5.4. Stateless NAT and Packet Filtering

最新推荐文章于 2022-02-15 09:40:01 发布
最新推荐文章于 2022-02-15 09:40:01 发布
阅读量796 收藏
点赞数
分类专栏: 转《Guide To IP Layer Network Administration With Linux Version 0.4.4》 文章标签: input output tcp transformation service each

5.4. Stateless NAT and Packet Filtering

Because NAT rewrites the packet as it passes through the IP stack, packet filtering can become complex. With attentiveness to the addressing of the packet at each stage in its journey through the packet filtering code, you can ease the burden of writing a packet filter.

All of the below requirements can be deduced from an understanding of NAT and the path a packet takes through the kernel. Consult also the ipchains packet path as illustrated in the ipchains HOWTO to understand the packet path when using ipchains. Keep in mind when viewing the ASCII diagram that stateless NAT will always occur in the routing stage. Also consult the kernel packet traveling diagram for a good picture of a 2.4 kernel packet path.

Table 5.1, “Filtering an iproute2 NAT packet with ipchains” identifies the IP addresses on a packet traversing each of the input, forward and output chains in an ipchains installation.

Table 5.1. Filtering an iproute2 NAT packet with ipchains

Inbound to the NAT IP
ChainSource IPDestination IP
input64.70.12.210205.254.211.17
Routing Stage
forward64.70.12.210192.168.100.17
output64.70.12.210192.168.100.17
Outbound from the real IP
ChainSource IPDestination IP
input192.168.100.1764.70.12.210
Routing Stage
forward205.254.211.1764.70.12.210
output205.254.211.1764.70.12.210

A firewall implementing a tight policy (deny all, selectively allow) will require a large number of individual rules to allow the NAT packets to traverse the firewall packet filter. Assuming the configuration detailed in Example 5.1, “ Stateless NAT Packet Capture ”, the following set of chains is required and will restrict access to only port 25 [33].

Example 5.4. Using an ipchains packet filter with stateless NAT

[root@masq-gw]# ipchains -I input  -i eth1 -p tcp -l -y -s 0/0 1024:65535    -d 205.254.211.17 25 -j ACCEPT
[root@masq-gw]# ipchains -I input  -i eth1 -p tcp  ! -y -s 0/0 1024:65535    -d 205.254.211.17 25 -j ACCEPT
[root@masq-gw]# ipchains -I forward        -p tcp       -s 0/0 1024:65535    -d 192.168.100.17 25 -j ACCEPT
[root@masq-gw]# ipchains -I output -i eth0 -p tcp       -s 0/0 1024:65535    -d 192.168.100.17 25 -j ACCEPT
[root@masq-gw]# ipchains -I input  -i eth0 -p tcp  ! -y -s 192.168.100.17 25 -d 0/0 1024:65535    -j ACCEPT
[root@masq-gw]# ipchains -I forward        -p tcp       -s 205.254.211.17 25 -d 0/0 1024:65535    -j ACCEPT
[root@masq-gw]# ipchains -I output -i eth1 -p tcp       -s 205.254.211.17 25 -d 0/0 1024:65535    -j ACCEPT
[root@masq-gw]# for icmptype in /
> destination-unreachable source-quench time-exceeded parameter-problem; do
> ipchains -I input  -i eth1 -p icmp -s 0/0 $icmptype            -d 205.254.211.17 -j ACCEPT
> ipchains -I forward        -p icmp -s 0/0 $icmptype            -d 192.168.100.17 -j ACCEPT
> ipchains -I output -i eth0 -p icmp -s 0/0 $icmptype            -d 192.168.100.17 -j ACCEPT
> ipchains -I input  -i eth0 -p icmp -s 192.168.100.17 $icmptype -d 0/0            -j ACCEPT
> ipchains -I forward        -p icmp -s 205.254.211.17 $icmptype -d 0/0            -j ACCEPT
> ipchains -I output -i eth1 -p icmp -s 205.254.211.17 $icmptype -d 0/0            -j ACCEPT
> done

Please note that the formatting of the commands is simply for display purposes, and to allow for easier reading of a complex set of commands. The above set of rules is 31 individual chains. This is most certainly a complex set of rules. For further details on how to use ipchains please see the ipchains HOWTO. The salient detail you should notice from the above set of rules is the difference between the IPs used in the input and forward chains. Since packets are rewritten by the stateless NAT code in the routing stage, the transformation of the packet will by complete before the forward chain is traversed.

The first two lines cover all inbound TCP packets, the first line as a special case of the second, indicating (-l) that we want to log the packet. After successfully traversing the input chain, the packet is routed, at which point the destination address of the packet has changed. Now, we need to forward the packet from the public source address to the private (or real) internal IP address. Finally, we need to allow the packet out on the internal interface.

The next set of rules handles all of the TCP return packets. On the input rule, we are careful to match only non-SYN packets from our internal server bound for the world. Once again, the packet is rewritten during the routing stage. Now in the forward chain, the packet's source IP is the public IP of the service. Finally, we need to let the packet out on our external interface.

The next series of lines are required ICMP rules to prevent network traffic from breaking terribly. These types of ICMP, particularly destination unreachable (ICMP 3) and source quench (ICMP 4) help to ensure that TCP sessions run with optimized characteristics.

These rules are the minimum set of ipchains rules needed to support a NAT'd TCP service. This concludes our discussion of publishing a service to the world with iproute2 based NAT and protecting the service with ipchains. As you can see, the complexity of supporting NAT with iproute2 can be substantial, which is why we'll examine the benefits of inbound NAT (DNAT) with netfilter in the next section.


[33] I assume here that the user has a restrictive default policy on the firewalling device. I suggest a policy of DENY on each of the built in ipchains chains.

chinasiyu
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
一个iptables的stateless NAT模块实现
12-27
如果你在寻找Linux上配置诸如Cisco设备上的static双向NAT的方法,这个或许就是你想要的; what?你觉得它完不成PAT?是的,它不行。但是想做PAT为何不使用现有的iptables实现呢?它可以自动为你解决元组唯一性问题...
DMZ
weixin_30922589的博客
08-11 240
  DMZ是英文“demilitarized zone”的缩写,中文名称为“隔离区”,也称“非军事化区”。它是为了解决安装防火墙后外部网络的访问用户不能访问内部网络服务器的问题,而设立的一个非安全系统与安全系统之间的缓冲区。该缓冲区位于企业内部网络和外部网络之间的小网络区域内。在这个小网络区域内可以放置一些必须公开的服务器设施,如企业Web服务器、FTP服务器和论坛等。另一方面,通过这样一个DMZ...
【AWS云从业者基础知识笔记】——模块4:网络
abcgkj的博客
02-15 1618
01介绍 学习目标: 描述网络的基本概念。 描述公网络和私网的区别。 请使用真实场景解释虚拟专用网关。 用一个真实的场景来解释一个虚拟专用网(VPN)。 描述AWS直接连接的好处。 描述混合部署的好处。 描述IT策略中使用的安全层。 描述客户用于与AWS全球网络交互的服务。 02连接到AWS Amazon Virtual Private Cloud (Amazon VPC) 想象一下使用AWS服务的数百万客户。另外,想象一下这些客户已经创建了数百万个资源,比如Amazon EC2实例。如果所有这些资源没
NAT功能与分类
yazhouren的专栏
05-17 1870
NAT的分类,比较早的有STUN(RFC3489)定义的四种类型: Full Cone: A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Fur
又一个Linux的双向stateless NAT
互联网
05-30 333
如果看一下iproute2的help,就会发现在route section中有一个nat action,其中via的参数给出了转换的地址。具体的配置就不说了,只提出两点,第一,iproute2的stateless nat需要policy routing的参与,第二,它在2.6内核中被去除了;具体信息可以参见文档。在2.6内核中,内核协议栈将一切的扩展都留给了Netfilter来实现,自己只实现标准...
防火墙类型总结
热门推荐
网络知识精读
10-04 1万+
PS:本文虽然标注是原创,不过基本都是对书本内容的整理摘录,所以不能完全算是原创,仅仅是笔者作为一个知识笔记。 这里是总结了《CCNP Security FIREWALL 642-618 Official Cert Guide》该书中的列举,在此除了参考该书,也参考了《Network Secuity Principles andPractices》,以及《CCNA SecurityO
com.googlecode.stateless4j-osgi-1.0.jar
03-03
jar包,官方版本,自测可用
Be.Stateless.Stream:用于通用.NET开发的流类库
02-09
无状态流 用于通用.NET开发的流类库。 NuGet软件包
com.googlecode.stateless4j-osgi-1.0.1.jar
03-03
jar包,官方版本,自测可用
Be.Stateless.BizTalk.Pipeline.MicroComponents:BizTalk.Factory的微型管道的微型组件,用于通用BizTalk Server开发
03-20
Be.Stateless.BizTalk.Pipeline.MicroComponents BizTalk.Factory的微型管道的微型组件,用于通用BizTalk Server开发。 NuGet软件包 部署方式 该组件是BizTalk.Factory运行时的一部分,没有BizTalkMgmtDb占用空间...
四川大学计算机网络课件,[工学]四川大学计算机网络课件.ppt
weixin_33677704的博客
06-23 103
[工学]四川大学计算机网络课件* * * * * * * * * * * * Policy Firewall Setting No outside Web access. Drop all outgoing packets to any IP address, port 80 No incoming TCP connections, except those for institution’s ...
Linux Stateless无状态NAT-使用TC来配置
系统运维
02-13 362
如果想在Linux上配置NAT,那么大家众所一言的就是使用iptables的NAT表来配置,iptables提供了灵活丰富的配置来配置SNAT和DNAT,然而我们知道iptables的NAT依赖了ip_conntrack,也就是说,凡是一个命中了NAT表规则的流就会有一条连接追踪生成,由于ip_conntrack追踪了所有的数据包,因此当有大量连接经过了本地设备时,ip_conntrack空间将被...
在Linux上实现一个可用的stateless双向静态NAT模块
Netfilter
12-20 8777
关于Linux上如何配置NAT的资料已经不少,可谓铺天盖地!本文与此无关。本文提供一种iptables之外的方式。iptables?不!why?因为iptables配置的NATstateful的,它的实现依赖一个叫做conntrack的模块,什么是conntrack?Oh,NO!这可是我的专长,但我不想在本文中说它,认识我的人都知道,我扯这个话题我能扯上12个小时...都还扯不完。也许你不知道什
NATFILTER所在的链 帮助记忆
记录成长学习点滴
10-08 707
NAT:prerouting/output/postrouting   FILTERinput/forward/output DNAT:prerouting SNAT:postrouting  SNAToutput
(4)配置防火墙filternat转发(转载)
hustsselbj的专栏
05-20 3754
如果用树莓派当作路由器转发有线和无线网络,则需要对iptables进行相关配置。配置NAT转发的话,MASQUERADE一条规则是关键。 iptables共3个tables(filter nat mangle,现在貌似是4个表)5条chains(PREROUTING INPUT FORWARDING OUTPUT POSTROUTING)4个连接跟踪数据包状态(NEW INVALID EST
CAN201 网络编程 笔记
sanmusen_wu的博客
09-07 4468
can201复习
netfilter&firewalld防火墙学习路线
林隐的专栏
11-29 1120
netfilter&firewalld iptables 学习路线netfilterfirewallediptablesiptables详解iptables命令格式 iptables过滤条件 包过滤防火墙工作原理技术原理Netfilter是Linux 2.4.x引入的一个子系统,它作为一个通用的、抽象的框架,提供一整套的hook函数的管理机制,使得诸如数据包过滤、网络地址转换(NAT)和基于协议
Nat类型检测
skylark的总结
11-02 4862
Determining NAT Mapping Behavior This will require at most three tests. In test I, the client performs the UDP connectivity test. The server will return its alternate address and port in
NAT Addressing and Port Mapping and Filter Behavior
wutong_login的专栏
04-30 1732
NAT Addressing and Port Mapping and Filter Behavior (2013-07-13 15:46:13) 转载▼ 标签: 杂谈 分类: 笔记 1.NAT Addressing and Port Mapping 1.    Endpoint-Independent Mapping
return tf.random.stateless_uniform( tensorflow.python.framework.errors_impl.ResourceExhaustedError: {{function_node __wrapped__AddV2_device_/job:localhost/replica:0/task:0/device:GPU:0}} failed to allocate memory [Op:AddV2]
最新发布
06-10
这个错误是 TensorFlow 运行时发出的,表示在执行 `tf.random.stateless_uniform` 操作时出现了内存不足的情况。具体来说,是因为显存不足导致 TensorFlow 无法分配内存,从而报告了这个错误。可能是因为模型太大...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值