nftables source address translation (SNAT)


Source address translation (SNAT)

SNAT (Source Network Address Translation) is a network address translation technique that rewrites the source IP address of packets as they leave the host.

A simple SNAT setup

Goal: use SNAT so that a single machine reaches Baidu from several different IP addresses.

This walkthrough uses Ubuntu 24.10.

First check the current gateway. The default gateway is 172.30.128.1 and the on-link route covers 172.30.128.0/20:

```
root@root:~# ip route show
default via 172.30.128.1 dev eth0 proto dhcp src 172.30.136.11 metric 100
172.30.128.0/20 dev eth0 proto kernel scope link src 172.30.136.11 metric 100
172.30.128.1 dev eth0 proto dhcp scope link src 172.30.136.11 metric 100
```

Pick two addresses inside that routed range and add them to Ubuntu by editing /etc/netplan/50-cloud-init.yaml as follows:

```yaml
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: true
      addresses:
        - 172.30.132.100/24
        - 172.30.134.100/24
```

Apply the configuration with the command below. Be aware that this can change the original DHCP-assigned address, which will drop an existing SSH session.

```
netplan apply
```

eth0 now carries the two extra addresses (and, as warned above, the DHCP address did change, from 172.30.136.11 to 172.30.128.6):

```
root@root:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:01:03:02 brd ff:ff:ff:ff:ff:ff
    inet 172.30.132.100/24 brd 172.30.132.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 172.30.134.100/24 brd 172.30.134.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 172.30.128.6/20 metric 100 brd 172.30.143.255 scope global dynamic eth0
       valid_lft 86146sec preferred_lft 86146sec
    inet6 fe80::215:5dff:fe01:302/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
```

Resolve Baidu's domain name with nslookup:

```
root@root:~# nslookup www.baidu.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   www.baidu.com
Address: 183.2.172.185
Name:   www.baidu.com
Address: 183.2.172.42
www.baidu.com   canonical name = www.a.shifen.com.
Name:   www.a.shifen.com
Address: 240e:ff:e020:9ae:0:ff:b014:8e8b
Name:   www.a.shifen.com
Address: 240e:ff:e020:966:0:ff:b042:f296
root@root:~#
```

Based on the resolved addresses, 183.2.172.0/24 can be used to match traffic to Baidu, and the source address of that traffic is rewritten in a nat postrouting chain:

```
table inet filter {
    chain POSTROUTING {
        # accept everything by default
        type nat hook postrouting priority 100; policy accept;
        # match on destination address, rewrite the source address
        ip daddr 183.2.172.0/24 snat ip to 172.30.134.100
    }
}
```

Capturing with tcpdump shows that the source address has been rewritten to 172.30.134.100:

```
root@root:~# tcpdump -i any host www.baidu.com -n
tcpdump: WARNING: any: That device doesn't support promiscuous mode
(Promiscuous mode not supported on the "any" device)
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length  bytes
14:20:39.021516 eth0  Out IP 172.30.134.100.44624 > 183.2.172.42.80: Flags [S], seq , win 64240, options [mss 1460,sackOK,TS val  ecr 0,nop,wscale 6], length 0
14:20:39.035404 eth0  In  IP 183.2.172.42.80 > 172.30.134.100.44624: Flags [S.], seq , ack , win 8192, options [mss 1452,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
14:20:39.035470 eth0  Out IP 172.30.134.100.44624 > 183.2.172.42.80: Flags [.], ack 1, win 1004, length 0
14:20:39.035545 eth0  Out IP 172.30.134.100.44624 > 183.2.172.42.80: Flags [P.], seq 1:77, ack 1, win 1004, length 76: HTTP: GET / HTTP/1.1
14:20:39.046885 eth0  In  IP 183.2.172.42.80 > 172.30.134.100.44624: Flags [.], ack 77, win 2452, length 0
14:20:39.047740 eth0  In  IP 183.2.172.42.80 > 172.30.134.100.44624: Flags [P.], seq 1:2782, ack 77, win 2452, length 2781: HTTP: HTTP/1.1 200 OK
14:20:39.047784 eth0  Out IP 172.30.134.100.44624 > 183.2.172.42.80: Flags [.], ack 2782, win 1089, length 0
14:20:39.047977 eth0  Out IP 172.30.134.100.44624 > 183.2.172.42.80: Flags [F.], seq 77, ack 2782, win 1089, length 0
14:20:39.052124 eth0  In  IP 183.2.172.42.80 > 172.30.134.100.44624: Flags [P.], seq 1453:2782, ack 77, win 2452, length 1329: HTTP
14:20:39.052183 eth0  Out IP 172.30.134.100.44624 > 183.2.172.42.80: Flags [.], ack 2782, win 1089, options [nop,nop,sack 1 {1453:2782}], length 0
```

The rule above can be improved by spreading the rewritten source address over both addresses (load balancing). numgen inc produces 0, 1, 0, 1, ... in sequence, and the map turns each value into a source address:

```
table inet filter {
    chain POSTROUTING {
        # accept everything by default
        type nat hook postrouting priority 100; policy accept;
        # generate 0,1 in sequence and map each value to a source address
        # (the ip keyword selects IPv4 NAT inside the inet table)
        ip daddr 183.2.172.0/24 snat ip to numgen inc mod 2 map { 0 : 172.30.132.100, 1 : 172.30.134.100 }
    }
}
```

Alternatively, numgen random picks 0 or 1 at random for each new connection and maps it to a source address:

```
table inet filter {
    chain POSTROUTING {
        # accept everything by default
        type nat hook postrouting priority 100; policy accept;
        # generate 0,1 at random and map each value to a source address
        ip daddr 183.2.172.0/24 snat ip to numgen random mod 2 map { 0 : 172.30.132.100, 1 : 172.30.134.100 }
    }
}
```

Balancing the source address this way lets the host sustain millions of concurrent connections. The reason is that each (source IP, destination IP, destination port) combination has at most about 64k source ports available (fewer with the default ephemeral port range), so every additional source address adds roughly another 64k possible concurrent connections to the same destination.
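The two numgen rules above are the N = 2 case of a general pattern. As an added example that is not part of the original article, the shell functions below generate the same rule for any number of source addresses and wrap it in a loadable ruleset; the function names and argument order (mode, destination prefix, then the source IPs) are assumptions of this example.

```shell
# Added example: generate the "snat ip to numgen MODE mod N map { ... }"
# rule for N source addresses, generalising the article's mod 2 rule.
# Assumptions: MODE is "inc" (round robin) or "random"; the destination
# prefix and one or more IPv4 source addresses follow as arguments.

# build_snat_rule MODE DST_PREFIX IP...  -> prints a single nft rule
build_snat_rule() {
    if [ $# -lt 3 ]; then
        echo "usage: build_snat_rule MODE DST_PREFIX IP..." >&2
        return 1
    fi
    mode=$1; dst=$2; shift 2
    n=$#
    if [ "$n" -eq 1 ]; then
        # a single address needs no numgen map at all
        printf 'ip daddr %s snat ip to %s\n' "$dst" "$1"
        return 0
    fi
    map=""; i=0
    for ip in "$@"; do
        [ -n "$map" ] && map="$map, "
        map="$map$i : $ip"
        i=$((i + 1))
    done
    # "mod N" keeps the generated index inside the map's key range 0..N-1
    printf 'ip daddr %s snat ip to numgen %s mod %d map { %s }\n' \
        "$dst" "$mode" "$n" "$map"
}

# build_snat_ruleset MODE DST_PREFIX IP... -> prints a complete nft ruleset
build_snat_ruleset() {
    rule=$(build_snat_rule "$@") || return 1
    printf 'table inet filter {\n'
    printf '    chain POSTROUTING {\n'
    printf '        type nat hook postrouting priority 100; policy accept;\n'
    printf '        %s\n' "$rule"
    printf '    }\n'
    printf '}\n'
}

# check_ruleset RULESET -> syntax-check with nft's dry-run flag (-c) without
# loading anything; skipped (returns 0) when nft is not installed
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 0
    printf '%s\n' "$1" | nft -c -f -
}
```

Feed the output of build_snat_ruleset to `nft -f -` to load it; check_ruleset runs the same parse in dry-run mode first so a typo in an address list is caught before any NAT rule is installed.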
