what we want it to do to those packets.

6.1 Source NAT

You want to do Source NAT: change the source address of connections to something different. This is done in the POSTROUTING chain, just before the packet is finally sent out; this is an important detail, since it means that anything else on the Linux box itself (routing, packet filtering) only ever sees the packet unchanged. It also means that the `-o' (outgoing interface) option can be used.

Source NAT is specified using `-j SNAT', and the `--to-source' option specifies an IP address, or a range of IP addresses, and an optional port or range of ports (for the UDP and TCP protocols only).

## Change source addresses to 1.2.3.4.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6

## Change source addresses to 1.2.3.4, ports 1-1023
# iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023

Masquerading

There is a specialized case of Source NAT called masquerading: it should only be used for dynamically-assigned IP addresses, such as standard dialups (for static IP addresses, use SNAT as described above).

You don't need to put in the source address explicitly with masquerading: it uses the address of the interface the packet is going out of as the source address. More importantly, if the link goes down, the connections (which are lost anyway) are forgotten too, since they would otherwise cause trouble when the link comes back up with a new IP address.

## Masquerade everything out ppp0.
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

6.2 Destination NAT

This is done in the PREROUTING chain, just as the packet comes in; this means that anything else on the box itself (routing, packet filtering) sees the packet going to its `real' destination. It also means that the `-i' (incoming interface) option can be used here.

If you need to change the destination of locally generated packets, the OUTPUT chain can be used, but this is not often needed.

Destination NAT is specified using `-j DNAT', and the `--to-destination' option specifies an IP address, or a range of IP addresses, and an optional port or range of ports (for the UDP and TCP protocols only).

## Change destination addresses to 5.6.7.8
# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8

## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8-5.6.7.10

## Change destination addresses of web traffic to 5.6.7.8, port 8080.
# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 \
        -j DNAT --to 5.6.7.8:8080

## Redirect local packets to 1.2.3.4 to loopback.
# iptables -t nat -A OUTPUT -d 1.2.3.4 -j DNAT --to 127.0.0.1

Redirection

There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface.

## Send incoming port-80 web traffic to our squid (transparent) proxy
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
        -j REDIRECT --to-port 3128

6.3 Mappings In Detail

There are some subtleties of NAT which most people will never have to deal with. They are discussed here for the curious:

Selection of Multiple Addresses in a Range

If a range of IP addresses is given, the address to use is chosen as the one least currently used for the connections the machine knows about. This gives primitive load-balancing.

Creating Null NAT Mappings

You can use the `-j ACCEPT' target to let a connection through without any NAT taking place.

Standard NAT Behaviour

The default behaviour is to alter the connection as little as possible, within the constraints of the rule given by the user. In other words, ports are not remapped unless they have to be.

Implicit Source Port Mapping

Even if no NAT is required for a connection, source port translation may still have to take place, if another connection has already been mapped over the new one. Consider the case of masquerading, which is fairly common:

  1. A web connection is established by a machine at 192.1.1.1, from port 1024, to www.netscape.com port 80.
  2. It is masqueraded by the masquerading box, using the box's own IP address (1.2.3.4).
  3. The masquerading box itself tries to make a web connection from 1.2.3.4 (its external interface address) port 1024 to www.netscape.com port 80.
  4. The NAT code then changes the source port of the second connection to 1025, so that the two connections do not clash.

When this implicit source mapping occurs, ports are divided into three classes:

A port will never be implicitly mapped into a different class.

What Happens When NAT Fails

If there is no way to uniquely map a connection as the user requests, the connection is dropped. The same happens to packets which cannot be classified as part of any connection, because they are malformed, or the box is out of memory, and so on.

Multiple Mappings, Overlap and Clashes

You can have NAT rules which map packets onto the same range; the NAT code is clever enough to avoid clashes. So having two rules which map the source addresses 192.168.1.1 and 192.168.1.2 respectively onto 1.2.3.4 is perfectly fine.

Moreover, you can map onto real, already-used IP addresses, as long as those addresses pass through the mapping box as well. So if you have been assigned a network (1.2.3.0/24), but have one internal network using those addresses and another using the private addresses 192.168.1.0/24, you can simply NAT the 192.168.1.0/24 source addresses onto the 1.2.3.0 network, without fear of clashes:
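The following is an added toy model of the mapping rules described in this section (least-used address in a range, keep the source port unless it clashes, implicit source-port remapping, and dropping when no unique mapping exists); it is not the kernel's connection-tracking code and not part of the HOWTO. The address pool, port range and the hostname used as a destination label are constructed inputs.

```python
# Added simulation of SNAT/masquerade mapping behaviour (not kernel code):
#  - pick the least currently used address of the --to-source range,
#  - keep the original source port unless the mapped tuple would clash,
#  - otherwise remap the port implicitly, and drop if nothing is free.

class SnatTable:
    def __init__(self, pool, port_range=(1024, 65535)):
        self.pool = list(pool)         # addresses given to --to-source (constructed)
        self.lo, self.hi = port_range  # ports the box may choose when remapping (assumed)
        self.forward = {}              # (src, sport, dst, dport) -> mapped tuple
        self.reverse = {}              # mapped tuple -> original tuple

    def _least_used(self):
        # "least currently used IP for connections the machine knows about";
        # ties are broken by position in the range.
        used = {ip: 0 for ip in self.pool}
        for ip, _sport, _dst, _dport in self.reverse:
            used[ip] += 1
        return min(self.pool, key=lambda ip: (used[ip], self.pool.index(ip)))

    def translate(self, src, sport, dst, dport):
        key = (src, sport, dst, dport)
        if key in self.forward:        # later packets of a known connection keep their mapping
            return self.forward[key]
        new_ip = self._least_used()
        # Standard behaviour: try the original port first, remap only on a clash.
        candidates = [sport] + [p for p in range(self.lo, self.hi + 1) if p != sport]
        for port in candidates:
            mapped = (new_ip, port, dst, dport)
            if mapped not in self.reverse:
                self.forward[key] = mapped
                self.reverse[mapped] = key
                return mapped
        return None                    # no unique mapping possible: the packet is dropped

    def untranslate_reply(self, reply_src, reply_sport, reply_dst, reply_dport):
        # A reply is addressed to the mapped tuple; recover the original one.
        return self.reverse.get((reply_dst, reply_dport, reply_src, reply_sport))


def masquerade_example():
    """The four-step scenario above: an inside host and the box itself both use port 1024."""
    nat = SnatTable(["1.2.3.4"])       # masquerading box's external address
    inside = nat.translate("192.1.1.1", 1024, "www.netscape.com", 80)
    # The box's own connection needs no address change, but its port still clashes.
    local = nat.translate("1.2.3.4", 1024, "www.netscape.com", 80)
    reply = nat.untranslate_reply("www.netscape.com", 80, local[0], local[1])
    return inside, local, reply
```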

# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
        -j SNAT --to 1.2.3.0/24

The same applies to addresses used by the NAT box itself: this is in fact how masquerading works (the interface address is shared between masqueraded packets and the `real' packets coming from the box itself).

Moreover, you can map the same packets onto many different targets, and they will all be shared. For example, if you don't want to map anything onto 1.2.3.5, you can do:

# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
        -j SNAT --to 1.2.3.0-1.2.3.4 --to 1.2.3.6-1.2.3.254

Changing The Destination of Locally Generated Connections

If the destination of a locally generated packet is changed (e.g. using the OUTPUT chain) and this causes the packet to go out a different interface, the source address is changed to that interface's address as well. For example, changing the destination of a loopback packet so that it goes out eth0 will also change its source address from 127.0.0.1 to the address of eth0; unlike other source address mappings, this is done immediately. Of course, all of these mappings are reversed when the reply packets come in.

