Small c to learn Linux (33)--NAT network address translation of iptables

Reference: http://www.hillstonenet.com/support/5.0/cn/xd4xdaxcfxdfxb0xefxd6xfa.htm#config_nat_intro.html

Introduction to Network Address Translation (NAT)

Network Address Translation, or NAT for short, is a technique that rewrites an IP address in an IP packet header into another IP address. When an IP packet passes through a router or security gateway, that device translates the source IP address and/or the destination IP address of the packet. In practice, NAT is mainly used when a private network accesses an external network, or when an external network accesses a private network. NAT has the following advantages:

  • By using a small number of public IP addresses to represent a large number of private IP addresses, NAT slows the depletion of the available IP address space.
  • NAT hides the private network from the outside, which helps protect it.

Private networks generally use private addresses. The three types of private addresses specified in RFC1918 are as follows:

  • Class A: 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
  • Class B: 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
  • Class C: 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

Addresses in the above three ranges are never allocated on the public Internet, so they can be used freely within a company or enterprise without applying to an ISP (Internet Service Provider) or a registry.

The basic translation process of NAT

When the security gateway performs the NAT function, it sits at the boundary between the public network and the private network. The following figure describes the basic translation process of NAT:

[figure: basic NAT translation process]

As shown in the figure above, the security gateway sits at the junction of the private network and the public network. When the internal PC (10.1.1.2) sends IP packet 1 to the external server (202.1.1.2), the packet passes through the security gateway. The gateway inspects the packet header, finds that the packet is destined for the public network, replaces the source address 10.1.1.2 of packet 1 with the public address 202.1.1.1 (which is routable on the Internet), forwards the packet to the external server, and at the same time records this mapping in its network address translation table. The external server sends response packet 2 (whose initial destination address is 202.1.1.1) back towards the internal PC. When packet 2 reaches the security gateway, the gateway inspects the packet header again, looks up the current network address translation table, and replaces the destination address with the private address 10.1.1.2. Throughout this process the security gateway is transparent to both the PC and the server. The external server believes the address of the internal PC is 202.1.1.1 and never learns the address 10.1.1.2. In this way, NAT "hides" the enterprise's private network.

Adding address translation with iptables

iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 202.1.1.1

NAT function of the security gateway

The NAT function of the security gateway replaces the IP address and port of an internal host with the external address and port of the gateway for outbound traffic, and translates the gateway's external address and port back into the internal host's IP address and port for inbound traffic. In other words, it converts between "private address + port" and "public address + port".

The security gateway implements the NAT function by creating and executing NAT rules. There are two types of NAT rules: source NAT rules (SNAT rules) and destination NAT rules (DNAT rules). SNAT translates the source IP address, to hide internal IP addresses or to share a limited number of public IP addresses; DNAT translates the destination IP address, usually mapping a public IP address to the IP address of an internal server (such as a web server or SMTP server) protected by the security gateway.

Source address translation: SNAT --to-source SIP, added to the POSTROUTING chain
Destination address translation: DNAT --to-destination DIP[:PORT] (a port may be given), added to the PREROUTING chain


For example, if my web server is 192.168.21.12 and its port number is 8080, then the destination address translation rule is:

iptables -t nat -A PREROUTING -d 172.16.100.7 -p tcp --dport 22022 -j DNAT --to-destination 192.168.20.12:8080
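To make the two rule types concrete, the following is an added example (my own code, not from the original post or from the Hillstone documentation it references) that models a NAT gateway's translation table in Python. It covers both the outbound SNAT process described above (packet 1 from 10.1.1.2 leaving as 202.1.1.1, and packet 2 being translated back) and the inbound DNAT rule for the web server. The class and method names (NatGateway, Tuple5, translate, iptables_rules), the client address 203.0.113.5 and the port numbers 40000 and 51000 are constructed for the demonstration; the private range 192.168.0.0/16 attached to the DNAT gateway is an assumption; and port allocation starting at 1024 is a simplification of the kernel's real ephemeral-port selection. Interface matching (-i/-o) is not modelled.

```python
"""Toy model of a NAT gateway's translation table (added example).

SNAT: a private source leaving for a public destination gets the gateway's
public address and a public port.  DNAT: a packet for a published port on the
public address is redirected to the internal server.  Every translation is
recorded in both directions so that replies are translated back automatically.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Tuple5:
    """The 5-tuple a NAT table is keyed on (hypothetical name for this example)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Tuple5":
        """The same connection as seen from the other side."""
        return Tuple5(self.proto, self.dst, self.dport, self.src, self.sport)


class NatGateway:
    def __init__(self, public_ip, snat_source_net, dnat_rules, first_port=1024):
        self.public_ip = public_ip
        # Sources eligible for SNAT, like "-s 10.0.0.0/8" in the POSTROUTING rule.
        self.snat_net = ipaddress.ip_network(snat_source_net)
        # (proto, port on public_ip) -> (inside_ip, inside_port), like the DNAT rule.
        self.dnat_rules = dict(dnat_rules)
        # Translation table: tuple as it arrives -> tuple as it is forwarded.
        self.table = {}
        # Simplified ephemeral-port pool used to resolve public-port collisions.
        self.next_port = first_port

    def _install(self, arriving: Tuple5, forwarded: Tuple5) -> None:
        """Record a flow so that packets in both directions are translated."""
        self.table[arriving] = forwarded
        self.table[forwarded.reverse()] = arriving.reverse()

    def _public_port(self, proto, wanted, dst, dport) -> int:
        """Keep the host's own source port unless another internal host already
        uses it towards the same destination; then pick a fresh one."""
        candidate = wanted
        while Tuple5(proto, dst, dport, self.public_ip, candidate) in self.table:
            candidate = self.next_port
            self.next_port += 1
        return candidate

    def translate(self, pkt: Tuple5) -> Tuple5:
        """Return the packet as the gateway forwards it.  A packet that matches
        no rule and no existing entry is forwarded unchanged."""
        if pkt in self.table:  # established flow, either direction (conntrack first)
            return self.table[pkt]
        # DNAT (PREROUTING): inbound to a published service on the public address.
        rule = self.dnat_rules.get((pkt.proto, pkt.dport))
        if pkt.dst == self.public_ip and rule is not None:
            inside_ip, inside_port = rule
            out = Tuple5(pkt.proto, pkt.src, pkt.sport, inside_ip, inside_port)
            self._install(pkt, out)
            return out
        # SNAT (POSTROUTING): private source going to a destination outside the
        # private range.  Traffic between two private hosts is left alone.
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src in self.snat_net and dst not in self.snat_net:
            port = self._public_port(pkt.proto, pkt.sport, pkt.dst, pkt.dport)
            out = Tuple5(pkt.proto, self.public_ip, port, pkt.dst, pkt.dport)
            self._install(pkt, out)
            return out
        return pkt

    def iptables_rules(self) -> list:
        """The iptables commands equivalent to this gateway's configuration."""
        rules = [f"iptables -t nat -A POSTROUTING -s {self.snat_net} "
                 f"-j SNAT --to-source {self.public_ip}"]
        for (proto, port), (ip, iport) in self.dnat_rules.items():
            rules.append(f"iptables -t nat -A PREROUTING -d {self.public_ip} "
                         f"-p {proto} --dport {port} -j DNAT --to-destination {ip}:{iport}")
        return rules


if __name__ == "__main__":
    gw = NatGateway("202.1.1.1", "10.0.0.0/8", {})
    pkt1 = Tuple5("tcp", "10.1.1.2", 40000, "202.1.1.2", 80)  # constructed flow
    print("packet 1 leaves as:", gw.translate(pkt1))
    pkt2 = Tuple5("tcp", "202.1.1.2", 80, "202.1.1.1", 40000)
    print("packet 2 is delivered to:", gw.translate(pkt2))
    print("\n".join(gw.iptables_rules()))
```

Two details are worth noticing. First, existing table entries are consulted before any rule, which is also how the kernel's connection tracking works: the web server's reply to a DNAT'ed connection is rewritten back to the gateway's public address and port without needing a separate rule. Second, when two internal hosts open connections to the same destination from the same source port, the second one cannot reuse that public port, so the gateway has to allocate a different one; this is why NAT operates on "address + port" rather than on addresses alone.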
