Masquerading and SNAT (Source NAT) are closely related concepts. Both describe a NAT device rewriting the source IP address of the outgoing packets that match a rule. With SNAT, the NAT device changes the source address of the packet to a predefined IP address; usually the NAT device's own IP address is used.
To see how SNAT works, consider the network configuration below.
                        (SNAT configured here)
                          +-----------+
            IP: FWEXT     | eth0 eth1 |     IP: FWINT
   ----------------------/|           |\----------------------
   External network       | Firewall  |       Local network
        |                 +-----------+             |
   +----+-----+                               +-----+----+
   |   Web    |                               |  Local   |
   |  server  |                               |   PC     |
   +----------+                               +----------+
   IP: EXTWEB                                 192.168.1.1
                                              GW: FWINT
If SNAT is not configured on the firewall in the configuration above, the local PC cannot connect to the external web server: the local PC's IP is a private address, and private addresses are not routable on the Internet. With SNAT configured on the firewall, the story is different. Let's look at how SNAT lets the local PC connect to the external web server.
The local PC sends a packet to connect to the external web server. The packet's source IP is 192.168.1.1 and its destination IP is EXTWEB. Because the local PC's default gateway is FWINT, the packet is forwarded to the firewall. The firewall runs its normal routing process and passes the packet to the external interface. As you can see from the configuration, SNAT is set on the firewall's external interface, so just before the packet leaves the external interface its source IP is changed to the firewall's external IP (FWEXT). (Note that SNAT happens after routing.) The packet is then delivered to the web server. When the web server receives it and sends a response, the destination IP of that response is FWEXT, because from the web server's point of view the packet came from FWEXT. The response packet arrives at the firewall. The firewall looks at the source IP, source port and destination port, recognises that this packet is the response to a packet it SNATed, and changes the destination IP from FWEXT back to 192.168.1.1 (this process is called de-SNAT). It then routes the packet and finally forwards it to the local PC. In this way, communication between the local PC and the external web server becomes possible.
Implemented with iptables, the rule is as follows:
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source FWEXT
DNAT is the opposite concept. As its name implies, DNAT changes the destination IP address of packets arriving at the NAT device. It is usually used when you have a server on the local LAN and do not want to expose the server's real IP to the outside, or for load balancing. Let's look at it through an example similar to the one above. The network configuration used in the description is as follows.
                          +-----------+
            IP: FWEXT     | eth0 eth1 |     IP: FWINT
   ----------------------/|           |\----------------------
   External network       | Firewall  |       Local network
        |                 |  (DNAT    |             |
        |                 |configured)|             |
   +----+-----+           +-----------+       +-----+----+
   | External |                               |  Local   |
   |  client  |                               |web server|
   +----------+                               +----------+
   IP: EXTCLI                                 192.168.1.1
                                              GW: FWINT
As you can see in the figure, the actual address of the web server is 192.168.1.1. External clients cannot communicate with this IP, because it is a private IP and no routing rule on the Internet leads to it. Therefore the web server must appear to the outside as though it were using a public IP. For this purpose, the web server's name is published with the address FWEXT, so an external client that wants to connect to the web server ends up sending packets to FWEXT:80. The firewall receives the packet. After deciding whether to accept it, the firewall applies DNAT and changes the packet's destination IP address to 192.168.1.1. In the routing process that follows, the packet is routed out of the firewall's internal interface and delivered to the web server (DNAT is done before routing). Now, what happens when the web server sends a response? The web server sends the response to the external client (EXTCLI). Because the web server's default gateway is FWINT, the response passes through the firewall. The firewall checks the received packet's information, such as the destination address and destination port, learns that it is the response to a packet it DNATed, and changes the packet's source IP to its own IP (FWEXT) (this is called de-DNAT). The packet is then passed to the client through eth0.
With iptables, this is expressed as follows:
iptables -t nat -A PREROUTING --dst 1.2.3.4 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1
If you want to load-balance across ten local web servers, 192.168.1.1 to 192.168.1.10, change the rule above as follows:
iptables -t nat -A PREROUTING --dst 1.2.3.4 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10
This makes round-robin load balancing possible: the traffic from the first client is forwarded to 192.168.1.1, the traffic from the second client to 192.168.1.2, the traffic from the tenth client to 192.168.1.10, and the traffic from the eleventh client to 192.168.1.1 again.
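The following is an added example, not code from the original post, that models both halves of the discussion above in one place: the SNAT/de-SNAT path for the local PC and the DNAT/de-DNAT path (with a round-robin pool) for the published web server. It simulates the order the text describes, DNAT in PREROUTING, then the routing decision, then SNAT in POSTROUTING, with a small connection-tracking table so that reply packets are translated back without consulting the rules again. The addresses FWEXT, FWINT, EXTWEB and EXTCLI are constructed stand-ins from the documentation ranges; the class name NatFirewall, the "eth1 for 192.168.1.0/24, eth0 for everything else" routing table and the source-port reallocation on collision are assumptions of this example, not part of the page.

```python
from dataclasses import dataclass, replace
from itertools import cycle

# Constructed stand-ins for the page's placeholders (documentation address ranges).
FWEXT = "203.0.113.1"     # firewall external address on eth0
FWINT = "192.168.1.254"   # firewall internal address on eth1 (the LAN's default gateway)
EXTWEB = "198.51.100.10"  # external web server reached from the LAN
EXTCLI = "198.51.100.20"  # external client reaching the published web server


@dataclass(frozen=True)
class Packet:
    """Only the fields NAT acts on: the TCP 4-tuple."""
    src: str
    sport: int
    dst: str
    dport: int


def tuple_of(p):
    return (p.src, p.sport, p.dst, p.dport)


class NatFirewall:
    """Model of the page's firewall (hypothetical helper, not a real API):
    DNAT in PREROUTING, then routing, then SNAT in POSTROUTING, plus a
    connection-tracking table so replies get de-SNAT / de-DNAT applied."""

    def __init__(self, ext_ip, ext_iface="eth0", dnat_backends=()):
        self.ext_ip = ext_ip
        self.ext_iface = ext_iface
        # round-robin pool for 'DNAT --to-destination a-b'; empty tuple disables the DNAT rule
        self._backends = cycle(dnat_backends) if dnat_backends else None
        self._orig = {}    # original-direction 4-tuple -> (translated packet, egress iface)
        self._reply = {}   # reply-direction 4-tuple    -> (un-translated packet, egress iface)
        self._next_port = 1024

    def _route(self, dst):
        """Assumed routing table: the LAN prefix goes out eth1, everything else out eth0."""
        return "eth1" if dst.startswith("192.168.1.") else self.ext_iface

    def process(self, pkt, in_iface):
        """Return (packet as it leaves the firewall, egress interface)."""
        key = tuple_of(pkt)
        if key in self._reply:   # reply to a tracked connection: undo the translation
            return self._reply[key]
        if key in self._orig:    # later packet of a tracked connection: reuse its translation
            return self._orig[key]
        original = pkt
        # PREROUTING: --dst FWEXT -p tcp --dport 80 -j DNAT --to-destination <pool>
        # (the page's rule has no -i match; restricting it to eth0 here is an assumption)
        if self._backends and in_iface == self.ext_iface \
                and pkt.dst == self.ext_ip and pkt.dport == 80:
            pkt = replace(pkt, dst=next(self._backends))
        out_iface = self._route(pkt.dst)   # routing runs after DNAT and before SNAT
        # POSTROUTING: -p tcp -o eth0 -j SNAT --to-source FWEXT
        if out_iface == self.ext_iface:
            sport = pkt.sport
            while (pkt.dst, pkt.dport, self.ext_ip, sport) in self._reply:
                sport = self._next_port    # two LAN hosts reuse a source port: pick a free one
                self._next_port += 1
            pkt = replace(pkt, src=self.ext_ip, sport=sport)
        # record both directions so replies and further packets are handled consistently
        self._orig[key] = (pkt, out_iface)
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        untranslated = Packet(original.dst, original.dport, original.src, original.sport)
        self._reply[reply_key] = (untranslated, self._route(untranslated.dst))
        return pkt, out_iface


def demo_snat():
    """Local PC -> EXTWEB:80 and the reply coming back (SNAT, then de-SNAT)."""
    fw = NatFirewall(FWEXT)
    out, out_iface = fw.process(Packet("192.168.1.1", 40000, EXTWEB, 80), "eth1")
    reply, reply_iface = fw.process(Packet(EXTWEB, 80, FWEXT, 40000), "eth0")
    return out, out_iface, reply, reply_iface


def demo_dnat_roundtrip():
    """EXTCLI -> FWEXT:80 and the web server's reply (DNAT, then de-DNAT)."""
    fw = NatFirewall(FWEXT, dnat_backends=["192.168.1.1"])
    fwd, fwd_iface = fw.process(Packet(EXTCLI, 50000, FWEXT, 80), "eth0")
    reply, reply_iface = fw.process(Packet(fwd.dst, 80, EXTCLI, 50000), "eth1")
    return fwd, fwd_iface, reply, reply_iface


def demo_round_robin(n_clients=11):
    """Backend chosen for each of n_clients new connections to FWEXT:80 over a ten-server pool."""
    pool = [f"192.168.1.{i}" for i in range(1, 11)]
    fw = NatFirewall(FWEXT, dnat_backends=pool)
    return [fw.process(Packet(EXTCLI, 50000 + i, FWEXT, 80), "eth0")[0].dst
            for i in range(n_clients)]


def demo_port_collision():
    """Two LAN hosts using the same source port to the same server get distinct public ports."""
    fw = NatFirewall(FWEXT)
    a, _ = fw.process(Packet("192.168.1.1", 40000, EXTWEB, 80), "eth1")
    b, _ = fw.process(Packet("192.168.1.2", 40000, EXTWEB, 80), "eth1")
    return a.sport, b.sport


if __name__ == "__main__":
    print(demo_snat())
    print(demo_dnat_roundtrip())
    print(demo_round_robin())
    print(demo_port_collision())
```

The connection-tracking table is the part the prose only hints at: the firewall can only "learn that this is a response packet" because it remembered, when it translated the first packet, which reply tuple to expect and what to rewrite it to. The port-collision branch shows why SNAT sometimes has to change the source port as well as the source address: with two LAN hosts behind one public IP, the reply tuple would otherwise be ambiguous.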