A few days ago I finished a static stateless 2-way NAT and wrote a few articles about it, but those focused on the theory; this article shows an application example. Before getting to the example, the difference between the static stateless 2-way NAT and Linux's native conntrack-based NAT should be stated. First, because the stateless NAT keeps no connection state, it places no limit on the number of connections: there is no maximum to hit. Second, if the lookup algorithm of the stateless NAT is good, it is also more efficient.

During the Harbin Changchun trip I wondered whether a NAPT could be built the same stateless way. It turned out to be hard. At the TCP/IP level the 5-tuple of a given connection cannot change during the connection's lifetime (for UDP it depends on the application), so when NAPT maps 5-tuples it must keep each mapping unique per connection, which means it has to identify the connection, and that is no longer stateless but stateful. An example illustrates the problem: suppose the 5-tuple of packet A of connection A is mapped to {sip-1, dip-1, tcp, sport-1, dport-1}, and the connection is then closed. What happens when, a long time later, a new TCP connection arrives with the same 5-tuple? Resolving this requires keeping a timer for each entry, and so on ... at which point it is better to just use conntrack NAT.
First, a simple topology diagram is given:
<client>  eth0:192.168.10.1
              |
              |
          eth0:192.168.10.254
<fwd>     [NAT box]
          eth1:192.168.184.254
              |
              |
          eth0:192.168.184.1
<fwd>
          eth1:192.168.1.1
              |
              |
<server>  eth0:192.168.1.8
In the topology above I want the client to pull a page from 1.2.1.2, where 1.2.1.2 is mapped to the server and port 12345 is mapped to port 80. The mapping is completely stateless and is performed by my static stateless 2-way NAT.
Before I wrote the iptables interface I used a procfs interface, which at that time did not yet support binding a rule to a device; the commands were:
echo '+1.2.1.2 192.168.1.8 dst tcp port-map 12345' >/proc/net/static_nat
echo '+192.168.184.250 192.168.184.154 src tcp' >/proc/net/static_nat
Later I added a more convenient iptables interface, so the configuration can now be done with the familiar iptables command; the rules still live in the nat table:
# iptables-save
# Generated by iptables-save v1.4.21 on Sun Dec 28 03:23:22 2014
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1484:204554]
-A PREROUTING -j static-2-way-nat --mapaddr 192.168.184.250-192.168.184.154 --type src --proto all --mapport 0-0 --dev eth1
-A POSTROUTING -j static-2-way-nat --mapaddr 1.2.1.2-192.168.1.8 --type dst --proto tcp --mapport 12345-80 --dev eth0
COMMIT
# Completed on Sun Dec 28 03:23:22 2014
Besides performing the translation, the module also keeps statistics of how many packets and how many bytes have gone through each NAT entry, in each direction. They are viewed like this:
# cat /proc/net/static_nat
Source trans table:
from:192.168.184.250 to:192.168.184.154 [All STATIC] [eth1] [bytes:1080 packet:23]
from:192.168.1.8 to:1.2.1.2 [TCP AUTO] Port map[from:80 to:12345] [eth0] [bytes:124 packet:3]
Destination trans table:
from:1.2.1.2 to:192.168.1.8 [TCP STATIC] Port map[from:12345 to:80] [eth0] [bytes:180 packet:4]
from:192.168.184.154 to:192.168.184.250 [All AUTO] [eth1] [bytes:5348 packet:90]
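To make the two rules and the statistics table above concrete, here is an added user-space model of how a static stateless 2-way NAT applies them. It is written for this article and is not the author's kernel module or its iptables plugin; the class and function names, the Packet fields and the sample trace (client address, packet lengths, the 192.168.184.1 DNS peer) are constructed for the demonstration, with the request and reply lengths for the 1.2.1.2 rule chosen to reproduce the 180/4 and 124/3 counters in the listing. Each configured rule translates in its STATIC direction and, with the mapping swapped onto the opposite address, in a derived AUTO direction; nothing is stored per connection.

```python
# Added example (not the author's module): user-space model of static stateless
# 2-way NAT rules and their per-entry counters. Names and sample data are constructed.
from dataclasses import dataclass, field


@dataclass
class Rule:
    orig: str       # left of --mapaddr: what the STATIC direction matches
    mapped: str     # right of --mapaddr: what it is rewritten to
    kind: str       # --type: "src" or "dst", the address the STATIC direction rewrites
    proto: str      # --proto: "tcp", "udp" or "all"
    mapport: tuple  # --mapport as (orig_port, mapped_port); (0, 0) = no port mapping
    dev: str        # --dev: interface the rule is bound to
    stats: dict = field(default_factory=lambda: {"STATIC": [0, 0], "AUTO": [0, 0]})


@dataclass
class Packet:
    dev: str  # interface the packet arrives on or leaves by when the rule runs
    sip: str
    dip: str
    proto: str
    sport: int
    dport: int
    length: int


class StaticNat:
    """Translation driven by the rule table alone: no connection entries, no timers."""

    def __init__(self, rules):
        self.rules = list(rules)

    def translate(self, pkt):
        """Rewrite pkt in place; returns (rule, "STATIC"|"AUTO") or None."""
        for r in self.rules:
            if r.dev != pkt.dev or r.proto not in ("all", pkt.proto):
                continue
            oport, mport = r.mapport
            a, p, ra, rp = ("dip", "dport", "sip", "sport") if r.kind == "dst" else ("sip", "sport", "dip", "dport")
            # STATIC direction: orig -> mapped on the address (and port) named in the rule
            if getattr(pkt, a) == r.orig and (oport == 0 or getattr(pkt, p) == oport):
                setattr(pkt, a, r.mapped)
                if oport:
                    setattr(pkt, p, mport)
                return self._count(r, "STATIC", pkt)
            # AUTO direction: the same mapping reversed on the opposite address.  This
            # derived twin, not a remembered connection, is what makes the NAT 2-way.
            if getattr(pkt, ra) == r.mapped and (oport == 0 or getattr(pkt, rp) == mport):
                setattr(pkt, ra, r.orig)
                if oport:
                    setattr(pkt, rp, oport)
                return self._count(r, "AUTO", pkt)
        return None

    @staticmethod
    def _count(rule, direction, pkt):
        rule.stats[direction][0] += pkt.length
        rule.stats[direction][1] += 1
        return rule, direction

    def dump(self):
        """Counters in the /proc/net/static_nat layout: entries that rewrite the
        source go to the Source table, the rest to the Destination table."""
        tables = {"Source trans table": [], "Destination trans table": []}
        for r in self.rules:
            proto = "All" if r.proto == "all" else r.proto.upper()
            for d, (frm, to), ports in (("STATIC", (r.orig, r.mapped), r.mapport),
                                        ("AUTO", (r.mapped, r.orig), r.mapport[::-1])):
                pm = "" if r.mapport == (0, 0) else f" Port map[from:{ports[0]} to:{ports[1]}]"
                b, n = r.stats[d]
                key = "Source" if (r.kind == "src") == (d == "STATIC") else "Destination"
                tables[key + " trans table"].append(
                    f"from:{frm} to:{to} [{proto} {d}]{pm} [{r.dev}] [bytes:{b} packet:{n}]")
        return tables


def make_nat():
    """The two rules from the iptables-save listing above."""
    return StaticNat([Rule("192.168.184.250", "192.168.184.154", "src", "all", (0, 0), "eth1"),
                      Rule("1.2.1.2", "192.168.1.8", "dst", "tcp", (12345, 80), "eth0")])


def run_trace():
    """Constructed trace: 4 client requests to 1.2.1.2:12345 and 3 replies (lengths
    chosen to reproduce the 180/4 and 124/3 counters), one packet with the right
    address but the wrong port, and one UDP exchange through the eth1 src rule."""
    nat = make_nat()
    trace = [Packet("eth0", "192.168.10.1", "1.2.1.2", "tcp", 40000, 12345, 45) for _ in range(4)]
    trace += [Packet("eth0", "192.168.1.8", "192.168.10.1", "tcp", 80, 40000, n) for n in (40, 40, 44)]
    trace.append(Packet("eth0", "192.168.10.1", "1.2.1.2", "tcp", 40001, 22, 45))  # port 22: no match
    trace.append(Packet("eth1", "192.168.184.250", "192.168.184.1", "udp", 5353, 53, 60))
    trace.append(Packet("eth1", "192.168.184.1", "192.168.184.154", "udp", 53, 5353, 120))
    return nat, [(p, nat.translate(p)) for p in trace]


def stateless_reply():
    """A server-to-client packet for a flow the box never saw a request for is still
    translated: with no connection table there is nothing to miss in."""
    nat = make_nat()
    p = Packet("eth0", "192.168.1.8", "192.168.10.77", "tcp", 80, 5555, 40)
    nat.translate(p)
    return p.sip, p.sport


if __name__ == "__main__":
    nat, _ = run_trace()
    print("\n".join(f"{k}:\n" + "\n".join(v) for k, v in nat.dump().items()))
```

Two things the model makes visible. `stateless_reply()` translates a server-side packet although the box never saw the matching request; a conntrack-based NAT only reverses a mapping for a flow it holds an entry for. And the port is part of the match, so `--mapport 12345-80` has to be written explicitly: ports cannot be allocated per connection, which is exactly the NAPT limitation discussed at the start of the article.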
The granularity of the statistics matters. It would of course be nicer still to be able to tell exactly which packets went through NAT and to print full packet details, but that would cost a lot of time and space, so a trade-off had to be made.
Static stateless 2-way NAT on Linux with iptables: an application example