[[PageOutline]]

= IP MASQUERADE with iptables =

 * [http://www.atmarkit.co.jp/flinux/rensai/iptables02/iptables02c.html @IT: Creating a Linux router using the nat table (3/6)]
 * Uses the network in [../#networkmap]
 * Reachability test IP => 202.12.27.33 (M.ROOT-SERVERS.NET.)

= without MASQUERADE =

== case 1 ==

 * router -> centos-outer -(NAPT)-> WAN
 * ubuntu-router:~$ ping 202.12.27.33 -c 1
{{{
PING 202.12.27.33 (202.12.27.33) 56(84) bytes of data.

--- 202.12.27.33 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
}}}
 1. ubuntu-router:eth0
{{{
21:36:03.484785 IP 10.0.0.254 > 202.12.27.33: ICMP echo request, id 60949, seq 1, length 64
}}}
 1. centos-outer:eth1
{{{
21:36:03.419741 IP 10.0.0.254 > 202.12.27.33: ICMP echo request, id 60949, seq 1, length 64
}}}
 1. centos-outer:eth0
{{{
21:36:03.420277 IP 10.0.0.254 > 202.12.27.33: ICMP echo request, id 60949, seq 1, length 64
}}}
 * The request leaves centos-outer:eth0 with its private source 10.0.0.254 unchanged, and no reply is ever seen on any interface.

== case 2 ==

 * ubuntu-outer -> router(redirect) -> centos-outer -(NAPT)-> WAN
 * ubuntu-outer:~$ ping 202.12.27.33 -c 1
{{{
PING 202.12.27.33 (202.12.27.33) 56(84) bytes of data.
From 10.0.0.254: icmp_seq=1 Redirect Host(New nexthop: 10.0.0.20)

--- 202.12.27.33 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
}}}
 1. ubuntu-outer:eth1
{{{
21:28:12.959737 IP 10.0.0.10 > 202.12.27.33: ICMP echo request, id 53525, seq 1, length 64
21:28:12.965215 IP 10.0.0.254 > 10.0.0.10: ICMP redirect 202.12.27.33 to host 10.0.0.20, length 92
}}}
 1. ubuntu-router:eth0
{{{
21:28:12.962459 IP 10.0.0.10 > 202.12.27.33: ICMP echo request, id 53525, seq 1, length 64
21:28:12.965204 IP 10.0.0.254 > 10.0.0.10: ICMP redirect 202.12.27.33 to host 10.0.0.20, length 92
21:28:12.974739 IP 10.0.0.10 > 202.12.27.33: ICMP echo request, id 53525, seq 1, length 64
}}}
 1. centos-outer:eth1
{{{
21:28:12.915534 IP 10.0.0.10 > 202.12.27.33: ICMP echo request, id 53525, seq 1, length 64
}}}
 1. centos-outer:eth0
{{{
21:28:12.915855 IP 10.0.0.10 > 202.12.27.33: ICMP echo request, id 53525, seq 1, length 64
}}}
 * ubuntu-router forwards the first packet itself (it appears twice on ubuntu-router:eth0, once inbound and once forwarded) and sends ubuntu-outer an ICMP redirect pointing at 10.0.0.20, centos-outer's eth1 address on the same link. As in case 1, the request reaches the WAN with its private source 10.0.0.10 and nothing comes back.

== case 3 ==

 * ubuntu-inner-AB -> router -> centos-outer -(NAPT)-> WAN
 * ubuntu-inner-AB:~$ ping 202.12.27.33 -c 1
{{{
PING 202.12.27.33 (202.12.27.33) 56(84) bytes of data.

--- 202.12.27.33 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
}}}
 1. ubuntu-inner-AB:eth1
{{{
20:50:23.110897 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 4372, seq 1, length 64
}}}
 1. ubuntu-router:eth2
{{{
20:50:23.125749 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 4372, seq 1, length 64
}}}
 1. ubuntu-router:eth0
{{{
20:50:23.134574 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 4372, seq 1, length 64
}}}
 1. centos-outer:eth1
{{{
20:50:23.090600 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 4372, seq 1, length 64
}}}
 1. centos-outer:eth0
{{{
20:50:23.092625 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 4372, seq 1, length 64
}}}

= IP MASQUERADE =

 * In cases 1 and 2 above the request left centos-outer:eth0 with its private source address unchanged, so the WAN side could never route a reply back. Configuring IP MASQUERADE on centos-outer fixes both.
 * centos-outer ~]$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 * centos-outer ~]$ sudo iptables -t nat -L -v
{{{
Chain PREROUTING (policy ACCEPT 21 packets, 3810 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 4 packets, 336 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
}}}

== case 1 ==

 * ubuntu-router:~$ ping 202.12.27.33 -c 1
{{{
PING 202.12.27.33 (202.12.27.33) 56(84) bytes of data.
64 bytes from 202.12.27.33: icmp_seq=1 ttl=239 time=16.3 ms

--- 202.12.27.33 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 16.394/16.394/16.394/0.000 ms
}}}
 1. ubuntu-router:eth0
{{{
21:52:23.674784 IP 10.0.0.254 > 202.12.27.33: ICMP echo request, id 29462, seq 1, length 64
21:52:23.686245 IP 202.12.27.33 > 10.0.0.254: ICMP echo reply, id 29462, seq 1, length 64
}}}
 1. centos-outer:eth1
{{{
21:52:23.585426 IP 10.0.0.254 > 202.12.27.33: ICMP echo request, id 29462, seq 1, length 64
21:52:23.600322 IP 202.12.27.33 > 10.0.0.254: ICMP echo reply, id 29462, seq 1, length 64
}}}
 1. centos-outer:eth0
{{{
21:52:23.586646 IP 192.168.40.20 > 202.12.27.33: ICMP echo request, id 29462, seq 1, length 64
21:52:23.600260 IP 202.12.27.33 > 192.168.40.20: ICMP echo reply, id 29462, seq 1, length 64
}}}
 * On centos-outer:eth0 the request now carries the source 192.168.40.20 (centos-outer's WAN address), and the reply to that address is translated back to 10.0.0.254 before it is sent out eth1.

== case 2 ==

 * ubuntu-outer:~$ ping 202.12.27.33 -c 1
{{{
PING 202.12.27.33 (202.12.27.33) 56(84) bytes of data.
From 10.0.0.254: icmp_seq=1 Redirect Host(New nexthop: 10.0.0.20)
64 bytes from 202.12.27.33: icmp_seq=1 ttl=239 time=18.2 ms

--- 202.12.27.33 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 18.232/18.232/18.232/0.000 ms
}}}
 1. ubuntu-outer:eth1
{{{
21:54:52.110334 IP 10.0.0.10 > 202.12.27.33: ICMP echo request, id 42518, seq 1, length 64
21:54:52.112754 IP 10.0.0.254 > 10.0.0.10: ICMP redirect 202.12.27.33 to host 10.0.0.20, length 92
21:54:52.128234 IP 202.12.27.33 > 10.0.0.10: ICMP echo reply, id 42518, seq 1, length 64
}}}
 1. ubuntu-router:eth0
{{{
21:54:52.110893 IP 10.0.0.10 > 202.12.27.33: ICMP echo request, id 42518, seq 1, length 64
21:54:52.112704 IP 10.0.0.254 > 10.0.0.10: ICMP redirect 202.12.27.33 to host 10.0.0.20, length 92
21:54:52.113196 IP 10.0.0.10 > 202.12.27.33: ICMP echo request, id 42518, seq 1, length 64
}}}
 1. centos-outer:eth1
{{{
21:54:52.033678 IP 10.0.0.10 > 202.12.27.33: ICMP echo request, id 42518, seq 1, length 64
21:54:52.048781 IP 202.12.27.33 > 10.0.0.10: ICMP echo reply, id 42518, seq 1, length 64
}}}
 1. centos-outer:eth0
{{{
21:54:52.035689 IP 192.168.40.20 > 202.12.27.33: ICMP echo request, id 42518, seq 1, length 64
21:54:52.048112 IP 202.12.27.33 > 192.168.40.20: ICMP echo reply, id 42518, seq 1, length 64
}}}

== case 3 == #needroute

 * ubuntu-inner-AB -> router -> centos-outer -(NAPT)-> WAN
 * In this case the reply that comes back WAN -(NAPT)-> centos-outer is de-NATed to 10.2.0.30 (ubuntu-inner-AB) and must be sent back to it, but centos-outer's default gateway lies on the eth0 side, so the packet is sent out eth0 instead of eth1, which is where ubuntu-inner-AB is reached via ubuntu-router. The last two lines of the centos-outer:eth0 capture below show exactly that: the reply arrives for 192.168.40.20 and the de-NATed copy addressed to 10.2.0.30 leaves on the same WAN interface.
 * In addition to MASQUERADE, centos-outer needs a static route for the inner network => [../route#staticrouteIPMASQUERADE]
 * ubuntu-inner-AB:~$ ping 202.12.27.33 -c 1
{{{
PING 202.12.27.33 (202.12.27.33) 56(84) bytes of data.

--- 202.12.27.33 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
}}}
 1. ubuntu-inner-AB:eth1
{{{
20:56:09.881451 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 15892, seq 1, length 64
}}}
 1. ubuntu-router:eth2
{{{
20:56:09.895738 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 15892, seq 1, length 64
}}}
 1. ubuntu-router:eth0
{{{
20:56:09.896113 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 15892, seq 1, length 64
}}}
 1. centos-outer:eth1
{{{
20:56:09.861559 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 15892, seq 1, length 64
}}}
 1. centos-outer:eth0
{{{
20:56:09.863646 IP 192.168.40.20 > 202.12.27.33: ICMP echo request, id 15892, seq 1, length 64
20:56:09.876772 IP 202.12.27.33 > 192.168.40.20: ICMP echo reply, id 15892, seq 1, length 64
20:56:09.878089 IP 202.12.27.33 > 10.2.0.30: ICMP echo reply, id 15892, seq 1, length 64
}}}
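The complete centos-outer configuration that the two sections above arrive at (MASQUERADE plus the return route needed for case 3), as an added example; this is not the page's own command sequence. It assumes centos-outer's eth0 is the WAN side and eth1 faces ubuntu-router (as in the captures), that the inner network behind ubuntu-router is 10.2.0.0/24 (the page only shows the single host 10.2.0.30), and that everything to be masqueraded lives in 10.0.0.0/8. The `run`/`configure_nat` helpers and the `DRY_RUN` switch are this example's own. It also adds a stateful FORWARD filter, which the page's nat-only listing does not have: MASQUERADE translates but does not filter, and with the filter table left at policy ACCEPT anything the WAN side sends toward a 10.x address would be forwarded as well.

```shell
#!/bin/sh
# Added example: bring up centos-outer as a NAPT router for the 10.x networks.
# Interface names match the page's captures; the /24 prefix and the 10.0.0.0/8
# source match are assumptions.
set -eu

WAN_IF=${WAN_IF:-eth0}                # toward the WAN, 192.168.40.20
LAN_IF=${LAN_IF:-eth1}                # toward ubuntu-router, 10.0.0.20
INNER_NET=${INNER_NET:-10.2.0.0/24}   # assumption: ubuntu-inner-AB's subnet
INNER_GW=${INNER_GW:-10.0.0.254}      # ubuntu-router's eth0, reached via LAN_IF
MASQ_SRC=${MASQ_SRC:-10.0.0.0/8}      # assumption: everything private we forward

# run: execute the command, or only print it when DRY_RUN=1 so the rule set
# can be reviewed before touching a live router.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

enable_forwarding() {
  run sysctl -w net.ipv4.ip_forward=1
}

# nat_rules: the page's rule, restricted with -s so only our private sources
# are rewritten. Without -s, any source routed out WAN_IF gets masqueraded.
nat_rules() {
  run iptables -t nat -A POSTROUTING -s "$MASQ_SRC" -o "$WAN_IF" -j MASQUERADE
}

# forward_rules: MASQUERADE lives in the nat table and filters nothing.
# Accept only LAN->WAN traffic and the replies conntrack already knows about.
forward_rules() {
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$MASQ_SRC" -j ACCEPT
}

# return_route: the fix for case 3. De-NATed replies to 10.2.0.30 must go back
# through ubuntu-router on LAN_IF, not out the default route on WAN_IF.
return_route() {
  run ip route replace "$INNER_NET" via "$INNER_GW" dev "$LAN_IF"
}

configure_nat() {
  enable_forwarding
  nat_rules
  forward_rules
  return_route
}

if [ "${1:-}" = "--apply" ]; then
  configure_nat
fi
```

Saved as, say, `nat-router.sh`, run `DRY_RUN=1 sh nat-router.sh --apply` to print the six commands, then run it as root without `DRY_RUN` to apply them. Afterwards `iptables -t nat -L POSTROUTING -v -n` should show the MASQUERADE rule's pkts counter climbing with each ping (the listing above shows it at 0 because it was taken before any traffic), and `ip route get 10.2.0.30` must name eth1 and 10.0.0.254 rather than the default gateway.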
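To read the same result out of the captures rather than the rule listing, here is an added shell/awk script (not from the page) that correlates tcpdump lines taken on centos-outer's two interfaces by ICMP id and reports whether the source was rewritten on the WAN side and on which interface the de-NATed reply left. The input is the tcpdump output shown above with the capture interface prefixed to each line; the three embedded captures are copied from this page's traces, and `nat_trace` is the example's own function.

```shell
#!/bin/sh
# Added example: correlate per-interface tcpdump lines by ICMP id and report
# what centos-outer's NAT did with each ping. Input lines are the page's
# captures with the interface prepended, e.g.
#   eth0 20:56:09.863646 IP 192.168.40.20 > 202.12.27.33: ICMP echo request, id 15892, seq 1, length 64

# Constructed inputs, copied from the captures on this page.
# Case 3 with MASQUERADE but no return route: the de-NATed reply leaves on eth0.
CASE3_CAPTURE='eth1 20:56:09.861559 IP 10.2.0.30 > 202.12.27.33: ICMP echo request, id 15892, seq 1, length 64
eth0 20:56:09.863646 IP 192.168.40.20 > 202.12.27.33: ICMP echo request, id 15892, seq 1, length 64
eth0 20:56:09.876772 IP 202.12.27.33 > 192.168.40.20: ICMP echo reply, id 15892, seq 1, length 64
eth0 20:56:09.878089 IP 202.12.27.33 > 10.2.0.30: ICMP echo reply, id 15892, seq 1, length 64'
# Case 1 with MASQUERADE: the reply is translated back and leaves on eth1.
CASE1_CAPTURE='eth1 21:52:23.585426 IP 10.0.0.254 > 202.12.27.33: ICMP echo request, id 29462, seq 1, length 64
eth0 21:52:23.586646 IP 192.168.40.20 > 202.12.27.33: ICMP echo request, id 29462, seq 1, length 64
eth0 21:52:23.600260 IP 202.12.27.33 > 192.168.40.20: ICMP echo reply, id 29462, seq 1, length 64
eth1 21:52:23.600322 IP 202.12.27.33 > 10.0.0.254: ICMP echo reply, id 29462, seq 1, length 64'
# Case 1 without MASQUERADE: the private source leaks to the WAN unchanged, no reply.
NONAT_CAPTURE='eth1 21:36:03.419741 IP 10.0.0.254 > 202.12.27.33: ICMP echo request, id 60949, seq 1, length 64
eth0 21:36:03.420277 IP 10.0.0.254 > 202.12.27.33: ICMP echo request, id 60949, seq 1, length 64'

# nat_trace WAN_IF LAN_IF   (capture lines on stdin)
# Prints one line per ICMP id:
#   <id> SNAT <orig>-><translated>|none REPLY ok|misrouted:<if>|denat-missing|none
nat_trace() {
  awk -v wan="$1" -v lan="$2" '
  {
    iface = $1; src = $4; dst = $6; sub(/:$/, "", dst)
    kind = $9; sub(/,$/, "", kind)      # "request" or "reply"
    id = $11;  sub(/,$/, "", id)        # ICMP id, the key conntrack uses for echo
    if (kind == "request" && iface == lan) orig[id] = src
    else if (kind == "request" && iface == wan) nat[id] = src
    else if (kind == "reply") {
      # reply for the translated address seen on the WAN side
      if ((id in nat) && dst == nat[id] && iface == wan) wanrep[id] = 1
      # reply already translated back to the original source: note where it left
      if ((id in orig) && dst == orig[id]) denat_if[id] = iface
    }
  }
  END {
    for (id in orig) {
      snat = ((id in nat) && nat[id] != orig[id]) ? (orig[id] "->" nat[id]) : "none"
      if (id in denat_if)
        verdict = (denat_if[id] == lan) ? "ok" : ("misrouted:" denat_if[id])
      else if (id in wanrep)
        verdict = "denat-missing"
      else
        verdict = "none"
      printf "%s SNAT %s REPLY %s\n", id, snat, verdict
    }
  }'
}

if [ "${1:-}" = "--demo" ]; then
  for c in "$CASE3_CAPTURE" "$CASE1_CAPTURE" "$NONAT_CAPTURE"; do
    printf '%s\n' "$c" | nat_trace eth0 eth1
  done
fi
```

For a live check, capture on both interfaces at once (for example `tcpdump -l -n -i eth0 icmp | sed 's/^/eth0 /'` and the same for eth1, merged into one file) and feed the file to `nat_trace eth0 eth1`; a `misrouted:eth0` verdict is the case 3 symptom and means the static route is missing, while `SNAT none` means the MASQUERADE rule did not match the packet.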