Linux 2.4 NAT HOWTO
§@ªÌ¡RRusty Russell, mailing list netfilter@lists.samba.org
ĶªÌ¡Rºô¤¤¤H netmanforever@yahoo.com
v1.0.1 Mon May 1 18:38:22 CST 2000
_________________________________________________________________
¥»¤å¥ó´yz¦p¦ó¥Î 2.4 Linux ®Ö¤ß¥h°µ masquerading¡Ntransparent proxying
¡Nport forwarding¡N©M¨ä¥¦Ãþ«¬ªº Network Address Translations ¡C
_________________________________________________________________
1. Introduction
2. ©x¤èªººô¯¸©M³q«H½×¾Â¦ó³B³V¡S
* 2.1 ¦ó¬° Network Address Translation?
* 2.2 ¬°¤°»ò§Ún°µ NAT ©O¡S
3. ¨âºØÃþ«¬ªº NAT
4. ±q 2.0 ¨ì 2.2 ®Ö¤ßªº§Ö³tÂàÅÜ
* 4.1 ±Ï©R°Ú¡T§Ú¥u·Qn«Ê¥]°°¸Ë¦Ó¤w¡T
* 4.2 ¨º ipmasqadm «ç»ò¤F¡S
5. ±±¨îþ¨Çn NAT
* 5.1 ¥Î iptables °µÂ²³æªº¿ï¾Ü
* 5.2 Ãö©ó¬D¿ïþ¨Ç«Ê¥]¨Ó mangle ªº²Ó¸`
6. ½Í½Ín«ç¼Ë Mangle «Ê¥]
* 6.1 Source NAT
* 6.2 Destination NAT
* 6.3 ¶i¤@¨Bªº¬M¹ï(Mappings)
7. ¯S®í¨ó©w
8. NAT ªº¤@¨Ç¨î (caveats)
9. Source NAT »P¸ô¥Ñ
10. ¦b¦P¤@ºô¸ô¤Wªº Destination NAT
11. ·PÁÂ
_________________________________________________________________
1. Introduction
¿Ë·RªºÅªªÌ¡MÅwªï±z¡T
±z±Nn±´¯Áªº¬O¤Þ¤H¤J³Ó(¦³®ÉÆZ®£©Æ)ªº NAT(Network Address Translation)
¥@¬É¡M¦P®É¡M±z¬Æ¦Ü¥i¥H§â³o¥÷ HOWTO ·í¦¨ Linux 2.4 ®Ö¤ß¤Î¥H«áª©¥»ªººë½T
«ü«n©O¡C
¦b Linux 2.4 ¸Ì±¡M¦³¤@Ó¥s `netfilter' ªºªFªF¡M¥¦¬O±Mªù¼¹µõ
(mangling* )«Ê¥]ªº¡C¦b¥¦¦A¤W¤@Ó¼h¯Å¡M´N¬O´£¨Ñ NAT ¥\¯àªº¤F¡M«h¬O§¹¥þ¥Ñ
¥H©¹ªº®Ö¤ß¹ê§@¦Ó¦¨ªº¡C
(ĶªÌµù¡R«Ü©_©Ç¡Mì§@ªÌ¥Î mangle ³o¤@µü¡M¦ü¥G¦b¹L©¹ªº¤¤¤å¤å¥ó¤¤³£¨S¸I¨ì
¹L¡M¬d¹L¦n¦h¦r¨å³£¤£ª¾¹D«ç»ò½Ķ¦n¡C³o¸Ì¼È®É«j±j¥Î¡¥¼¹µõ¡¦³oÓµü¥N´À¡M
¤£¹L«á±§Ú´N¤£¹Á¸Õ½Ķ³oµü¤F¡MÅýŪªÌ¦Û¤v¥h²z¸Ñ§a¡C)
2. ©x¤èªººô¯¸©M³q«H½×¾Â¦ó³B³V¡S
¥Ø«e¦³¤TÓ©x¤èºô¯¸¥i¨ÑÂsÄý¡R
* ·PÁÂ [1]Filewatcher (http://netfilter.filewatcher.org).
* ·PÁÂ [2]The Samba Team and SGI (http://www.samba.org/netfilter).
* ·PÁÂ [3]Jim Pick (http://netfilter.kernelnotes.org).
¦Ó©x¤èªº netfilter ¶l¥ó½×¾Â¡M«h¥i¥H¨ì³o¸Ì¬Ý¡R [4]Samba's Listserver
(http://lists.samba.org).
2.1 ¦ó¬° Network Address Translation?
¤@¯ë¨Ó»¡¡M¦bºô¸ô¤W«Ê¥]±q¨ä¨Ó·½(¤ñ¤è±z®a¤¤ªº¹q¸£)¥X¥h¡MµM«á¨ì¹F¥Øªº¦a(¤ñ
¤èwww.kernelnotes.org)¡M·|¸g¹L³\³\¦h¦hÓ¤£¦Pªº³s±µ(links)¡R´N§Ú©Ò¦bªº¿D
¬w¨Ó»¡´N¤j¬ù¦³ 19 Ó¤§¦h¡C¨S¦³¥ô¦ó¤@Ó³s±µ·|¯uªº¥h§ó§ï±zªº«Ê¥]¡R¥L̶È
¶È¬O±N¤§¶Ç°e¥X¥h¦Ó¤w¡C
°²¦p¨ä¤¤¤@Ó³s±µ·|°µ NAT ªº¸Ü¡MµM«á¥¦Ì´N·|§ó§ï¨º¨Ç¸g¥¦¦Ó¹Lªº«Ê¥]¤§¨Ó·½
©Î¥Øªº¦a¦a§}¡C¸Û¦p±z¯à·Q¹³±o¨ìªº¡M³o¨Ã«D¨t²Î³Q³]p¦¨³o¼Ëªº¡M¦Ó¬O NAT ©Ò
°µªº¤â¸}¦Ó¤w¡C³q±`n°µ NAT ªº³s½u·|°O¦í¥¦¦p¦ó mangled «Ê¥]ªº¡MµM«á·í¦^
À³«Ê¥]±q¥t¤@¤è¦V¹L¨Óªº®ÉÔ¡MµM«á´N¤Ï¹L¨Ó mangling ¨ºÓ¦^À³«Ê¥]¡M©Ò¥H©Ò
¦³ªF¦è³£¤u§@°_¨Ó¤F¡C
2.2 ¬°¤°»ò§Ún°µ NAT ©O¡S
¦b§¹¬üªº¥@¬É¸Ì¡M±zµL»Ý³o¼Ë°µ°Õ¡C¦b¥Ø«e¨Ó»¡¡MÁÙ¬O¦³¨ä²z¥Ñªº¡R
¥Î modem ¼·±µ¤Wºô
¤j¦h¼Æªº ISP ¦b±z³s¤W¥hªº®ÉÔ¥u·|µ¹±z¤@Ó³æ¤@ IP ¦a§}¡C±z³ßÅwªº
¸Ü¡M¥H¥ô¦ó¨Ó·½¦a§}§â«Ê¥]°e¥X¥h³£¦æ¡M¦ý¥u¦³¦^À³¨ì³oÓ¨Ó·½¦a§}ªº«Ê
¥]¤~¥i¥H¦^¨ì±z¨º¸Ì¡C¦pªG±z·Q¥Î¦h¥x¤£¦P¥D¾÷(¨Ò¦p®a¤¤ºô¸ô)³z¹L¸Ó³s
±µ¤W internet ªº¸Ü¡M¨º±z´Nn NAT ¤F¡C
³o¤]´N¬O¤µ¤Ñ NAT ³Ì±`¥Î¤§³B¡M¦Ó¦b Linux ¥@¬É³Ì¬°¤Hª¾ªº´N¬O©Ò¿×ªº
`masquerading(«Ê¥]°°¸Ë³N)' ¤F¡C§ÚºÙ¤§¬° SNAT¡M¦]¬°±z§ïÅܤF²Ä¤@Ó
«Ê¥]ªº source(¨Ó·½) ¦a§}ªº½t¬G¡C
¦h«¦øªA¾¹
¦³®ÉÔ¡M±z·|·Q¥h§ïÅܨº¨Ç¶i¤J±zºô¸ôªº«Ê¥]¤§¸ô¦V¡C³o³Ì±`¬O¦]¬°(¦p
¤Wz)±z¥u¦³¤@Ó IP ¦a§}¡M¦ý±z«o·QÅý§O¤H¯à°÷³s±µ¨ì `¯u¹ê' IP ¦a§}
«á±ªº¥D¾÷¥h¡C¦pªG±z«¼g³o¨Ç¤º°e«Ê¥]ªº¥Øªº¦a§}¡M³o¼Ë±z´N¥i¥HºÞ²z
¥¦Ì¤F¡C
¤@Ó±`¨£ªºÅܰʬOt¸ü¤À¾á(load-sharing)¡M¤]´N¬O¦b¤@²Õ¾÷¾¹¤W±¬°«Ê
¥]°µ¬M¹ï(mapping)ªº°Ê§@¡C³oÃþ«¬ªº NAT ¡M¦b¥H«eªºªº Linux ª©¥»¤¤
¤]´N³QºÙ¬° port-forwarding ¡C
³z©ú¥N²z(Transparent Proxying)
¦³®ÉÔ¡M±z©Î³\·Qn¨C¤@Ó¸g¹L±zªº Linux ¥D¾÷ªº«Ê¥]°e¦Ü¥D¾÷¥»¨ªº
¤@Óµ{¦¡¥h¡C³o´N»Ýn¶i¦æ³z©ú¥N²zªº°Ê§@¤F¡R¤@Ó¥N²z´N¬O¤@Ó¦ì©ó±z
ªººô¸ô©M¥~³¡ºô¸ôªºµ{¦¡¡M¬°©¼¦¹Âù¤èt°_·¾³qªº¥ô°È¡C¦Ó©Ò¿×ªº³z©ú¡M
«h¬O¦]¬°±zªººô¸ô¬Æ¦ÜµL¶·ª¾¹D¦b©M¤@Ó¥N²z¹ïÁ¿¡M·íµM¤F¡M°£«D¥N²z¤£
¦A¤u§@¤F§a¡C
Squid ¥i¥H°t¸m¦¨³o¼Ëªº¤u§@¤è¦¡¡M³o´N¬O¦b¹L©¹ªº Linux ª©¥»¤¤©Ò¿×
ªº«¾É¦V(redirection)¡N©Î³z©ú¥N²z¤F¡C
3. ¨âºØÃþ«¬ªº NAT
§Ú±N NAT ¤À¬°¨âºØ¤£¦PªºÃþ«¬¡R Source NAT (SNAT) »P Destination NAT
(DNAT)
Source NAT ´N¬O±z±N§ïÅܲĤ@Ó«Ê¥]ªº¨Ó·½¦a§}¡R¨Ò¦p¡M±z¬°¶Ç¤Jªº³s½u°µ
caching ªº°Ê§@¡CSource NAT ¥Ã»··|¦b«Ê¥]¶Ç¥Xºô½u¤§«e´N°µ¦n post-routing
ªº°Ê§@¡C«Ê¥]°°¸Ë(Masquerading)´N¬O¤@Ó SNAT ¯S¨Ò¡C
Destination NAT ´N¬O±z±N§ïÅܲĤ@Ó«Ê¥]ªº¥Øªº¦a¦a§}¡R¨Ò¦p±zn¬°¶Ç¥Xªº³s
½u°µ caching ªº°Ê§@¡CDestination NAT ¥Ã»··|¦b«Ê¥]±qºô½u¶i¤J¤§«á´N°¨¤W°µ
¦n pre-routing ªº°Ê§@¡CPort forwarding¡Nt¸ü¤À¾á¡N¥H¤Î³z©ú¥N²z¡M³£ÄÝ©ó
DNAT¡C
4. ±q 2.0 ¨ì 2.2 ®Ö¤ßªº§Ö³tÂàÅÜ
«D±`©êºp¡M°²¦p±z¤´µM¦£©ó±q 2.0(ipfwadm) ¨ì 2.2(ipchains) ªºÂ૬ªº¸Ü¡C¤£
¹L¡M³o¤]¬Oӳ߼~°Ñ¥bªº®ø®§°Õ¡C
º¥ý¡M±z¥i¥H»´©öªº¤@¦p©¹©õ¦a¨Ï¥Î ipchains ©M ipfwadm¡Cn³o¼Ë°µªº¸Ü¡M±z
»Ýn±N³Ì·sªº netfilter ®M¥ó¤¤ªº `ipchains.o' ©Î `ipfwadm.o' ®Ö¤ß¼Ò²Õ¸ü
¤J¡C¥¦Ì¬O¬Û¤¬±Æ¥¸ªº(±zÀ³¤wÀòĵ§i¤F)¡M¦P®É¤]¤£¯à©M¨ä¥¦ netfilter ¼Ò²Õ¦P
®É¾ã¦X¦b¤@°_¡C
¤@¥¹¨ä¤¤¤@Ó¼Ò²Õ³Q¸ü¤J¡M±z´N¥i¥H¦p±`¨Ï¥Î ipchains ©M ipfwadm ¤F¡M¦ý¤]¦³
¦p¤U¤@¨ÇÅܤưաR
* ¥Î ipchains -M -S¡M©Î¬O ipfwadm -M -s §@°°¸Ë¹O®É±N¤£¦A¦³®Ä¡C¦]¬°¹O
®É³]©w¤w¸g²¾¦Ü·sªº NAT ¬[ºc¤¤¡M©Ò¥H³o¸Ì¤]´N¨S¤°»ò©Ò¿×¤F¡C
* ¦b°°¸Ë¦Cªí¤¤Åã¥Üªº ini_seq¡Ndelte¡N©M previous_delta Äæ¦ì¡M±N¥Ã»·¬°
¹s¡C
* ¦P®ÉÂk¹s(zeroing)©M¦C¥Ü°O¼Æ¾¹(counter)ªº `-Z -L' ¤wµL§@¥Î¡R°O¼Æ¾¹±N
¤£¯à¦AÂk¹s¤F¡C
Hacker ̤´n¯d·N¤§³B¡R
* ±z²{¦b¥i¥H®¹¸j 61000-65095 ¤§¶¡ªº°ð¤f¡M¦ÓµL»Ý²z·|±z¬O§_¨Ï¥Î«Ê¥]°°¸Ë
§Þ³N¡C¦b¹L¥h¡M«Ê¥]°°¸Ëµ{¦¡·|§â¦¹È°ì¤ºªº©Ò¦³ªF¦è®·Àò¶i¨Ó¡M©Ò¥H¨ä¥¦
µ{¦¡´N¤£¥i¥Î¤§¤F¡C
* ¦Ü©ó(©|¥¼¦¨¤å¤§) getsockname ¯}¸Ñ¡M¦b¹L¥h¡M³z©ú¥N²zµ{¦¡¥i¥H§ä¥X¨º¨Ç
¤£¦A¦³®Ä³s½u¤§¯u¥¿¥Øªº¦a¡C
* ¦Ü©ó(©|¥¼¦¨¤å¤§) bind-to-foreign-address ¯}¸Ñ¡M¦P¼Ë©|¥¼¹ê§@¡Q³o¦b¹L
¥h¥Î¥H§¹µ½³z©ú¥N²zªººc·Q¡C
4.1 ±Ï©R°Ú¡T§Ú¥u·Qn«Ê¥]°°¸Ë¦Ó¤w¡T
¨S¿ù¡M³o¤]¬O¤j¦h¼ÆªB¤Í¤§»Ý¡C¦pªG±z¥Î PPP ¼·±µÀò±oªº°ÊºA IP (¦pªG±z¤£¤F
¸Ñªº¸Ü¡M¨º±zÀ³¸Ó¬O¤F)¡M±z©Î³\¥u·Q³æ¯Â§i¶D±zªº¥D¾÷Åý©Ò¦³¨Ó¦Û±z¤º³¡ºô¸ôªº
«Ê¥]¡M¬Ý°_¨Ó¦p¨Ó¦Û¸Ó PPP ¼·±µ¥D¾÷¤@¼Ë¡C
# Load the NAT module (this pulls in all the others).
modprobe iptable_nat
# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
µù¡R±z³o¸Ì¨Ã¨S°µ¥ô¦ó«Ê¥]¹LÂo¡R¦pnªº¸Ü¡M½Ð°Ñ¦Ò Packet Filtering HOWTO¡R
±N NAT ©M«Ê¥]¹LÂo¦X¨Ö°_¨Ó´N¬O¤F¡C
4.2 ¨º ipmasqadm «ç»ò¤F¡S
³oÓ¨ä¹ê¨ú¨M©ó¨Ï¥ÎªÌ¦Ó¤w¡M©Ò¥H§Ú¨Ã¤£¬O«Ü¬°¦V«áÝ®e°ÝÃD¦Ó¾á¤ß¡C±z¥i¥H³æ
¯Â¨Ï¥Î iptables -t nat °µ port forwarding ªº°Ê§@¡C¨Ò¦p¡M¦b Linux 2.2 ±z
©Î³\¤w¸g³o¼Ë°µ¤F¡R
# Linux 2.2
# Forward TCP packets going to port 8080 on 1.2.3.4 to 192.168.1.1's port 80
ipmasqadm portfw -a -P tcp -L 1.2.3.4 8080 -R 192.168.1.1 80
¦Ó²{¦b¡M¦p¦¹«h¥i¡R
# Linux 2.4
# Append a rule pre-routing (-A PREROUTING) to the NAT table (-t nat) that
# TCP packets (-p tcp) going to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080)
# have their destination mapped (-j DNAT) to 192.168.1.1, port 80
# (--to 192.168.1.1:80).
iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 8080 \
-j DNAT --to 192.168.1.1:80
°²¦p±z·QÅý³o±ø³W«h¦P®Éק糧¾÷³s½uªº¸Ü(¦p¡M§Y¨Ï¦b NAT ¥D¾÷¥»¨¡Mn³s±µ
1.2.3.4 ªº 8080 °ð¤f¤§ telnet ³s½u¡M·|À°±z³s±µ¦Ü 192.168.1.1 ªº 80 °ð
¤f)¡M±z´N¥i¥H´¡¤J¬Û¦Pªº³W«h¦Ü OUTPUT Ã줤(¥¦¥u¾A¥Î©ó¥»¾÷¶Ç¥Xªº«Ê¥])¡R
# Linux 2.4
iptables -A OUTPUT -t nat -p tcp -d 1.2.3.4 --dport 8080 \
-j DNAT --to 192.168.1.1:80
5. ±±¨îþ¨Çn NAT
±z»Ýn«Ø¥ß¤@¨Ç NAT ³W«h¡M¨Ó§i¶D®Ö¤ßþ¨Ç³s½un§ïÅÜ¡M¦P®É¦p¦ó¥h§ïÅÜ¥¦Ì¡C
n°µ¨ì³oÂI¡M§ÚÌ»Ýn¤@Ó«D±`¦h¥Î³~ªº iptables ¤u¨ã¡M¦P®É«ü©w `-t nat'
¿ï¶µ§i¶D¥¦¥hקï NAT ªí®æ¡C
NAT ³W«hªºªí®æ§t¦³¤TÓ¦Cªí¥s°µ`chains' ¡R¨C¤@±ø³W«h³£«ö¶¶§ÇÀˬd¡Mª½¨ì§ä
¨ì¤@Ӭ۲Ūº¤ñ¹ï¡C¸Ó¤TÓÃì´N¥s°µ PREROUTING (¹ï Destination NAT ¨Ó»¡¡M
¦]¬°«Ê¥]º¥ý¬O¶Ç¤Jªº)¡NPOSTROUTING (¹ï Source NAT ¨Ó»¡¡M¦]¬°«Ê¥]¬OÂ÷¶}
ªº)¡N¥H¤Î OUTPUT (¹ï Destination NAT ¨Ó»¡¡M¬O«ü¨º¨Ç¥Ñ¥»¾÷²£¥Íªº«Ê¥])¡C
°²¦p§Ú°÷ÃÀ³N¤Ñ¥÷ªº¸Ü¡M¤U±ªº¹Ï¥Ü±N·Ç½T¼ÒÀÀ¥X¤W±©Ò»¡ªº·§©À¡C
_____ _____
/ \ / \
PREROUTING -->[Routing ]----------------->POSTROUTING----->
\D-NAT/ [Decision] \S-NAT/
| ^
| __|__
| / \
| | OUTPUT|
| \D-NAT/
| ^
| |
--------> Local Process ------
©ó«ezªº¨C¤@ÂI¡M·í¤@Ó«Ê¥]³q¹L§ÚÌn¬d¬Ýªº¬ÛÃö³s½u¤§®É¡M¦pªG¥¦¬O¤@Ó·s
«Ø³s½u¡M§Ú̬d¬Ý¥¦¦b NAT ªí®æ¸Ì¹ïÀ³ªºÃì¡M¬Ý¬Ý¯à¹ï¤§°µ¨Ç¤°»ò°Ê§@¡C¦Ó¥Ñ¦¹
Àò±oªºµª®×´NÀ³¥Î©ó¸Ó³s½u±N¨Óªº©Ò¦³«Ê¥]¡C
5.1 ¥Î iptables °µÂ²³æªº¿ï¾Ü
iptables ¨ã¦³¦p«á©Ò¦Cªº³\¦h¼Ð·Ç¿ï¶µ¡C©Ò¦³¨º¨Ç±aÂù´î¸¹ªº¿ï¶µ³£¬O¥i¥HÁY¼g
ªº¡M¥un iptables ¤´¥i±N¤§»P¨ä¥¦¥i¯àªº¿ï¶µ°Ï¤À¶}¨Ó´N¦æ¡C¦pªG±zªº®Ö¤ß¥H
¼Ò²Õ§Î¦¡¨Ó¤ä´© iptables ¡M±z´N»Ýnº¥ý¸ü¤J ip_tables.o ¡R `insmod
ip_tables'¡C
³o¸Ì¡M³Ì«nªº¤@ӿﶵ¬Oªí®æ¿ï¾Ü¿ï¶µ¡R `-t' ¡C¹ï©ó©Ò¦³ªº NAT ¾Þ§@¡M±z·|
·Q¥Î `-t nat' ¨Óªí¥Ü NAT ªí®æ¡C²Ä¤GÓ«nªº¿ï¶µ¬O¥H `-A' ¼W¥[¤@±ø·s³W«h
¦ÜÃ쪺¥½ºÝ (¦p¡R`-A POSTROUTING')¡M©Î¥H `-I' ´¡¤J¦Ü«eºÝ(¦p¡R`-I
PREROUTING')¡C
±z¥i¥H«ü©w±zn°µ NAT ªº«Ê¥]¨Ó·½¦a§} (`-s' ©Î `--source') »P¥Øªº¦a
(`-d' or `--destination')¡C³o¨âӿﶵ«á±¥i¥H«á±µ¤@Ó³æ¤@ªº IP ¦a§} (¦p
¡R192.168.1.1)¡M©Î¤@Ó¦WºÙ (¦p¡R www.kernelnotes.org)¡M©Î¤@Óºô¸ô¦a§}
(¦p¡R192.168.1.0/24 ©Î 192.168.1.0/255.255.255.0)¡C
±z¤]¥i¥H«ü©wn¤ñ¹ïªº¶Ç¤J (`-i' ©Î `--in-interface') ©M¶Ç¥X (`-o' or
`--out-interface') ¬É±¡M¦ýþ¤@Ӭɱ¥i¥H«ü©w«h¨ú¨M©ó±zn±N³W«h¼g¤Jþ¤@
ÓÃì¥h¡R¹ï©ó PREROUTING ¡M±z¥i¥H¿ï¾Ü¶Ç¤J¬É±¡M¦ý¹ï©ó POSTROUTING (¥H¤Î
OUTPUT)¡M±z¥i¥H¿ï¾Ü¶Ç¥X¬É±¡C¦pªG±z¤£¤p¤ß¥Î¿ù¤F¡M iptables ´N·|µ¹±z¤@Ó
¿ù»~¡C
5.2 Ãö©ó¬D¿ïþ¨Ç«Ê¥]¨Ó mangle ªº²Ó¸`
§Ú«e±¤w¸g»¡¹L¡M±z¥i¥H«ü©w¨Ó·½©M¥Øªº¦a¦a§}¡C¦pªG±z¬Ù²¤¨Ó·½¦a§}ªº¿ï¶µ¡M
¨º»ò´Nªx«ü¥ô¦ó¨Ó·½¡C¦pªG±z¬Ù²¤¥Øªº¦a¦a§}¡M«hªx«ü©Ò¦³¥Øªº¦a¦a§}¡C
±zÁÙ¥i¥H«ü©w¤@Ó¯S©w¨ó©w (`-p' or `--protocol')©O¡M¨Ò¦p TCP ©Î UDP¡R¥u
¦³³o¨Ç¨ó©wªº«Ê¥]¤~²Å¦X¸Ó³W«h¡C¨ä¥Dnì¦]¬O¡M«ü©w tcp ©Î udp ¨ó©w¥i¥H¤¹
³\§ó¦h¿ï¶µ¡R¤×¨ä¬O `--source-port' »P `--destination-port' ¿ï¶µ (ÁY¼g¬°
`--sport' »P `--dport' )¡C
³o¨Ç¿ï¶µ¥i¥HÅý±z«ü©w¥u¦³þ¨Ç¯S©w¨Ó·½©M¥Øªº¦a°ð¤fªº«Ê¥]¤~²Å¦X¸Ó³W«h¡C³o
¦b±zn«¾É web ½Ð¨D (TCP port 80 ©Î 8080) ¦ý¤S©È¼vÅT¨ä¥¦«Ê¥]ªº®ÉÔ¡M´N
«Ü¦n¥Î¤F¡C
³o¨Ç¿ï¶µ¥²¶·±µ¦b `-p' ¿ï¶µªº«á±(³o·|¦b¬°¸Ó¨ó©w¸ü¤J¦@¨É¨ç¦¡®w®É¦³°Æ§@
¥Î)¡C±z¥i¥H¨Ï¥Î°ð¤f¸¹½X¡M©ÎªÌ¬O¦b /etc/services Àɤ¤ªº¦WºÙ¡C
©Ò¦³³o¨Ç±z¯à¿ï¾Üªº«Ê¥]¤§¤£¦P«~½è¡M³£¸Ô²Ó¦C¦b¨ºÓ¸Ô²Ó±o¦³ÂI®£©Æªº
manual page ¤¤¤F(man iptables)¡C
6. ½Í½Ín«ç¼Ë Mangle «Ê¥]
²{¦b¡M§Ú̪¾¹D¦p¦ó¥h¬D¿ï¨º¨Ç§ÚÌn mangle ªº«Ê¥]¡C¬°¤Fn§¹µ½§Ú̪º³W«h
¡M§ÚÌ»Ýn·Ç½TµL»~ªº§i¶D®Ö¤ß¡M¤°»ò¤~¬O§ÚÌn¹ï«Ê¥]°µªº¡C
6.1 Source NAT
±z·Qn°µ Source NAT¡M¬On¥h±N³s½uªº¨Ó·½¦a§}´«¦¨§Oªº¤°»òªº¡C³o´Nn¦b¥¦³Ì
«án°e¥X¥h¤§«e¡M©ó POSTROUTING Ã줤§¹¦¨¤F¡Q³o¬O¤@Ó«D±`«nªº²Ó¸`¡M¦]¬°
¥¦·N¨ýµÛ©Ò¦³¦b Linux ¥D¾÷¥»¨¤Wªº¨ä¥¦ªF¦è (routing, packet filtering)
³£¥u¬Ý¨£¨ºÓÁÙ¨S§ïÅܪº«Ê¥]¡C¦P®É¡M³o¤]´N¬O»¡¡M`-o' (¶Ç¥X¬É±) ¿ï¶µ¥i¥H
¬£¤W¥Î³õ¤F¡C
Source NAT ¬O¥Î `-j SNAT' ¨Ó«ü©wªº¡M¦P®É¡M `--to source' «h«ü©w¤@Ó IP
¦a§}¡N©Î¤@¬q IP ¦a§}¡N¥H¤Î¤@Ó¥i°t¿ïªº°ð¤f©Î¤@¬qȰ쪺°ð¤f(¶È¾A¥Î©ó
UDP ©M TCP ¨ó©w)¡C
## Change source addresses to 1.2.3.4.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
## Change source addresses to 1.2.3.4, ports 1-1023
# iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023
«Ê¥]°°¸Ë (Masquerading)
¦³¤@Ó Source NAT ¤§¯S¨Ò¡M¥s°µ«Ê¥]°°¸Ë¡R¥¦¥u¥Î©ó°ÊºA¤À°tªº IP ¦a§}¡M¨Ò
¦p¼Ð·Çªº¼·±µ(¦pªG¥ÎÀRºA IP ¦a§}¡M«h¨Ï¥Î«ez¤§ SNAT)¡C
±zµL»Ý©ú½T¦a±N masquerading ©ñ¶i¨Ó·½¦a§}¨º¸Ì¥h¡R¥¦±N·|¨Ï¥Î«Ê¥]¶Ç¥X¬É±
§@¬°¨Ó·½¦a§}¡C¦ý§ó«nªº¬O¡M¦pªG¸Ó³s±µ(link)Â_±¼ªº¸Ü¡M¨º»ò³s½u
(connections¡MµL¥iÁקKªº±N¥¢±¼) ¤]·|³Q§Ñ±¼¡M·í³s½u¥Î·sªº IP ¦a§}¦^¨Óªº
®ÉÔ´N·|¦³°ÝÃD¤F¡C
## Masquerade everything out ppp0.
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
6.2 Destination NAT
¤@¥¹«Ê¥]¶i¤J¡M·|¥Ñ PREROUTING Ã짹¦¨³B²z¡Q¤]´N¬O»¡¡M°£¤F¸Ó¥D¾÷¦Û¤vªº¨ä
¥¦ªF¦è(½Ñ¦p¡R¸ô¥Ñ¡N«Ê¥]¹LÂo) ³£±N«Ê¥]¬Ý¦¨n°e¨ì `¯u¥¿' ¥Øªº¦a¡C¥t¥~¡M¨º
Ó `-i' (¶Ç¤J¬É±) ¿ï¶µ¤]¥i¥H¦b³o¸Ì¨Ï¥Î¡C
»Ýnק糧¾÷²£¥Íªº«Ê¥]¤§¥Øªº¦aªº¸Ü¡M¨º»ò OUTPUT Ãì´N¥i¥H¥Î¤W¤F¡M¤£¹L³o
¨Ã¤£±`¸I¨ì¡C
Destination NAT ¥²¶·¥H `-j DNAT' ¨Ó«ü©w¨Ï¥Î¡M¦P®É¥Î `--to destination'
¿ï¶µ«ü©w¤@Ó IP ¦a§}¡N©Î¤@¬q IP ¦a§}¡M¥H¤Î¥i¥H°t¿ï¤@Ó°ð¤f©Î¤@¬q°ð¤fÈ
°ì(¥u¯à¥Î©ó UDP ©M TCP ¨ó©w¤W±)¡C
## Change destination addresses to 5.6.7.8
# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8
## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8-5.6.7.10
## Change destination addresses of web traffic to 5.6.7.8, port 8080.
# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 \
-j DNAT --to 5.6.7.8:8080
## Redirect local packets to 1.2.3.4 to loopback.
# iptables -t nat -A OUTPUT -d 1.2.3.4 -j DNAT --to 127.0.0.1
«¾É¦V (Redirection)
¦b Destination NAT ¦³¤@Ó¯S§Oªº±¡§Î¡R¥¦¬O¤@Ó²³æªº«K§Q¡M§¹¥þµ¥¦P©óµ¹¶Ç
¤J¬É±¦a§}°µ DNAT ¤@¼Ë¡C
## Send incoming port-80 web traffic to our squid (transparent) proxy
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
-j REDIRECT --to-port 3128
6.3 ¶i¤@¨Bªº¬M¹ï(Mappings)
ÁÙ¦³³\¦h NAT ¤W±ªº¸Ñ¨M¤è®×¬O¤j¦h¼Æ¤HµL»Ý¥Î¨ìªº¡C³o¸Ì¤£§«©M¨º¨Ç¦³¿³½ìªº
ªB¤Í±´°Q¤@¤U¡R
¦P¤@½d³ò¤ºªº½Æ¦X¦a§}(Multiple Addresses)¤§¿ï¾Ü¡C
¦pªG±z¤w¸g«ü©w¤F¤@¬q IP ¦a§}¡M ¦Ó IP ¦a§}ªº¨Ï¥Î¿ï¾Ü¬O°ò©ó¾÷¾¹©Òª¾³s½u¥Ø
«e³Ì¤Ö¨Ï¥Î¤§ IP¡C¥¦¥i¥H´£¨Ñ³Ìì©lªº¥¿Åt¸ü(load-balancing)¡C
«Ø¥ßªÅ NAT ¬M¹ï
±z¥i¥H¨Ï¥Î `-j ACCEPT' ¥Ø¼Ð¨ÓÅý¤@Ó³s½u³q¹L¡M¦Ó¶¹L NAT ªº³B²z¡C
¼Ð·Çªº NAT ¦æ¬°(Behaviour)
¹w³]ªº¦æ¬°¬O¦b¨Ï¥ÎªÌ¨î©wªº³W«h¨î¤º¡MºÉ¥i¯à¤Öªº§ïÅܳs½u¡C´«¦Ó¨¥¤§¡M«D
¤£±o¤w¤£n«¬M¹ï(remap)°ð¤f¡C
µ´¹ï¨Ó·½°ð¤f¬M¹ï
¦pªG¨ä¥¦³s½u¤w¸g³Q¬M¹ï¨ì·sªº³s½u¡M´Nºâ¹ï©ó¤@ÓµL»Ý NAT ªº³s½u¨Ó»¡¡M¨Ó·½
°ð¤fªºÂà´«¦³®É©Î¬O¥²¶·µ´¹ï¦s¦bªº¡CÅý§ÚÌ°²³]¤@Ó«Ê¥]°°¸Ëªº±¡§Î¡M³o¤w¸g
«D±`´¶¹M¤F¡R
1. ¤@Óºô¶³s½u¥Ñ¤@¥x 192.1.1.1 ªº¾÷¾¹±q port 1024 «Ø¥ß¡Mn³s±µ
¨ìwww.netscape.com port 80¡C
2. ¥¦³Q«Ê¥]°°¸Ë¥D¾÷¥H¨ä¦Û¤vªº IP ¦a§}(1.2.3.4)¶i¦æ°°¸Ë¡C
3. ¸Ó«Ê¥]°°¸Ë¥D¾÷¹Á¸Õ¥Ñ 1.2.3.4 (¥¦ªº¥~³¡¬É±¦a§}) port 1024 ¨Ó°µ¤@Ó
ºô¶³s½u¦Üwww.netscape.com port 80¡C
4. µM«á NAT µ{¦¡§ïÅܲĤGÓ³s½uªº¨Ó·½°ð¤f¬° 1025¡M©Ò¥H³o¨âÓ³s½u¤£¦Ü©ó
¬Û½Ä(clash)¡C
·í³oÓµ´¹ï¨Ó·½¬M¹ï¦s¦b¤§®É¡M°ð¤f³Q©î¤À¬°¤TÓµ¥¯Å¡R
* 512 ¥H¤Uªº°ð¤f
* 512 ¨ì 1023 ¤§¶¡ªº°ð¤f
* 1024 ¥H¤Wªº°ð¤f
¥ô¦ó¤@Ó°ð¤f³£¤£·|³Qµ´¹ï¬M¹ï¨ì¤£¦Pªºµ¥¯Å¥h¡C
·í NAT ¥¢®Ä®É·|«ç¼Ë¡S
¦pªG¨S¦³¿ìªk¦p¥Î¤án¨D¨º¼Ë¿W¤@µL¤G¦a¬M¹ï³s½u¡M¨º»ò³s½u´N·|³Q¾×±¼¡C·í¤@
Ó«Ê¥]¤£¯à°÷¬É©w¬°¥ô¦ó³s½uªº®ÉÔ¡Mµ²ªG¤]¤@¼Ë¡M¦]¬°¥¦Ì¥iºâ¬O·î§Îªº¡M©Î
ªÌ¬O¸Ó¾÷¾¹°O¾ÐÅé¯Ó¥ú¤F¡M½Ñ¦p¦¹Ãþ¡C
½Æ¦X¬M¹ï¡N«Å|¡N©M¬Û½Ä(clash)
±z¥i¥H³]©w NAT ³W«h¦b¦P¤@Ó½d³ò¤§¤W¬M¹ï«Ê¥]¡QNAT µ{¦¡¨¬¥HÁo©úªº¥hÁקK¬Û
½Ä¡C¤ñ¤è»¡¡M¥Î¨â±ø³W«h±N 192.168.1.1 ©M 192.168.1.2 ³o¨âÓ¨Ó·½¦a§}¤À§O
¬M¹ï¨ì 1.2.3.4¡M¬O§¹¥þ¥i¦æªº¡C
¦A¨Ó¡M±z¥i¥H¬M¹ï¨ì¯u¹êªº¡N¤w¥Îªº IP ¦a§}¡M¥un³o¨Ç¦a§}³q¹L³oÓ¬M¹ï¥D¾÷
´N¦æ¡C©Ò¥H¡M¦pªG±zÀò±o¤@Óºô¸ô(1.2.3.0/24)¡M¦ý¦³¤@Ó¤º³¡ºô¸ô¨Ï¥Î³o¨Ç¦a
§}¡M¦Ó¥t¤@ӨϥΨp¦³¦a§} 192.168.1.0/24 ¡M±z´N¥i¥H NAT ¨º¨Ç
192.168.1.0/24 ªº¨Ó·½¦a§}¨ì 1.2.3.0 ºô¸ô¤§¤W¡M¦ÓµL»Ý¾á¤ß¬Û½Ä¡R
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
-j SNAT --to 1.2.3.0/24
³o¦P¼Ë¾A¥Î©ó¨º¨Ç NAT ¥D¾÷¦Û¤v¨Ï¥Îªº¦a§}¡R³o¨ä¹ê´N¬O«Ê¥]°°¸Ë¦p¦ó¤u§@ªº
¤F(¤À¨É°°¸Ë«Ê¥]¦a§}©M¨Ó¦Û¥D¾÷¥»¨«Ê¥]¤§ `¯u¹ê' ¦a§}¡C )
§ó¬ÆªÌ¡M±zÁÙ¥i¥H¬M¹ï¬Û¦Pªº«Ê¥]¨ì³\¦h¤£¦Pªº¥Ø¼Ð(targets)¤W¥h¡M¦Ó¥B¥¦Ì³£
¬O¦@¨Éªº¡C¨Ò¦p¡M¦pªG±z¤£·Q¬M¹ï¥ô¦óªF¦è¨ì 1.2.3.5 ¤W¥h¡M±z¥i¥H³o¼Ë°µ¡R
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
-j SNAT --to 1.2.3.0-1.2.3.4 --to 1.2.3.6-1.2.3.254
§ïÅÜ¥»¾÷²£¥Íªº³s½u¤§¥Øªº¦a
¦pªG¥»¾÷²£¥Íªº«Ê¥]¤§¥Øªº¦a§ïÅܤF(¨Ò¦p¡M¥Î OUTPUT Ãì)¡M¦Ó³o¼Ë·|¾ÉP«Ê¥]
¥Ñ¤£¦Pªº¬É±°e¥X¥h¡M³o¼Ë¨Ó·½¦a§}¤]¸òµÛÅܬ°¨ºÓ¬É±¡CÁ|¨Ò¤l»¡¡M§ïÅܤ@Ó
Àô°j(loopback)«Ê¥]¤§¥Øªº¦a¥Ñ eth0 °e¥X¡M·|Åý¨Ó·½¦a§}¤]¥Ñ 127.0.0.1 Åܦ¨
eth0 ªº¦a§}¡Q¦Ó¤£¹³¨ä¥¦¨Ó·½¦a§}¬M¹ï¨º¼Ë¡M³o¬O¥ß§Y§¹¦¨ªº¡C·íµM¡M©Ò¦³³o¨Ç
¬M¹ï¦b¦^À³«Ê¥]¶i¤J®É¬OÄA˹L¨Óªº¡C
7. ¯S®í¨ó©w
¦³¨Ç¨ó©w¬O¨Ã¤£·Qn°µ NAT ªº¡C¹ï©ó¨C¤@Ó³o¼Ëªº¨ó©w¦Ó¨¥¡M¦³¨âÓ©µ¦ù³]
©w(extension)¬O¥²¶·n¼g²M·¡ªº¡G¤@Ó¬OÃö©ó¨ó©w¤§³s½u°lÂÜ¡M¥t¤@ÓÃö©ó¹ê»Ú
ªº NAT¡C
¦b netfilter µo¦æ®M¥ó¸Ì±¡M¦³¤@¨ÇÃö©ó ftp ªº²{¦æ¼Ò²Õ
¡Rip_conntrack_ftp.o »P ip_nat_ftp.o ¡C¦pªG±z§â³o¨Ç´¡¤J¨ì±zªº®Ö¤ß¸Ì±(
©Î±z¥Ã¤[©Êªº½sĶ¥¦Ì)¡M¨º»òn¦b ftp ³s½u¤W°µ¥ô¦óºØÃþªº NAT ³£¬O¥i¦æªº¡C
¦pªG±z¤£³o¼Ëªº¸Ü¡M¨º±z¥i¥H¨Ï¥Î³Q°Ê¼Ò¦¡ ftp¡M¤£¹L¦pªG±zn°µ¤@¨Ç°Ê§@¬Æ©ó
²³æ Source NAT ªº¸Ü¡M³o´N¥i¯à¤£¨º»ò¥i¾a¤F¡C
8. NAT ªº¤@¨Ç¨î (caveats)
¦pªG¦b¤@Ó³s½u¤W°µ NAT¡M©Ò¦³ Âù¦V (¶Ç¥X©M¶Ç¤J) ªº«Ê¥]¡M³£¥²¶·n³q¹L
NAT ¥D¾÷¤~¦æ¡M§_«h¨Ã¤£¥i¾a¡C¤×¨ä¦b³s½u°lÂܵ{¦¡«²Õ¸H¤ù (fragments)ªº®É
Ô¡M¤]´N¬O»¡¡M¤£¦ý³s½u°lÂÜ·|¤£¥i¯à¡M¦Ó¥B±zªº«Ê¥]®Ú¥»´N¤£¯à³q¹L¡M¦]¬°¸H
¤ù·|³Q¾×¤U¡C
9. Source NAT »P¸ô¥Ñ
¦pªG±zn°µ SNAT¡M±z·|·Qn½T©w¸g¹L SNAT «Ê¥]©Ò¶Çµ¹ªº¥D¾÷·|±N¦^À³°e¦^µ¹
NAT ¥D¾÷¡C¨Ò¦p¡M¦pªG±z¬M¹ï¬Y¨Ç¶Ç¥X«Ê¥]¨ì¨Ó·½¦a§} 1.2.3.4 ¤§¤W¡M¨º»ò¥~³¡
ªº¸ô¥Ñ¾¹´N¥²¶·ª¾¹Dn±N¦^À³«Ê¥](¥Øªº¦a¬° 1.2.3.4 )°e¦^µ¹¸Ó¥D¾÷¡C³o¥i¥H¥Î
¦p¤U¤èªk°µ¨ì¡R
1. ¦pªG±zn¦b¥D¾÷¦Û¤vªº¦a§}(¸ô¥Ñ©M¨ä¥¦©Ò¦³¹B§@¬Ò¥¿±`)¤W±°µ SNAT¡M±zµL
»Ý°µ¥ô¦ó°Ê§@¡C
2. ¦pªG±zn¦b¤@Ó¦b¥»¾÷ºô¸ô¤W©|¥¼¨Ï¥Îªº¦a§}°µ SNAT(¨Ò¦p¡M¬M¹ï¨ì¦b
1.2.3.0/24 ºô¸ô¤Wªº¤@Ó¥i¥Î IP 1.2.3.99)¡M±zªº NAT ¥D¾÷´N»Ýn¦^À³Ãö
©ó¸Ó¦a§}ªº ARP ½Ð¨D¡M¤@¦p¥¦¦Û¤v¥»¨ªº¤@¼Ë¡R³Ì²³æªº¤èªk´N¬O«Ø¥ß IP
alias¡M¨Ò¦p¡R
# ip address add 1.2.3.99 dev eth0
3. ¦pªG±zn¦b¤@Ó§¹¥þ¤£¦Pªº¦a§}¤W°µ SNAT¡M±z´Nn½T©w SNAT «Ê¥]©è¹Fªº¾÷
¾¹¯à°÷¸ô¥Ñ¦^¸Ó NAT ¥D¾÷¡C¦pªG NAT ¥D¾÷¬O¥¦Ìªº¹w³]¹h¹D¾¹ªº¸Ü¡M¬O¥i
¥H°µ¨ìªº¡M§_«h¡M±z´Nn¼s§i(advertize )¤@Ó¸ô¥Ñ(¦pªG¶]¸ô¥Ñ¨ó©wªº¸Ü)
¡M©Î¬O¤â¤uªº¦b¨C¤@¥x°Ñ»P¾÷¾¹¤W¼W¥[¸ô¥Ñ¡C
10. ¦b¦P¤@ºô¸ô¤Wªº Destination NAT
¦pªG±zn°µ portforwarding ¦^¨ì¦P¤@Óºô¸ô¡M±zn½T©w«e¦V©M¦^À³«Ê¥]Âù¤è³£
¸g¹L¸Ó NAT ¥D¾÷(³o¼Ë¥¦Ì¤~¯à³Qקï)¡CNAT µ{¦¡±q²{¦b¶}©l(2.4.0-test6¥H
«á)¡M·|¾×±¼«á±±¡§Î©Ò²£¥Íªº¶Ç¥X ICMP «¾É¦V¡R¨º¨Ç¤w¸g NAT ªº«Ê¥]¥H¥¦©Ò
¶i¤Jªº¬Û¦P¬É±¶Ç¥X¡M¦Ó±µ¦¬ºÝ¦øªA¾¹¤´¹Á¸Õª½±µ¦^À³¨ì«È¤áºÝ(¤£»{¥i¸Ó¦^À³)
¡C
¸g¨åªº±¡§Î¬O¤º³¡¤Hû¹Á¸Õ³s±µ¨ì±zªº `¤½¦³(public)' ºô¯¸¦øªA¾¹¡M¹ê»Ú¤W¬O
±q¤½¦³¦a§}(1.2.3.4) DNAT ¨ì¤@Ó¤º³¡ªº¾÷¾¹(192.168.1.1)¥h¡M´N¹³³o¼Ë¡R
# iptables -t nat -A PREROUTING -d 1.2.3.4 \
-p tcp --dport 80 -j DNAT --to 192.168.1.1
¤@Ó¤èªk¬O¶]¤@¥x¤º³¡ DNS ¦øªA¾¹¡M¥¦ª¾¹D±zªº¤½¦³ºô¯¸ªº¯u¥¿(¤º³¡) IP ¦a§}
¡M¦Ó±N¨ä¥¦½Ð¨DÂà¶Çµ¹¥~³¡ªº DNS ¦øªA¾¹¡C´«¦Ó¨¥¤§¡MÃö©ó±zºô¯¸¦øªA¾¹ªº°O¿ý
·|¥¿½T¦aÅã¥Ü¬°¤º³¡ IP ¦a§}¡C
¦Ó¥t¤@Ó¤èªk¬O¦P®ÉÅý³o¥x NAT ¥D¾÷±N¸Óµ¥³s½u¤§¨Ó·½ IP ¦a§}¬M¹ï¬°¥¦¦Û¤vªº
¦a§}¡M§ÚÌ¥i¥H¹³¦p¤U¨º¼Ë°µ(°²³] NAT ¥D¾÷¤§¤º³¡ IP ¦a§}¬°
192.168.1.250)¡R
# iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 \
-p tcp --dport 80 -j SNAT --to 192.168.1.250
¦]¬° PREROUTING ³W«h¬O³Ì¥ý°õ¦æªº¡M¹ï¤º³¡ºô¯¸¦øªA¾¹¦Ó¨¥¡M«Ê¥]´N¤w¸g³Q©w
¦V¦n¤F¡R§ÚÌ¥i¥H¤º©w¦nþÓ¬°¨Ó·½ IP ¦a§}¡C
11. ·PÁÂ
º¥ý·PÁ¦b§Ú¤u§@´Á¶¡¬Û«H netfilter ªººc·Q¨Ã¤ä«ù§Úªº WatchGuard ©M
David Bonn¡C
¥H¤Î©Ò¦³¨ä¥LÀ°§Ú«ü¥¿ NAT ¤§¤£¨¬ªºªB¤Í¡M¤×¨ä¬O¨º¨ÇŪ¹L§Úªº¤é°Oªº¡C
Rusty.
References
1. http://netfilter.filewatcher.org/
2. http://www.samba.org/netfilter
3. http://netfilter.kernelnotes.org/
4. http://lists.samba.org/
distrib
>
Mandriva
>
2010.0
>
i586
>
media
>
contrib-release
>
by-pkgid
>
f8eb492b80dedd2f6cd33cf45dfc65b6
>
files
>
43
