Static stateless 2-way NAT on Linux with iptables application instance, statelessiptables

Source: Internet
Author: User

In the past few days I completed a static stateless 2-way NAT and wrote several articles about it, but those focused on theoretical analysis. This article shows an application instance.

Before presenting the instance, let me note how a static stateless 2-way NAT differs from Linux's native conntrack-based NAT. First, a static stateless 2-way NAT does not limit the number of connections: since it does not need to maintain connection state, there is no maximum table size. Second, if the static stateless 2-way NAT algorithm is well designed, it is more efficient.

While traveling in Changchun and Harbin I wondered whether this stateless method could also be used to implement a NAPT. It turned out to be difficult, because at the TCP/IP protocol level the 5-tuple of a given connection cannot change while the connection lasts (UDP depends on the situation), so a NAPT has to recognize a connection in order to keep the mapping of 5-tuples unique. That is no longer stateless but stateful. An example illustrates the problem: suppose the 5-tuple of connection A is mapped to {sip-1, dip-1, tcp, sport-1, dport-1} and the connection is closed afterwards. What happens if a new TCP connection with the same 5-tuple arrives a long time later? The solution is to keep a timer for each entry, and at that point it is better to use conntrack NAT directly....
First, a simple topology:

    <Client> eth0: 192.168.10.1
        |
        |
    eth0: 192.168.10.254
    <FWD> [nat box]
    eth1: 192.168.184.254
        |
        |
    eth0: 192.168.184.1
    <FWD>
    eth1: 192.168.1.1
        |
        |
    <Server> eth0: 192.168.1.8
In this topology I want the client to fetch a web page from 1.2.1.2, where 1.2.1.2 is mapped to the server; in addition, port 12345 is mapped to port 80. This mapping is completely stateless and is done by my static stateless 2-way NAT.
Before I completed the iptables interface, I used a procfs interface. At that time the dev (interface) option was not yet supported. The commands were as follows:
echo '+ 1.2.1.2 192.168.1.8 dst tcp port-map 12345 80' >/proc/net/static_nat
echo '+ 192.168.184.250 192.168.184.154 src tcp' >/proc/net/static_nat
Later, with the more convenient iptables interface, things changed: I can now configure the rules with the familiar iptables command. I still place the rules in the nat table:
root@abcd:~# iptables-save
# Generated by iptables-save v1.4.21 on Sun Dec 28 03:23:22 2014
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [1484:204554]
-A PREROUTING -j STATIC-2-WAY-NAT --mapaddr 192.168.184.250-192.168.184.154 --type src --proto all --mapport 0-0 --dev eth1
-A POSTROUTING -j STATIC-2-WAY-NAT --mapaddr 1.2.1.2-192.168.1.8 --type dst --proto tcp --mapport 12345-80 --dev eth0
COMMIT
# Completed on Sun Dec 28 03:23:22 2014
root@abcd:~#
In addition to configuration, I also keep statistics so I can see how many packets and how many bytes have passed through the NAT. They can be viewed as follows:
root@abcd:~# cat /proc/net/static_nat
Source trans table:
From: 192.168.184.250 To: 192.168.184.154 [all static] [eth1] [Bytes: 1080 Packet: 23]
From: 192.168.1.8 To: 1.2.1.2 [tcp auto] Port map [From: 80 To: 12345] [eth0] [Bytes: 124 Packet: 3]

Destination trans table:
From: 1.2.1.2 To: 192.168.1.8 [tcp static] Port map [From: 12345 To: 80] [eth0] [Bytes: 180 Packet: 4]
From: 192.168.184.154 To: 192.168.184.250 [all auto] [eth1] [Bytes: 5348 Packet: 90]
root@abcd:~#
The granularity of the statistics display matters. Of course it would be nice to show exactly which packets went through NAT and print full per-packet details, but that would cost a lot of time and space, so one has to choose between the two.
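As an added example (not part of the original article and not the author's kernel module), the following Python model shows how the two rules above translate packets in both directions without consulting any per-connection state, and renders the same statistics tables as /proc/net/static_nat. It assumes that each static rule also installs an "auto" reverse entry in the opposite table, that the reverse entry inherits the rule's interface, and that a packet is checked against the destination table before the source table; the packet headers in the usage are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Entry:
    frm: str
    to: str
    proto: str                              # 'tcp', 'udp' or 'all'
    auto: bool                              # False: static rule, True: derived reverse entry
    dev: str
    pmap: Optional[Tuple[int, int]] = None  # (from_port, to_port); None = no port map
    nbytes: int = 0
    npkts: int = 0

class StaticNat:
    def __init__(self):
        self.src, self.dst = [], []         # source / destination trans tables
    def add(self, mapaddr, typ, proto, dev, mapport=(0, 0)):
        # Assumption: a static rule yields one static entry plus an 'auto' reverse
        # entry in the other table; the reverse entry makes the mapping 2-way.
        a, b = mapaddr
        pmap = None if tuple(mapport) == (0, 0) else tuple(mapport)
        fwd = Entry(a, b, proto, False, dev, pmap)
        rev = Entry(b, a, proto, True, dev, (pmap[1], pmap[0]) if pmap else None)
        table, other = (self.dst, self.src) if typ == 'dst' else (self.src, self.dst)
        table.append(fwd)
        other.append(rev)
    def translate(self, pkt):
        # Rewrite one header (a dict): destination table first, then source table.
        out = dict(pkt)
        for table, addr, port in ((self.dst, 'dip', 'dport'), (self.src, 'sip', 'sport')):
            for e in table:
                if (e.dev == out['dev'] and e.frm == out[addr] and e.proto in ('all', out['proto'])
                        and (e.pmap is None or e.pmap[0] == out[port])):
                    out[addr] = e.to
                    if e.pmap:
                        out[port] = e.pmap[1]
                    e.nbytes, e.npkts = e.nbytes + pkt['len'], e.npkts + 1
                    break
        return out
    def dump(self):
        # Render both tables in the layout of /proc/net/static_nat shown above.
        lines = []
        for name, table in (('Source', self.src), ('Destination', self.dst)):
            lines.append(f'{name} trans table:')
            for e in table:
                pm = f' Port map [From: {e.pmap[0]} To: {e.pmap[1]}]' if e.pmap else ''
                lines.append(f'From: {e.frm} To: {e.to} [{e.proto} {"auto" if e.auto else "static"}]'
                             f'{pm} [{e.dev}] [Bytes: {e.nbytes} Packet: {e.npkts}]')
        return '\n'.join(lines)
```

A request to 1.2.1.2:12345 on eth0 is rewritten to 192.168.1.8:80, and the reply from 192.168.1.8:80 is rewritten back to 1.2.1.2:12345 by the auto entry, so both directions work without a lookup of any connection record.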