Linux 2.4 NAT HOWTO

Author: Rusty Russell, mailing list netfilter@lists.samba.org
Translator: 網中人 (netmanforever@yahoo.com)
v1.0.1 Mon May 1 18:38:22 CST 2000
_________________________________________________________________

This document describes how to do masquerading, transparent proxying, port forwarding, and other forms of Network Address Translation with the 2.4 Linux kernels.
_________________________________________________________________

1. Introduction
2. Where are the official web site and mailing list?
   * 2.1 What is Network Address Translation?
   * 2.2 Why would I want to do NAT?
3. The Two Types of NAT
4. Quick Transition from 2.0 and 2.2 Kernels
   * 4.1 I Just Want Masquerading! Help!
   * 4.2 What about ipmasqadm?
5. Controlling What To NAT
   * 5.1 Simple Selection using iptables
   * 5.2 Finer Points of Selecting What Packets to Mangle
6. Saying How To Mangle The Packets
   * 6.1 Source NAT
   * 6.2 Destination NAT
   * 6.3 Mappings In Further Depth
7. Special Protocols
8. Caveats on NAT
9. Source NAT and Routing
10. Destination NAT onto the Same Network
11. Thanks
_________________________________________________________________

1. Introduction

Welcome, gentle reader.

You are about to delve into the fascinating (and sometimes horrid) world of NAT: Network Address Translation, and this HOWTO is going to be your somewhat-accurate guide for the 2.4 Linux kernel and beyond.

In Linux 2.4, a new framework for mangling* packets has been introduced, called `netfilter'. A layer on top of this provides NAT, completely reimplemented from previous kernels.

(Translator's note: oddly, the original author uses the word "mangle", which I do not seem to have met in earlier Chinese documents, and none of the many dictionaries I checked gave a good translation. For now I reluctantly render it as "撕裂" (tear apart), but later on I will stop trying to translate the word and leave the reader to understand it.)

2. Where are the official web site and mailing list?

There are three official sites:

   * Thanks to Filewatcher [1] (http://netfilter.filewatcher.org).
   * Thanks to The Samba Team and SGI [2] (http://www.samba.org/netfilter).
   * Thanks to Jim Pick [3] (http://netfilter.kernelnotes.org).

For the official netfilter mailing list, see Samba's Listserver [4] (http://lists.samba.org).

2.1 What is Network Address Translation?
Normally, packets on a network travel from their source (such as your home computer) to their destination (such as www.kernelnotes.org) through many different links: about 19 from where I am in Australia. None of these links really alters your packet: they just send it onward.

If one of these links were to do NAT, it would alter the source or destination address of the packets as they pass through. As you can imagine, this is not how the system was designed to work; it is a trick that NAT plays. Usually the link doing NAT remembers how it mangled a packet, and when a reply packet passes through the other way it does the reverse mangling on that reply, so everything works.

2.2 Why would I want to do NAT?

In a perfect world, you would not need to. Meanwhile, the main reasons are:

   Modem connections to the Internet
       Most ISPs give you a single IP address when you dial up to them. You can send out packets with any source address you like, but only replies to packets with this source IP address will return to you. If you want to use multiple different machines (such as a home network) to connect to the Internet through this one link, you need NAT.

       This is by far the most common use of NAT today, commonly known as `masquerading' in the Linux world. I call it SNAT, because you change the source address of the first packet.

   Multiple servers
       Sometimes you want to change where packets heading into your network will go. Frequently this is because (as above) you have only one IP address, but you want people to be able to reach the boxes behind the one with the `real' IP address. If you rewrite the destination of incoming packets, you can manage this.

       A common variation is load-sharing, where the mapping ranges over a set of machines, fanning packets out to them. This type of NAT was called port-forwarding in previous versions of Linux.

   Transparent proxying
       Sometimes you want to pretend that each packet which passes through your Linux box is destined for a program on the Linux box itself. This is used to make transparent proxies: a proxy is a program which stands between your network and the outside world, shuffling communication between the two. The transparent part is that your network need not even know it is talking to a proxy, unless of course the proxy stops working.

       Squid can be configured to work this way; it was called redirection or transparent proxying in previous Linux versions.
3. The Two Types of NAT

I divide NAT into two different types: Source NAT (SNAT) and Destination NAT (DNAT).

Source NAT is when you alter the source address of the first packet: i.e. you are changing where the connection is coming from. Source NAT is always done post-routing, just before the packet goes out onto the wire. Masquerading is a specialized form of SNAT.

Destination NAT is when you alter the destination address of the first packet: i.e. you are changing where the connection is going to. Destination NAT is always done pre-routing, as soon as the packet comes off the wire. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.

4. Quick Transition from 2.0 and 2.2 Kernels

Apologies to those of you still reeling from the 2.0 (ipfwadm) to 2.2 (ipchains) transition. There is good news and bad news.

Firstly, you can simply use ipchains or ipfwadm as before. To do this, you need to load the `ipchains.o' or `ipfwadm.o' kernel module found in the latest netfilter distribution. They are mutually exclusive (you have been warned), and must not be combined with any other netfilter modules.

Once one of these modules is loaded, you can use ipchains and ipfwadm as normal, with the following differences:

   * Setting masquerading timeouts with ipchains -M -S, or ipfwadm -M -s, does nothing. Since the timeout settings have moved into the new NAT infrastructure, this should not matter.
   * The init_seq, delta and previous_delta fields shown in the verbose masquerade listing are always zero.
   * Zeroing and listing counters at the same time with `-Z -L' no longer works: the counters will not be zeroed.

Hackers need to note:

   * You can now bind to ports 61000-65095 even if you are using masquerading. The masquerading code previously assumed that anything in this range was masqueraded, so other programs could not use them.
   * The (undocumented) getsockname hack, by which transparent proxy programs could find out the real destination of connections, no longer works.
   * The (undocumented) bind-to-foreign-address hack is also not implemented; this was used to complete the illusion of transparent proxying.

4.1 I Just Want Masquerading! Help!

Yes, this is what most people want. If you have a dynamically-allocated IP PPP dialup (if you don't know, you do), you simply want to tell your box that all packets coming from your internal network should be made to look like they are coming from the PPP dialup box.

   # Load the NAT module (this pulls in all the others).
   modprobe iptable_nat

   # In the NAT table (-t nat), Append a rule (-A) after routing
   # (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
   # MASQUERADE the connection (-j MASQUERADE).
   iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

   # Turn on IP forwarding
   echo 1 > /proc/sys/net/ipv4/ip_forward

Note that you are not doing any packet filtering here: for that, see the Packet Filtering HOWTO, `Mixing NAT and Packet Filtering'.

4.2 What about ipmasqadm?

This was a fairly user-dependent hack, so I am not too worried about backwards compatibility. You can simply use iptables -t nat to do port forwarding. For example, in Linux 2.2 you might have done:

   # Linux 2.2
   # Forward TCP packets going to port 8080 on 1.2.3.4 to 192.168.1.1's port 80
   ipmasqadm portfw -a -P tcp -L 1.2.3.4 8080 -R 192.168.1.1 80

Now you would do:

   # Linux 2.4
   # Append a rule pre-routing (-A PREROUTING) to the NAT table (-t nat) that
   # TCP packets (-p tcp) going to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080)
   # have their destination mapped (-j DNAT) to 192.168.1.1, port 80
   # (--to 192.168.1.1:80).
   iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 8080 \
       -j DNAT --to 192.168.1.1:80

If you want this rule to also apply to local connections (i.e. a telnet to port 8080 of 1.2.3.4 on the NAT box itself connects you to port 80 of 192.168.1.1), you can insert the same rule into the OUTPUT chain (which applies only to locally-generated packets):

   # Linux 2.4
   iptables -A OUTPUT -t nat -p tcp -d 1.2.3.4 --dport 8080 \
       -j DNAT --to 192.168.1.1:80
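As an added example that is not part of the HOWTO, the following POSIX shell script turns the 4.1 masquerading recipe and the 4.2 port forward into functions and adds the FORWARD-chain filtering that the note after 4.1 says is left out. IPT, the interface names and the addresses passed in are assumptions; setting IPT=echo gives a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example (not from the HOWTO): masquerading (4.1) and port forwarding
# (4.2) as functions, plus the FORWARD filtering the HOWTO's note leaves out.
# IPT defaults to iptables; set IPT=echo for a dry run. Interface and address
# names passed to the functions are assumptions.
IPT="${IPT:-iptables}"

# masq_lan LAN_IF WAN_IF LAN_NET
# Only packets whose source really is LAN_NET and which leave via WAN_IF are
# masqueraded; forwarding is limited to replies and LAN -> WAN traffic.
masq_lan() {
    lan_if=$1; wan_if=$2; lan_net=$3
    "$IPT" -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j MASQUERADE
    "$IPT" -P FORWARD DROP
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$lan_if" -o "$wan_if" -s "$lan_net" -j ACCEPT
}

# port_forward WAN_IF PUBLIC_IP PUBLIC_PORT INTERNAL_IP INTERNAL_PORT
# DNAT in PREROUTING (outside clients) and OUTPUT (the NAT box itself).
# DNAT happens before filtering, so the FORWARD rule matches the rewritten
# destination and admits only the forwarded port to the internal server.
port_forward() {
    wan_if=$1; pub_ip=$2; pub_port=$3; int_ip=$4; int_port=$5
    "$IPT" -t nat -A PREROUTING -i "$wan_if" -p tcp -d "$pub_ip" \
        --dport "$pub_port" -j DNAT --to "$int_ip:$int_port"
    "$IPT" -t nat -A OUTPUT -p tcp -d "$pub_ip" \
        --dport "$pub_port" -j DNAT --to "$int_ip:$int_port"
    "$IPT" -A FORWARD -i "$wan_if" -p tcp -d "$int_ip" \
        --dport "$int_port" -j ACCEPT
}

# Turn on IP forwarding last, once the rules are in place.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Usage: sh nat-setup.sh LAN_IF WAN_IF LAN_NET  (e.g. eth0 ppp0 192.168.1.0/24)
if [ "$#" -eq 3 ]; then
    masq_lan "$1" "$2" "$3"
    port_forward "$2" 1.2.3.4 8080 192.168.1.1 80   # the 4.2 example mapping
    enable_forwarding
fi
```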
5. Controlling What To NAT

You need to create NAT rules which tell the kernel what connections to change, and how to change them. To do this, we use the very versatile iptables tool, and tell it to alter the NAT table by specifying the `-t nat' option.

The table of NAT rules contains three lists called `chains': each rule is examined in order until one matches. The three chains are called PREROUTING (for Destination NAT, as packets first come in), POSTROUTING (for Source NAT, as packets leave), and OUTPUT (for Destination NAT of locally generated packets).

If I were an artistic type, the following diagram would accurately represent the above:

            _____                                     _____
           /     \                                   /     \
 PREROUTING -->[Routing ]----------------->POSTROUTING----->
           \D-NAT/  [Decision]                       \S-NAT/
                        |                                ^
                        |                              __|__
                        |                             /     \
                        |                            |OUTPUT|
                        |                             \D-NAT/
                        |                                ^
                        |                                |
                        --------> Local Process ---------

At each of the points above, when a packet passes, we look up what connection it is associated with. If it is a new connection, we look up the corresponding chain in the NAT table to see what to do with it. The answer it gives is then applied to all future packets on that connection.

5.1 Simple Selection using iptables

iptables takes a number of standard options, listed below. All the double-dash options can be abbreviated, as long as iptables can still tell them apart from the other possible options. If your kernel has iptables support as a module, you need to load ip_tables.o first: `insmod ip_tables'.

The most important option here is the table selection option, `-t'. For all NAT operations, you want `-t nat' for the NAT table. The second most important option is `-A' to append a new rule at the end of the chain (e.g. `-A POSTROUTING'), or `-I' to insert one at the beginning (e.g. `-I PREROUTING').

You can specify the source (`-s' or `--source') and destination (`-d' or `--destination') of the packets you want to NAT. These options can be followed by a single IP address (e.g. 192.168.1.1), a name (e.g. www.kernelnotes.org), or a network address (e.g. 192.168.1.0/24 or 192.168.1.0/255.255.255.0).

You can also specify the incoming (`-i' or `--in-interface') or outgoing (`-o' or `--out-interface') interface to match, but which one you may specify depends on which chain you are putting the rule into: at PREROUTING you can only select the incoming interface, and at POSTROUTING (and OUTPUT) you can only select the outgoing interface. If you use the wrong one, iptables will give you an error.

5.2 Finer Points of Selecting What Packets to Mangle

I said above that you can specify the source and destination addresses. If you omit the source address option,
any source address will do. If you omit the destination address, any destination address will do.

You can also specify a particular protocol (`-p' or `--protocol'), such as TCP or UDP; only packets of that protocol will match the rule. The main reason for doing this is that specifying a protocol of tcp or udp allows extra options: in particular the `--source-port' and `--destination-port' options (abbreviated `--sport' and `--dport').

These options let you specify that only packets with certain source and destination ports match the rule. This is useful when you want to redirect web requests (TCP port 80 or 8080) but are worried about affecting other packets.

These options must follow the `-p' option (which has the side effect of loading the shared library extension for that protocol). You can use port numbers, or a name from the /etc/services file.

All the different qualities you can select a packet by are documented in excruciating detail in the manual page (man iptables).

6. Saying How To Mangle The Packets

Now we know how to select the packets we want to mangle. To complete our rule, we need to tell the kernel exactly what we want it to do to the packets.

6.1 Source NAT

You want to do Source NAT: change the source address of connections to something different. This is done in the POSTROUTING chain, just before the packet is finally sent out; this is an important detail, since it means that everything else on the Linux box itself (routing, packet filtering) sees the packet unchanged. It also means that the `-o' (outgoing interface) option can be used.

Source NAT is specified with `-j SNAT', and the `--to-source' option specifies an IP address, or a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).

   ## Change source addresses to 1.2.3.4.
   # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

   ## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
   # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6

   ## Change source addresses to 1.2.3.4, ports 1-1023
   # iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023

Masquerading

There is a specialized case of Source NAT called masquerading: it should only be used for dynamically-assigned IP addresses, such as standard dialups (for static IP addresses, use the SNAT above).

You do not need to put in the source address explicitly with masquerading: it uses the address of the interface the packet is going out from. But more importantly, if the link goes down, the connections (which are lost anyway) are forgotten, so there are fewer glitches when the link comes back with a new IP address.

   ## Masquerade everything out ppp0.
   # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

6.2 Destination NAT

Destination NAT is done in the PREROUTING chain, just as the packet comes in; this means that everything else on the Linux box itself (routing, packet filtering) sees the packet going to its `real' destination. It also means that the `-i' (incoming interface) option can be used here.

If you need to change the destination of locally generated packets, the OUTPUT chain is used, but this is unusual.

Destination NAT is specified with `-j DNAT', and the `--to-destination' option specifies an IP address, or a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).

   ## Change destination addresses to 5.6.7.8
   # iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8

   ## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
   # iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8-5.6.7.10

   ## Change destination addresses of web traffic to 5.6.7.8, port 8080.
   # iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 \
       -j DNAT --to 5.6.7.8:8080

   ## Redirect local packets to 1.2.3.4 to loopback.
   # iptables -t nat -A OUTPUT -d 1.2.3.4 -j DNAT --to 127.0.0.1

Redirection

There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface.

   ## Send incoming port-80 web traffic to our squid (transparent) proxy
   # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
       -j REDIRECT --to-port 3128

6.3 Mappings In Further Depth

There are many more mapping solutions available to NAT than most people need. Here are some for those with an interest:

   Selecting multiple addresses in a range
       If a range of IP addresses is given, the IP address to use is selected based on the least currently used IP for connections the machine knows about. This gives primitive load-balancing.

   Creating null NAT mappings
       You can use the `-j ACCEPT' target to let a connection through without any NAT taking place.

   Standard NAT behaviour
       The default behaviour is to alter the connection as little as possible, within the constraints of the rule given by the user. In other words, we do not remap ports unless we have to.

   Implicit source port mapping
       Even when no NAT is required for a connection, source port translation may sometimes be needed, if another connection has already been mapped over the new one. Consider the case of masquerading, which is quite common:

       1. A web connection is established by a machine 192.1.1.1 from port 1024 to www.netscape.com port 80.
       2. This is masqueraded by the masquerading box to use its own IP address (1.2.3.4).
       3. The masquerading box tries to make a web connection to www.netscape.com port 80 from 1.2.3.4 (its external interface address) port 1024.
       4. The NAT code then alters the second connection's source port to 1025, so the two connections do not clash.

       When this implicit source mapping occurs, ports are divided into three classes:

          * Ports below 512
          * Ports between 512 and 1023
          * Ports 1024 and above

       A port will never be implicitly mapped into a different class.

   What happens when NAT fails
       If there is no way to uniquely map a connection as the user requests, it will be dropped. The same applies to packets which cannot be classified as part of any connection, because they are malformed, or the box is out of memory, and so on.

   Multiple mappings, overlap and clashes
       You can have NAT rules which map packets onto the same range; the NAT code is smart enough to avoid clashes. Hence having two rules which map the source addresses 192.168.1.1 and 192.168.1.2 onto 1.2.3.4 respectively is fine.

       Moreover, you can map onto real, used IP addresses, as long as those addresses pass through the mapping box as well. So if you have an assigned network (1.2.3.0/24), but one internal network uses those addresses and another uses the private addresses 192.168.1.0/24, you can simply NAT the 192.168.1.0/24 source addresses onto the 1.2.3.0 network without fear of clashes:

          # iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
              -j SNAT --to 1.2.3.0/24

       The same applies to addresses used by the NAT box itself: this is how masquerading works (sharing addresses between the masqueraded packets and the `real' packets coming from the box itself).

       Moreover, you can map the same packets onto many different targets, and they will be shared. For example, if you do not want to map anything onto 1.2.3.5, you could do:

          # iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
              -j SNAT --to 1.2.3.0-1.2.3.4 --to 1.2.3.6-1.2.3.254

   Changing the destination of locally generated connections
       If the destination of a locally generated packet is changed (say, by the OUTPUT chain) and this causes the packet to go out a different interface, the source address is changed to that interface's address as well. For example, changing the destination of a loopback packet so that it goes out eth0 changes the source address from 127.0.0.1 to the address of eth0; unlike other source address mappings, this is done immediately. Of course, all these mappings are reversed when the reply packets come in.
7. Special Protocols

Some protocols do not like being NATed. For each of these protocols, two extensions must be written: one for the connection tracking of the protocol, and one for the actual NAT.

Inside the netfilter distribution there are currently modules for ftp: ip_conntrack_ftp.o and ip_nat_ftp.o. If you insert these into your kernel (or compile them in permanently), then doing any kind of NAT on ftp connections should be possible. If you do not, you can use passive-mode ftp, but this may not be reliable if you are doing anything more than simple Source NAT.

8. Caveats on NAT

If you are doing NAT on a connection, all packets going both ways (in and out of the network) must pass through the NAT box, or it will not work reliably. In particular, the connection tracking code reassembles fragments, meaning that not only will connection tracking be unreliable, but your packets may not get through at all, as the fragments are held.

9. Source NAT and Routing

If you are doing SNAT, you want to make sure that the box which receives the SNATed packets sends replies back to the NAT box. For example, if you are mapping some outgoing packets onto the source address 1.2.3.4, then the external router must know to send reply packets (which have destination 1.2.3.4) back to that box. This can be done in the following ways:

   1. If you are doing SNAT onto the box's own address (for which routing and everything else already works), you do not need to do anything.
   2. If you are doing SNAT onto an unused address on the local LAN (for example, you are mapping onto 1.2.3.99, a free IP on your 1.2.3.0/24 network), your NAT box needs to reply to ARP requests for that address as well as its own: the easiest way to do this is to create an IP alias, like so:

         # ip address add 1.2.3.99 dev eth0

   3. If you are doing SNAT onto a completely different address, you need to make sure that the machines the SNATed packets reach will route back to the NAT box. This is already the case if the NAT box is their default gateway; otherwise you need to advertise a route (if you run a routing protocol), or manually add routes to every machine involved.
10. Destination NAT onto the Same Network

If you are doing port forwarding back to the same network, you need to make sure that both forward and reply packets pass through the NAT box (so they can be altered). The NAT code now (as of 2.4.0-test6) drops the outgoing ICMP redirect that is generated when a NATed packet goes out the same interface it came in on, but the receiving server will still try to reply directly to the client (which will not recognise the reply).

The classic case is that internal staff try to access your `public' web server, which is actually DNATed from the public address (1.2.3.4) to an internal machine (192.168.1.1), like so:

   # iptables -t nat -A PREROUTING -d 1.2.3.4 \
       -p tcp --dport 80 -j DNAT --to 192.168.1.1

One solution is to run an internal DNS server which knows the real (internal) IP address of your public web site, and forwards all other requests to an external DNS server. This means that the logs on your web server will show the internal IP addresses correctly.

The other solution is to have the NAT box also map the source IP address of these connections to its own address, fooling the server into replying through it. In this example, we would do the following (assuming the internal IP address of the NAT box is 192.168.1.250):

   # iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 \
       -p tcp --dport 80 -j SNAT --to 192.168.1.250

Because the PREROUTING rule is run first, the packets are already destined for the internal web server: we can tell which ones are internally sourced by their source IP addresses.

11. Thanks

Thanks first to WatchGuard, and David Bonn, who believed in the netfilter idea enough to support me while I worked on it.

And to everyone else who helped me point out the deficiencies of NAT, especially those who read my diary.

Rusty.

References

   1. http://netfilter.filewatcher.org/
   2. http://www.samba.org/netfilter
   3. http://netfilter.kernelnotes.org/
   4. http://lists.samba.org/
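As an added example that is not part of the HOWTO, the following POSIX shell script builds the PREROUTING DNAT and POSTROUTING SNAT pair from section 10 (so that internal clients of the `public' address get their replies back through the NAT box) and refuses any NAT rule whose interface option is illegal for its chain, the restriction explained in section 5.1. IPT and the nat_rule/hairpin_dnat function names are assumptions; the addresses are the HOWTO's example values, and IPT=echo gives a dry run.

```shell
#!/bin/sh
# Added example (not from the HOWTO): the section-10 DNAT/SNAT pair, with a
# pre-check of the chain/interface rule from section 5.1.
# IPT defaults to iptables; set IPT=echo for a dry run.
IPT="${IPT:-iptables}"

# nat_rule CHAIN ARGS...
# PREROUTING may only match the incoming interface, POSTROUTING and OUTPUT
# only the outgoing one. iptables would reject such a rule; we reject it
# before it is ever handed over, with a message naming the offending option.
nat_rule() {
    chain=$1; shift
    bad=
    for arg in "$@"; do
        case "$chain:$arg" in
            PREROUTING:-o|PREROUTING:--out-interface) bad=$arg ;;
            POSTROUTING:-i|POSTROUTING:--in-interface) bad=$arg ;;
            OUTPUT:-i|OUTPUT:--in-interface) bad=$arg ;;
        esac
    done
    if [ -n "$bad" ]; then
        echo "nat_rule: $bad is not valid in the $chain chain" >&2
        return 1
    fi
    "$IPT" -t nat -A "$chain" "$@"
}

# hairpin_dnat PUBLIC_IP PORT SERVER_IP LAN_NET NATBOX_LAN_IP
hairpin_dnat() {
    pub=$1; port=$2; srv=$3; lan=$4; me=$5
    # Every client, inside or outside: the public address becomes the server.
    nat_rule PREROUTING -d "$pub" -p tcp --dport "$port" -j DNAT --to "$srv" || return 1
    # Internal clients only. PREROUTING has already run, so the destination
    # is now the server; rewriting the source to the NAT box's LAN address
    # makes the server reply through us instead of straight to the client.
    nat_rule POSTROUTING -d "$srv" -s "$lan" -p tcp --dport "$port" \
        -j SNAT --to "$me"
}

# Usage: sh hairpin.sh apply   (assumed NAT box internal address 192.168.1.250)
if [ "$1" = apply ]; then
    hairpin_dnat 1.2.3.4 80 192.168.1.1 192.168.1.0/24 192.168.1.250
fi
```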