Inserting a NAT solution into a network where it is not the gateway

I have tried a few different approaches. Currently I am trying it with pf on FreeBSD 8.2.

I am trying to insert a NAT solution into an existing network. It should redirect traffic from an outside IP address to an inside IP address on all ports (static NAT), but I also want to translate the source address.

Current network:

hosta
192.168.1.2/24 

gw
192.168.1.1/24

outsidehost
10.0.0.1/24 

natbox
em0 192.168.1.3/24 (used to manage the box)
em1 10.0.0.2/24 (outside address same lan as outsidehost)
em0_alias0 192.168.1.4/24 (inside address same lan as hosta)
route 192.168.1.0/24 192.168.1.1
route 0.0.0.0 0.0.0.0 10.0.0.1

I want externalhost to be able to telnet to 192.168.1.3 by telnetting to 10.0.0.2.

To do that, I assume I have to change the source of the packet as it leaves em0, otherwise it will get lost on its way back to em1.

So the flow would be:

  • telnet from the outside host to 10.0.0.2
  • change the source address to 192.168.1.4
  • redirect the traffic for 10.0.0.2 to 192.168.1.2
  • the packet leaves with src 192.168.1.4, goes to 192.168.1.2, is sent back to 192.168.1.4 and is then translated back to the original source address, in this case 10.0.0.1

I keep thinking this can be done with binat and rdr, but I cannot work out the syntax.

How can I get this done?
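A pf.conf that does what the question describes, added here as an illustration and not taken from the original post or from the answer below. It assumes the topology listed above (outsidehost 10.0.0.1, outside VIP 10.0.0.2 on em1, inside alias 192.168.1.4 on em0, hosta 192.168.1.2 as the redirect target) and the pre-OpenBSD-4.7 nat/rdr grammar that the pf in FreeBSD 8.2 uses; the macro names are mine. It uses rdr plus nat rather than binat: binat maps one inside address to one outside address in both directions, but it does not rewrite the source of the inbound leg, and that rewrite is exactly the step the question needs.

```pf
# /etc/pf.conf on natbox (FreeBSD 8.2 pf, pre-4.7 translation grammar).
# Added example: macro names and the choice of hosta as target are assumptions.
ext_if       = "em1"           # 10.0.0.2, same LAN as outsidehost
int_if       = "em0"           # 192.168.1.3 (management) plus alias 192.168.1.4
outside_host = "10.0.0.1"
outside_vip  = "10.0.0.2"
inside_vip   = "192.168.1.4"   # em0_alias0, the source we present to hosta
inside_host  = "192.168.1.2"   # hosta

set skip on lo0

# Translation rules must come before filter rules in pf.conf.

# Inbound on em1: every packet from outsidehost to the outside VIP is
# redirected to hosta, any protocol, any port (static NAT of all ports).
rdr on $ext_if from $outside_host to $outside_vip -> $inside_host

# Outbound on em0: the same packets leave with their source rewritten to the
# inside alias. Without this hosta would answer 10.0.0.1 through its default
# gateway 192.168.1.1 and the reply would never come back through natbox.
nat on $int_if from $outside_host to $inside_host -> $inside_vip

# Filter rules see the translated addresses: post-rdr on the way in,
# post-nat on the way out. Only outsidehost is allowed in on em1.
block in on $ext_if all
pass in quick on $ext_if from $outside_host to $inside_host keep state
pass out quick on $int_if from $inside_vip to $inside_host keep state

# Management of natbox itself from the inside LAN keeps working.
pass in quick on $int_if from 192.168.1.0/24 to ($int_if) keep state
```

Turn on forwarding with `sysctl net.inet.ip.forwarding=1` (and put it in /etc/sysctl.conf so it survives a reboot), load the rules with `pfctl -f /etc/pf.conf` and enable pf with `pfctl -e`. After the first telnet from outsidehost, `pfctl -s state` should list a state for the connection; if hosta never answers, check that the nat rule on $int_if actually matched, because a reply addressed to 10.0.0.1 from hosta goes to 192.168.1.1, not to natbox.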

Answer 1

I ended up doing this with iptables on Linux.

For this, IP forwarding has to be turned on:

echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
sysctl -p
# the sysctl.conf entry alone only takes effect at the next boot;
# sysctl -p applies it now.

and set the following rules:

iptables -F -t nat
# flush the NAT table.
iptables -t nat -P INPUT DROP
# set the INPUT chain on the NAT table to DROP by default.
# This way any traffic not allowed by defining a source address gets dropped.
# If you don't provide a -s address below it will allow all hosts from anywhere
# to reach the inside address via the outside ip.
# Note: the nat table is only consulted for the first packet of a connection,
# so access control for the forwarded traffic really belongs in the filter
# table (FORWARD chain); the rules here only decide how to translate.

iptables -t nat -A PREROUTING -s 10.0.0.1 -d 10.0.0.2 \
         -j DNAT --to-destination 192.168.1.3
# define the source and destination of the traffic allowed through.
# Change the dest address to our inside host.
# (DNAT takes --to-destination; --destination-address is not a valid option.)

iptables -t nat -A INPUT -s 192.168.1.0/24 -j ACCEPT
# Accept traffic from the inside subnet that is addressed to the box itself;
# anything else reaching the nat INPUT chain hits the DROP policy above.
# This won't apply to traffic that matches the rule above
# as the source address will change in the next rule.
# (Corrected from "iptable ... -s 192.168.0.0/24 -J ALLOW": binary name,
# subnet, flag case and target; ALLOW is not an iptables target.)

iptables -t nat -A POSTROUTING -d 192.168.1.3 \
         -j SNAT --to-source 192.168.1.4
# here is the insert magic. Change the source address of any traffic destined
# for our inside host to our vip or owned inside address.
# This way the traffic is routed back to us at the FW.
# (SNAT takes --to-source; --source-address is not a valid option.)
