● 9. Mixing NAT and Packet Filtering - 荔园在线 | 深圳大学学生论坛,荔园晨风BBS,深大在线网站

荔园之美，在春之萌芽，在夏之绽放，在秋之收获，在冬之沉淀

发信人: georgehill (清风浮云人生), 信区: Linux
标  题: 9. Mixing NAT and Packet Filtering
发信站: BBS 荔园晨风站 (Thu Oct 12 07:26:52 2000), 站内信件

【以下文字转载自 georgehill 的信箱】
【原文由 georgehill.bbs@smth.org 所发表】
发信人: zixia (Do you zixia tonight), 信区: Linux
标  题: 9. Mixing NAT and Packet Filtering
发信站: BBS 水木清华站 (Wed Oct 11 01:18:28 2000) WWW-POST

   Next Previous Contents

     ----------------------------------------------------------------------

9. Mixing NAT and Packet Filtering
he

   It's common to want to do Network Address Translation (see the NAT HOWTO)
   and packet filtering. The good news is that they mix extremely well.

   You design your packet filtering completely ignoring any NAT you are
   doing. The sources and destinations seen by the packet filter will be the
   `real' sources and destinations. For example, if you are doing DNAT to
   send any connections to 1.2.3.4 port 80 through to 10.1.1.1 port 8080,
the
   packet filter would see packets going to 10.1.1.1 port 8080 (the real
   destination), not 1.2.3.4 port 80. Similarly, you can ignore
masquerading:
   packets will seem to come from their real internal IP addresses (say
   10.1.1.1), and replies will seem to go back there.

   You can use the `state' match extension without making the packet filter
   do any extra work, since NAT requires connection tracking anyway. To
   enhance the simple masquerading example in the NAT HOWTO to disallow any
   new connections from coming in the ppp0 interface, you would do this:

# Masquerade out ppp0                                                     s
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

n
# Disallow NEW and INVALID incoming or forwarded packets from ppp0.
iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i ppp0 0 -m state --state NEW,INVALID -j DROP

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

     ----------------------------------------------------------------------

   Next Previous Contents
--
        )))))))))))))))))))))))))))))))))))))))))))))))))))
        ((((((((((((生命的欢喜可以再影印一张吗?((((((((((((
        ))))))))))))老去的热情可以再拉皮整形吗?))))))))))))
        ((((((((((((病中的真理可以再传真校对吗?((((((((((((
        ))))))))))))死掉的爱情可以再输入键出吗?))))))))))))
        (((((((((((((((((((((((((((((((((((((((((((((((((((

※ 来源:·BBS 水木清华站 smth.org·[FROM: 202.112.45.49]
--
※ 转载:·BBS 荔园晨风站 bbs.szu.edu.cn·[FROM: 192.168.1.115]

荔园在线首页友情链接：深圳大学深大招生荔园晨风BBS S-Term软件网络书店