
Reference: http://forums.gentoo.org/viewtopic-t-826825-start-0.html


Full cone

# outgoing: rewrite packets leaving eth0 from {source port} so they appear to come from the NAT's public address
#iptables -t nat -A POSTROUTING -o eth0 -p udp --sport {source port} -j SNAT --to-source {NAT public ip}

# incoming: anything arriving on eth0 for {destination port} is forwarded to the client, whoever sent it
#iptables -t nat -A PREROUTING -i eth0 -p udp --dport {destination port} -j DNAT --to-destination {Client ip}


Symmetric

Just configure MASQUERADE.



The original post follows:

I think the Wikipedia page makes those distinctions a little clearer: 
http://en.wikipedia.org/wiki/Network_address_translation#Types_of_NAT 
I will be working on these definitions, which I take to be equivalent to yours. 

I disagree with Pedro Gonçalves's rules. In the Full Cone NAT rules he provides, he doesn't match ports, and so it seems as though all traffic coming in on eth0 would be forwarded through to 10.0.0.1 and all traffic leaving eth0 would be SNAT sourced from 192.168.2.170, regardless of port. The specifications specifically mention a particular port. 

I also expanded on Pedro Gonçalves's naming convention by adding interface names and host names: 
Public, 192.168.2.170, $EXTIF, router.network 
Private, 10.0.0.1, $INTIF, inner.network 
Port is $P in all cases (although it wouldn't have to be). 

The way I comprehend the question, a port number $P is given and must be a part of the rules. 

I don't think these rules are perfect; I'm the least sure about the restricted cones. Nevertheless I think it will move you in the right direction. 

Full cone NAT 
this covers outgoing traffic which should be rewritten to appear to come from router.network:$P. 1 ea. for UDP, TCP 

Code:
iptables -t nat -A POSTROUTING -o $EXTIF -p tcp --sport $P -j SNAT --to-source 192.168.2.170 
iptables -t nat -A POSTROUTING -o $EXTIF -p udp --sport $P -j SNAT --to-source 192.168.2.170


now we need the reverse direction, incoming traffic on $P is forwarded to 10.0.0.1 

Code:
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport $P -j DNAT --to-destination 10.0.0.1 
iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport $P -j DNAT --to-destination 10.0.0.1



[Address] Restricted Cone Nat 
Here we reject incoming packets that aren't already established. First we need the rules above. Then we need an INPUT rule that will match incoming connections on $EXTIF:$P 
and accept only those which are connected already. Thus the connection must be instigated by inner.network. 

Code:

# previous rules (the static mapping inner.network:$P <-> router.network:$P) 
iptables -t nat -A POSTROUTING -o $EXTIF -p tcp --sport $P -j SNAT --to-source 192.168.2.170 
iptables -t nat -A POSTROUTING -o $EXTIF -p udp --sport $P -j SNAT --to-source 192.168.2.170 
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport $P -j DNAT --to-destination 10.0.0.1 
iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport $P -j DNAT --to-destination 10.0.0.1 
# FILTER rules to drop, rather than forward, new connections 
# we accept already established connections (These are only necessary if default policy is not ACCEPT) 
iptables -A INPUT -i $EXTIF -p tcp --dport $P -m state --state ESTABLISHED,RELATED -j ACCEPT 
iptables -A INPUT -i $EXTIF -p udp --dport $P -m state --state ESTABLISHED,RELATED -j ACCEPT 
# now rules to drop the packets otherwise (only necessary if default policy is not DROP) 
iptables -A INPUT -i $EXTIF -p tcp --dport $P -m state --state NEW -j DROP 
iptables -A INPUT -i $EXTIF -p udp --dport $P -m state --state NEW -j DROP 



Port Restricted Cone Nat 
This is the same as the above, except we also check the source port on the INPUT chain. 

Code:

# previous rules (the static mapping inner.network:$P <-> router.network:$P) 
iptables -t nat -A POSTROUTING -o $EXTIF -p tcp --sport $P -j SNAT --to-source 192.168.2.170 
iptables -t nat -A POSTROUTING -o $EXTIF -p udp --sport $P -j SNAT --to-source 192.168.2.170 
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport $P -j DNAT --to-destination 10.0.0.1 
iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport $P -j DNAT --to-destination 10.0.0.1 
# FILTER rules to drop, rather than forward, new connections 
# we accept already established connections (These are only necessary if default policy is not ACCEPT) 
iptables -A INPUT -i $EXTIF -p tcp --sport $P --dport $P -m state --state ESTABLISHED,RELATED -j ACCEPT 
iptables -A INPUT -i $EXTIF -p udp --sport $P --dport $P -m state --state ESTABLISHED,RELATED -j ACCEPT 
# now rules to drop the packets otherwise (only necessary if default policy is not DROP) 
iptables -A INPUT -i $EXTIF -p tcp --dport $P -m state --state NEW -j DROP 
iptables -A INPUT -i $EXTIF -p udp --dport $P -m state --state NEW -j DROP 



Symmetric NAT 
It seems that this could be called 'Full Nat' or 'Masquerading'. New connections are never forwarded through router.network to inner.network, but new connections are dynamically mapped to ports on $EXTIF. This is pretty complicated, but the iptables rule is very easy. 

Code:

# no other rules are required for this.  
iptables -t nat -I POSTROUTING -s 10.0.0.1 -o $EXTIF  -j MASQUERADE 
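As an added example that is neither the forum poster's nor the blog author's code, the following POSIX shell script generates the rule set for all four NAT types summarised at the top of this page and worked through in the post above (full cone, address-restricted cone, port-restricted cone, symmetric). Three design points differ from the post: the filtering rules live in the FORWARD chain, because a packet that was DNAT'd in PREROUTING is routed on to the inner host and never enters INPUT; address restriction uses the xt_recent match keyed on the destination address of outgoing packets, since conntrack keys on the whole tuple and an ESTABLISHED match therefore already gives port-restricted behaviour; and the symmetric variant uses MASQUERADE --random so the external port is derived from a hash of the flow rather than reusing the inner port, which is what makes the mapping differ per destination. The interface names, addresses and port 5060 are assumptions, overridable through the environment. With DRY_RUN=1 (the default) the script only prints the rules, so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the forum post): emit the iptables rules for each NAT
# type. Filtering is done in FORWARD, because a packet DNAT'd in PREROUTING is
# routed on to the inner host and never enters INPUT.
# Assumed (hypothetical) topology, override via the environment:
EXTIF=${EXTIF:-eth0}            # public-facing interface
INTIF=${INTIF:-eth1}            # interface towards inner.network
PUB=${PUB:-192.168.2.170}       # router.network's address on $EXTIF
INNER=${INNER:-10.0.0.1}        # inner.network
P=${P:-5060}                    # the port being mapped
DRY_RUN=${DRY_RUN:-1}           # 1 = print rules, 0 = apply them (needs root)

rule() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Static mapping shared by the three cone types: inner:$P <-> pub:$P, both
# directions, TCP and UDP. The explicit port on --to-source pins the external
# port to $P instead of letting the kernel pick another one on collision.
cone_mapping() {
    for proto in tcp udp; do
        rule -t nat -A POSTROUTING -o "$EXTIF" -s "$INNER" -p "$proto" --sport "$P" \
             -j SNAT --to-source "$PUB:$P"
        rule -t nat -A PREROUTING -i "$EXTIF" -p "$proto" --dport "$P" \
             -j DNAT --to-destination "$INNER:$P"
    done
}

# Filtering policy for the mapping above. $1 selects the cone type:
#   full : any external host may send to pub:$P
#   addr : only hosts inner previously sent to, from any port; tracked with
#          xt_recent, keyed on the destination address of outgoing packets
#   port : only the exact host:port inner previously sent to; conntrack keys
#          on the full tuple, so an ESTABLISHED match gives this for free
cone_filter() {
    mode=$1
    for proto in tcp udp; do
        egress="-A FORWARD -i $INTIF -o $EXTIF -s $INNER -p $proto --sport $P"
        ingress="-A FORWARD -i $EXTIF -o $INTIF -d $INNER -p $proto --dport $P"
        case $mode in
        full)
            rule $egress -j ACCEPT
            rule $ingress -j ACCEPT ;;
        addr)
            rule $egress -m recent --name "peers_$proto" --set --rdest -j ACCEPT
            rule $ingress -m recent --name "peers_$proto" --rcheck --rsource -j ACCEPT ;;
        port)
            rule $egress -j ACCEPT
            rule $ingress -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ;;
        *)  echo "unknown cone type: $mode" >&2; return 2 ;;
        esac
        rule $ingress -j DROP      # anything else arriving on $P from outside
    done
}

# Symmetric: no fixed mapping. --random derives the external port from a hash
# of the flow, so the same inner port maps to different external ports for
# different peers; plain MASQUERADE would keep the inner port while it is free.
# Only replies to flows that inner started are let back in.
symmetric_rules() {
    rule -t nat -A POSTROUTING -o "$EXTIF" -s "$INNER" -j MASQUERADE --random
    rule -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INNER" -j ACCEPT
    rule -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$INNER" \
         -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$INNER" -j DROP
}

nat_rules() {
    case $1 in
    full|addr|port) cone_mapping && cone_filter "$1" ;;
    symmetric)      symmetric_rules ;;
    *) echo "usage: nat_rules full|addr|port|symmetric" >&2; return 2 ;;
    esac
}

# Usage: DRY_RUN=1 sh nat.sh port   (review)   DRY_RUN=0 sh nat.sh port   (apply)
if [ $# -gt 0 ]; then nat_rules "$1"; fi
```

Applying the rules for real also needs net.ipv4.ip_forward=1 and a FORWARD chain whose default policy (or earlier rules) does not already accept everything; the DROP rule at the end of each cone block only has effect if nothing before it accepted the packet. The xt_recent table used by the addr mode has a bounded size (the module's ip_list_tot parameter), so on a busy gateway old peers age out of the list.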


