No more blind guessing, experts please advise! Understanding the five iptables chains

Time:09-16

Here is the requirement: a local application needs to reach a back-end service (2.2.2.2) through a local proxy (1.1.1.1). The application has to be configured with the service address directly, but the local network cannot reach the service directly. So the idea was to use iptables to DNAT the outgoing packets: the application keeps connecting to 2.2.2.2, and the destination address of the request is rewritten to 1.1.1.1 so the traffic goes through the proxy. The working setup comes first, then the mistakes made along the way and some thinking behind them. (All of the following operations are done on the node running the local application.)

A Baidu search for a phrase like "iptables change packet destination address" turns up the answer:
iptables -t nat -A OUTPUT -d 2.2.2.2 -j DNAT --to-destination 1.1.1.1
(Solved; it is that simple.)


Here is the mistake:
iptables -t nat -A PREROUTING -d 2.2.2.2 -j DNAT --to-destination 1.1.1.1
iptables -t nat -A POSTROUTING -s 1.1.1.1 -j SNAT --to-source 2.2.2.2
This is wrong. The idea is right, the operation is wrong. First, the intent: the first rule is meant to rewrite the destination address of packets sent to 2.2.2.2 to 1.1.1.1, so the request goes through the 1.1.1.1 proxy to the back-end service at 2.2.2.2. The second rule is meant to SNAT the response packets coming back from 1.1.1.1, changing their source address to 2.2.2.2, so that the request and response addresses stay consistent and the TCP session stays intact; if the request and response addresses do not match, no complete session can be established.
The idea is fine, but it did not have the desired effect. Pinging 2.2.2.2 locally while capturing with tcpdump in a second shell, the packets never show up.
Comparing this with the correct command for rewriting the destination of the request, the rule was added to the wrong chain: it belongs in the OUTPUT chain, not the PREROUTING chain. That led me to the figure below (from a Jianshu article, https://www.jianshu.com/p/e6360c2ac19d).
To review where each chain sits and what it acts on:
PREROUTING: packets arriving on a NIC, before the routing decision.
INPUT: packets that the routing decision found to be addressed to this host, on their way to local processes.
OUTPUT: packets generated by this host, on their way out.
FORWARD: packets that the routing decision found not to be addressed to this host and that are being forwarded elsewhere.
POSTROUTING: outgoing packets, just before they leave through the NIC.


Combining the experts' explanation with the setbacks I ran into, my understanding (or guess) is this: the POSTROUTING chain only handles packets that are about to leave through the NIC, so it can only hold SNAT rules, not DNAT rules; the PREROUTING chain is the other way round: it only sees packets that have just arrived from the NIC, before routing, so it can only hold DNAT rules. This matches how iptables actually behaves: the DNAT target is accepted only in the PREROUTING and OUTPUT chains of the nat table, and SNAT only in POSTROUTING and INPUT, because the destination must be rewritten before the routing decision and the source after it. So I tried it:

A request packet generated in user space travels: user space -> (routing decision) -> OUTPUT -> (re-routing, if the nat table changed the destination) -> POSTROUTING -> NIC
A response packet from the server travels: NIC -> PREROUTING -> (routing decision) -> INPUT -> user space


What I need is DNAT on the request. Since POSTROUTING cannot hold DNAT rules, the only place left on the outgoing path is the OUTPUT chain, which matches the Baidu result. That covers the DNAT requirement for the request packets.
That leaves the extra requirement I thought I had: SNAT on the response packets. I call it extra because it really is unnecessary. But don't the request and response addresses have to stay consistent for the TCP session to be complete? I thought about this for a long time. Look at the figure again: after the DNAT in the OUTPUT chain the packet is routed again and handed to POSTROUTING to leave through the NIC. Routing works at the IP layer, and so does the OUTPUT chain: it operates on IP packets, after TCP has handed down its segment, so the TCP socket in the application still believes its peer is 2.2.2.2 while the packet on the wire is addressed to 1.1.1.1. The reason no SNAT rule is needed is connection tracking: the nat table is consulted only for the first packet of a connection, netfilter stores the resulting mapping in the conntrack entry, and every reply packet that matches that entry is translated back automatically (source 1.1.1.1 rewritten to 2.2.2.2) before it reaches the socket. The second rule above was trying to do by hand what conntrack already does for the reverse direction.
In fact I tested the DNAT with ping and by accessing the back-end service with curl; both work normally. Beyond that I can only guess, so if any of these guesses are wrong, experts please correct me.
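To make the chain positions above and the conntrack point concrete, here is an added example (not part of the original post and not iptables code): a small Python model of the nat table hooks. It encodes the chain order for locally generated and inbound packets, the restriction that DNAT is only valid in PREROUTING/OUTPUT and SNAT only in POSTROUTING/INPUT, and the conntrack reverse translation that replaces the hand-written SNAT rule. The addresses 1.1.1.1, 2.2.2.2 and the local 10.0.0.5 follow the post; 9.9.9.9 is a constructed remote client used only to show that the PREROUTING rule does work for traffic arriving from the NIC.

```python
"""Simplified model of the netfilter nat table and conntrack reverse NAT.
Added example for this post; it is not iptables code and only models the nat
table: the first packet of a flow hits the rules, replies are reversed by
conntrack without consulting any rule. Addresses are assumed values."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Chains where each nat target is accepted (iptables enforces the same thing:
# DNAT must run before the routing decision, SNAT after it).
VALID_CHAINS = {"DNAT": {"PREROUTING", "OUTPUT"}, "SNAT": {"POSTROUTING", "INPUT"}}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str                        # "DNAT" or "SNAT"
    to: str                            # --to-destination / --to-source
    match_dst: Optional[str] = None    # -d
    match_src: Optional[str] = None    # -s


class NatTable:
    def __init__(self, local_ip: str) -> None:
        self.local_ip = local_ip
        self.rules: List[Rule] = []
        # conntrack entry: (original src, original dst) -> (src, dst) on the wire
        self.conntrack: Dict[Tuple[str, str], Tuple[str, str]] = {}

    def add_rule(self, rule: Rule) -> None:
        if rule.chain not in VALID_CHAINS[rule.target]:
            raise ValueError(f"{rule.target} is not valid in chain {rule.chain}")
        self.rules.append(rule)

    def _chain(self, chain: str, pkt: Packet) -> Packet:
        """Apply the first matching rule of one chain (first match wins)."""
        for r in self.rules:
            if r.chain != chain:
                continue
            if r.match_dst is not None and r.match_dst != pkt.dst:
                continue
            if r.match_src is not None and r.match_src != pkt.src:
                continue
            return replace(pkt, dst=r.to) if r.target == "DNAT" else replace(pkt, src=r.to)
        return pkt

    def _unnat_reply(self, pkt: Packet) -> Optional[Packet]:
        """If pkt is the reply of a tracked flow, undo its NAT; no rule needed."""
        for orig, wire in self.conntrack.items():
            if (pkt.src, pkt.dst) == (wire[1], wire[0]):
                return Packet(src=orig[1], dst=orig[0])
        return None

    def send(self, pkt: Packet) -> Packet:
        """Locally generated packet: routing -> OUTPUT -> re-route -> POSTROUTING -> NIC."""
        orig = (pkt.src, pkt.dst)
        pkt = self._chain("OUTPUT", pkt)         # DNAT is possible here, before re-routing
        pkt = self._chain("POSTROUTING", pkt)    # SNAT is possible here, after routing
        self.conntrack[orig] = (pkt.src, pkt.dst)
        return pkt

    def receive(self, pkt: Packet) -> Tuple[str, Packet]:
        """Packet from the NIC: PREROUTING -> routing -> INPUT, or FORWARD -> POSTROUTING.
        Returns the path taken and the packet as delivered or forwarded."""
        reply = self._unnat_reply(pkt)
        if reply is not None:
            return "reply", reply                # conntrack reversed it; rules are skipped
        pkt = self._chain("PREROUTING", pkt)     # DNAT is possible here, before routing
        if pkt.dst == self.local_ip:
            return "INPUT", self._chain("INPUT", pkt)
        return "FORWARD", self._chain("POSTROUTING", pkt)  # nat has no FORWARD chain


LOCAL, PROXY, SERVICE, CLIENT = "10.0.0.5", "1.1.1.1", "2.2.2.2", "9.9.9.9"


def wrong_chain() -> str:
    """The post's first attempt: a PREROUTING DNAT never sees locally generated packets."""
    nat = NatTable(LOCAL)
    nat.add_rule(Rule("PREROUTING", "DNAT", PROXY, match_dst=SERVICE))
    return nat.send(Packet(LOCAL, SERVICE)).dst          # still 2.2.2.2, unreachable


def right_chain() -> Tuple[str, str]:
    """DNAT in OUTPUT rewrites the request; conntrack restores the reply's source."""
    nat = NatTable(LOCAL)
    nat.add_rule(Rule("OUTPUT", "DNAT", PROXY, match_dst=SERVICE))
    on_wire = nat.send(Packet(LOCAL, SERVICE))
    _, delivered = nat.receive(Packet(PROXY, LOCAL))     # the proxy's reply
    return on_wire.dst, delivered.src                    # ("1.1.1.1", "2.2.2.2")


def prerouting_is_for_inbound() -> Tuple[str, str]:
    """The same PREROUTING rule does work for traffic that arrives from the NIC."""
    nat = NatTable(LOCAL)
    nat.add_rule(Rule("PREROUTING", "DNAT", PROXY, match_dst=SERVICE))
    path, pkt = nat.receive(Packet(CLIENT, SERVICE))
    return path, pkt.dst                                 # ("FORWARD", "1.1.1.1")


def dnat_in_postrouting_is_rejected() -> bool:
    nat = NatTable(LOCAL)
    try:
        nat.add_rule(Rule("POSTROUTING", "DNAT", PROXY, match_dst=SERVICE))
    except ValueError:
        return True
    return False
```

The model deliberately leaves out the filter table and the second routing decision after OUTPUT; it is enough to show why the PREROUTING rule silently matched nothing, why the OUTPUT rule works, and why the POSTROUTING SNAT rule was never needed. On a real host the same thing can be observed with `iptables -t nat -L -v -n` (packet counters on each rule) and `conntrack -L` (the stored mapping for the flow).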


