NAT between Cisco and Linux

Source: Internet
Author: User
Linux has always used stateful NAT based on connection tracking. Although xtables-addons implements a stateless static NAT (RAWNAT), it is still not flexible enough to do the kind of NAT Cisco does. This article gives a high-level explanation; it will not help with actual configuration, but it can help you better understand how the Linux and Cisco systems are built.
1. Cisco Solution

A Cisco router explicitly assigns the roles inside and outside to physical interfaces, and then defines NAT rules according to the direction of the traffic. Once NAT is enabled, the system holds a bidirectional NAT mapping table. How its entries are populated depends on whether the NAT is static or dynamic: if static, both mapping tables are filled as soon as configuration is complete; if dynamic, entries are created when a packet first matches the access-list. The Cisco NAT configuration is as follows:
Source address translation when the intranet goes out:
ip nat inside source (dynamic, static) / ip nat inside destination (static)
Destination address translation when the intranet goes out:
ip nat inside destination (dynamic, static) / ip nat outside source (static)
Destination address translation from the Internet to the intranet:
ip nat outside destination
2. Linux Solution

Linux internally defines the five hook points a packet passes through. In Linux, an interface is only a match; NAT is configured entirely in terms of logical fields and has nothing to do with physical interfaces. There is no global NAT mapping table like Cisco's: in Linux, NAT is only a target, which acts on every packet that matches its rule, and the protocol stack does not query a NAT table for each packet to obtain NAT information. The NAT configuration in Linux is as follows:
Source address translation for intranet egress:
iptables -t nat -A POSTROUTING $matches -o $outside -j SNAT --to-source
Destination address translation for intranet egress:
iptables -t nat -A PREROUTING $matches -i $inside -j DNAT --to-destination
Destination address translation from the Internet to the intranet:
iptables -t nat -A PREROUTING $matches -i $outside -j DNAT --to-destination
3. Comparison

The analysis above shows that Linux NAT is an action applied to packets that match a rule at a specific point on the kernel path, and a match is always required (even an empty one). Cisco NAT acts on traffic according to its inbound or outbound direction; the match is separated out as an access-list, and only for dynamic NAT.
In the Linux implementation, because the IP address itself is a match, there is no way to implement Cisco-style static NAT with a single iptables rule: both the match and the target of iptables NAT involve the address itself. In other words, the following logic is enforced: if some condition is met, an action is executed. For NAT, the action is only the address rewrite, so an explicit match is required; otherwise every packet passing through that path is translated in the same way. Currently iptables supports neither variables nor "and"/"or" combinations of conditions, so it is far from Cisco's NAT flexibility.
In Cisco's implementation, dynamic NAT is similar to the Linux iptables implementation, but the match is separated out: the match is the access-list and the action is a pool, which corresponds to an iptables target. As for inside and outside, Cisco only defines these roles for interfaces, not for the core. Cisco static NAT can be understood as the following logic: translate source address A to source address B, and in the reverse direction translate destination address B back to A! This is an imperative sentence, not a conditional sentence as in Linux iptables. Therefore Cisco static NAT is valid in both directions: if it is inside source NAT, the mapping takes effect immediately, and the equivalent outside destination NAT is added as well. Cisco dynamic NAT, on the other hand, must restrict the direction in which traffic is initiated.
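As an added illustration (not part of the original article), the following Python model contrasts the two designs just described: a Cisco-style static mapping that is bidirectional from configuration time, versus an iptables-style match/target rule whose reverse direction only exists through connection tracking. Interface names, addresses and the SNAT rule are constructed sample values.

```python
from dataclasses import dataclass, replace

@dataclass
class Packet:
    src: str
    dst: str
    iface: str  # interface the packet enters or leaves by (constructed names)

class CiscoStaticNat:  # 'ip nat inside source static': two tables filled at config time
    def __init__(self, inside, outside):
        self.inside, self.outside, self.in2out, self.out2in = inside, outside, {}, {}
    def add_static(self, local, global_):
        self.in2out[local] = global_   # inside -> outside: rewrite source
        self.out2in[global_] = local   # outside -> inside: rewrite destination
    def translate(self, pkt):
        if pkt.iface == self.inside and pkt.src in self.in2out:
            return replace(pkt, src=self.in2out[pkt.src])
        if pkt.iface == self.outside and pkt.dst in self.out2in:
            return replace(pkt, dst=self.out2in[pkt.dst])
        return pkt  # no entry: packet passes untouched

class LinuxNat:  # iptables-style: ordered (match, target) rules plus a conntrack table
    def __init__(self):
        self.rules, self.conntrack = [], {}
    def add_rule(self, match, target):
        self.rules.append((match, target))
    def translate(self, pkt):
        reply = self.conntrack.get((pkt.src, pkt.dst))  # reply of a tracked flow?
        if reply:
            return replace(pkt, **reply)
        for match, target in self.rules:  # first matching rule's target wins
            if match(pkt):
                new = target(pkt)
                self.conntrack[(new.dst, new.src)] = {"src": pkt.dst, "dst": pkt.src}
                return new
        return pkt  # nothing matched: unlike Cisco, there is no global table to consult

def demo():
    cisco = CiscoStaticNat(inside="Gi0/0", outside="Gi0/1")
    cisco.add_static("10.0.0.5", "203.0.113.5")
    linux = LinuxNat()  # only the SNAT rule from the article's first iptables line
    linux.add_rule(lambda p: p.iface == "eth1" and p.src == "10.0.0.5",
                   lambda p: replace(p, src="203.0.113.5"))
    # unsolicited inbound packet to the global address, no prior flow
    cisco_in = cisco.translate(Packet("198.51.100.9", "203.0.113.5", "Gi0/1")).dst
    linux_in = linux.translate(Packet("198.51.100.9", "203.0.113.5", "eth1")).dst
    out = linux.translate(Packet("10.0.0.5", "198.51.100.9", "eth1"))  # egress SNAT
    reply = linux.translate(Packet("198.51.100.9", out.src, "eth1")).dst  # conntrack
    return {"cisco_in": cisco_in, "linux_in": linux_in, "out_src": out.src, "reply": reply}
```

The Cisco model rewrites the unsolicited inbound packet to 10.0.0.5 immediately, while the Linux model leaves it at 203.0.113.5 until a second DNAT rule is added; only replies to an existing outbound flow are de-translated by conntrack.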
Finally, let's look at the NAT diagrams for Cisco and Linux:
A. Cisco NAT:


B. Linux NAT:
