NAT: How To Mangle The Packets
Source: Internet  Published: digital repair software  Editor: 程序博客网  Time: 2024/05/12 06:08
6. Saying How To Mangle The Packets
So now we know how to select the packets we want to mangle. To complete our rule, we need to tell the kernel exactly what we want it to do to the packets.
6.1 Source NAT
You want to do Source NAT; change the source address of connections to something different. This is done in the POSTROUTING chain, just before it is finally sent out; this is an important detail, since it means that anything else on the Linux box itself (routing, packet filtering) will see the packet unchanged. It also means that the `-o' (outgoing interface) option can be used.
Source NAT is specified using `-j SNAT', and the `--to-source' option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).
## Change source addresses to 1.2.3.4.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6

## Change source addresses to 1.2.3.4, ports 1-1023
# iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023
Masquerading
There is a specialized case of Source NAT called masquerading: it should only be used for dynamically-assigned IP addresses, such as standard dialups (for static IP addresses, use SNAT above).
You don't need to put in the source address explicitly with masquerading: it will use the source address of the interface the packet is going out from. But more importantly, if the link goes down, the connections (which are now lost anyway) are forgotten, meaning fewer glitches when the connection comes back up with a new IP address.
## Masquerade everything out ppp0.
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
6.2 Destination NAT
This is done in the PREROUTING chain, just as the packet comes in; this means that anything else on the Linux box itself (routing, packet filtering) will see the packet going to its `real' destination. It also means that the `-i' (incoming interface) option can be used.
Destination NAT is specified using `-j DNAT', and the `--to-destination' option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).
## Change destination addresses to 5.6.7.8
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8

## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10

## Change destination addresses of web traffic to 5.6.7.8, port 8080.
# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 \
        -j DNAT --to 5.6.7.8:8080
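The ordering described in 6.1 and 6.2, as an added example that is not part of the original HOWTO: a toy Python model of a forwarded packet passing PREROUTING (DNAT), the packet filter, then POSTROUTING (SNAT), using two of the rules shown above. The interface roles, the client and LAN addresses, the DROP default and all function names are assumptions made for the illustration.

```python
"""Toy model: a forwarded packet crosses PREROUTING, the filter, POSTROUTING."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    in_if: str    # interface the packet arrived on
    out_if: str   # interface routing will pick (fixed up front in this model)
    src: str
    dst: str
    dport: int


def prerouting(p):
    # Page rule: -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 5.6.7.8:8080
    if p.in_if == "eth0" and p.dport == 80:
        return replace(p, dst="5.6.7.8", dport=8080)
    return p


def postrouting(p):
    # Page rule: -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
    if p.out_if == "eth0":
        return replace(p, src="1.2.3.4")
    return p


def traverse(p, filter_rules):
    """Return (verdict, packet as the filter saw it, packet as sent or None)."""
    seen = prerouting(p)                       # DNAT is applied before filtering
    if not any(rule(seen) for rule in filter_rules):
        return "DROP", seen, None              # assumed default policy: DROP
    return "ACCEPT", seen, postrouting(seen)   # SNAT is applied after filtering


# Constructed packets: eth0 faces outside (public address 1.2.3.4), eth1 the LAN.
INBOUND = Packet("eth0", "eth1", "198.51.100.7", "1.2.3.4", 80)
OUTBOUND = Packet("eth1", "eth0", "192.168.1.5", "198.51.100.7", 443)

# Candidate filter rules, written as predicates on the packet the filter sees.
def to_public_web(p): return p.dst == "1.2.3.4" and p.dport == 80
def to_real_web(p): return p.dst == "5.6.7.8" and p.dport == 8080
def from_lan(p): return p.src.startswith("192.168.1.")
def from_public(p): return p.src == "1.2.3.4"

if __name__ == "__main__":
    for pkt, rule in [(INBOUND, to_public_web), (INBOUND, to_real_web),
                      (OUTBOUND, from_lan), (OUTBOUND, from_public)]:
        print(rule.__name__, traverse(pkt, [rule])[0])
```

A filter rule written against the public address and port 80, or against the SNAT address 1.2.3.4 as a source, never matches in this model, because neither value is what the filter sees.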
Redirection
There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface.
## Send incoming port-80 web traffic to our squid (transparent) proxy
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
        -j REDIRECT --to-port 3128
Note that squid needs to be configured to know it's a transparent proxy!
Based on Linux kernel 2.4.
Taken directly from: http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html