Yawl(yawl@docshownet) wwwdocshownet 2000/3/15 1, linux linux,, 1NAT ; 2 (load balance,virtual server);; 3 ; 4 ; 5 6VPN; 7 ; 8 ; 9 (,, )IP, (VPN,, ) IP, (call_in_firewall(),call_fw_firewall(),call_out_firewall(), 2 linux ( 22 linux, ) Linux skbuff(include/skbuffh),, skbuff, skbuff skbuff Skbuff, ; ( ), ( TCP/IP )
IP ip_rcv()ip_forward()ip_output(), IP 3 31 NAT, (NAT) ( )IP ( )IP, IP (RFC 1918), internet, IP NAT, IP,NAT NAT (static address translation) NAT(dynamic address translation) NAT ----------- IP IP, IP IP, linux,224, ipnatadm, 2213 ( ), /ipv4/ip_nat_dumb.c, ip_do_nat() ip_forward(),ip_output() ( ) ( CONFIG_IP_ROUTE_NAT CONFIG_IP_MULTIPLE_TABLES) NAT -------------- IP IP, linux IP ( ), IP, TCP/UDP
多台主机共用一个地址,此时防火墙必须维持一个动态的映射表,且随时要对此表进行更新。原理如下图所示。伪装功能相关文件有(均在 /ipv4 目录): ip_masq.c ip_masq_app.c ip_masq_cuseeme.c ip_masq_ftp.c ip_masq_mfw.c ip_masq_mod.c ip_masq_quake.c ip_masq_raudio.c ip_masq_vdolive.c ip_masq_autofw.c ip_masq_irc.c ip_masq_portfw.c ip_masq_user.c。头文件有: #include <net/ip_masq.h> #include <linux/ip_masq.h> #ifdef CONFIG_IP_MASQUERADE_MOD #include <net/ip_masq_mod.h> #endif。其中最主要的文件是 ip_masq.c,它定义了对应用层的接口和实际的地址伪装处理过程,其余文件大多是根据专门应用的扩展。流程为(没有结合包过滤):
当 IP 层接收到信息(ip_rcv)以后,在确定信息准确无误后,查路由。伪装的包和去往防火墙本身的包的目的地址均是防火墙的对外地址,IP 层将用 ip_local_deliver() 进行处理,其中便调用了 ip_fw_demasquerade()。解伪装会将真正的目的地址和端口恢复出来,经过再次查路由,如果是发往本地的包,则交给相应的上层去处理(tcp_ipv4_rcv, udp_rcv, raw_rcv 等),否则调用 ip_forward()。ip_fw_masquerade() 则在 ip_forward() 中被调用。具体算法: 公开地址与内部地址的映射表采用的数据结构是 struct ip_masq,在 include/net/ip_masq.h 中定义。以下几个是最重要的参数,分别为所用的协议 protocol,源/目的地址 saddr/daddr,源/目的端口 sport/dport,经伪装后的地址/端口 maddr/mport。其格式为:
struct ip_masq {
    struct list_head m_list, s_list, d_list; /* hashed d-linked list heads */
    atomic_t refcnt;                          /* reference count */
    struct timer_list timer;                  /* Expiration timer */
    u16 protocol;                             /* Which protocol are we talking? */
    u16 sport, dport, mport;                  /* src, dst & masq ports */
    u32 saddr, daddr, maddr;                  /* src, dst & masq addresses */
    struct ip_masq_seq out_seq, in_seq;
    struct ip_masq_app *app;                  /* bound ip_masq_app object */
    void *app_data;                           /* Application private data */
    struct ip_masq *control;                  /* Master control connection */
    atomic_t n_control;                       /* Number of controlled masqs */
    unsigned flags;                           /* status flags */
    unsigned timeout;                         /* timeout */
    unsigned state;                           /* state info */
};
, setsockopt: int setsockopt(int socket, IPPROTO_IP, int command, void *data, int length) (MASQ) MASQ, ( ) (, ),,
linux 32 (load balance, virtual server) (, IP ) NAT, NAT IP, IP ( ) ( ) IP,,, (NAT),, *Random, *Round Robin *, server *, ping,,,checkpoint, linux, Linux Virtual Server Project( proxyiinchinanet/~wensong/ippfvs/) ip_vsc ip_vs_rrc ip_vs_wrrc ip_vs_wlsc ip_vsc, Round Robin, Weighted Round Robin, Weighted Least Connection ( ) 33
IP,,,SYN, Linux (input chain, forward chain, output chain),, ( ), chain * *, (ACCEPT, REJECT, DENY, MASQ, REDIRECT, RETURN) * a ; b packet byte,, (ipchains -L -v) c, *, ip_fw.c, ip_fw.h (ip ), firewall.c, firewall.h ( ) ip_rcv() ip, a ; b (4? 6?); c if (skb->len < sizeof(struct iphdr)) goto inhdr_error; if (iph->ihl < 5 || iph->version != 4 || ip_fast_csum((u8 *)iph, iph->ihl) != 0) goto inhdr_error;, fwres = call_in_firewall(PF_INET, dev, iph, &rport, &skb); fwres,
if (fwres < FW_ACCEPT && fwres != FW_REJECT) goto drop; ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev) IP (iph->ihl > 5), () skbuff dst, skb->dst->input(skb), ip_local_deliver(),, ip_forward(),, IP IP,, ip_local_deliver(), ip_local_deliver(),,,, ip_forward() ip_forward() call_fw_firewall() (ip_output, ip_queue_xmit), call_out_firewall() ip_fw.c ip_fw_init() call_in_firewall, call_fw_firewall, call_out_firewall, ip_fw_check(), ip_fw_check() ip_chain (ip_fw.c), ip_fwkernel (ip_fw.c), ip_fw (ip_fw.h):
struct ip_fw {
    struct in_addr fw_src, fw_dst;    /* Source and destination IP addr */
    struct in_addr fw_smsk, fw_dmsk;  /* Mask for src and dest IP addr */
    u32 fw_mark;                      /* ID to stamp on packet */
    u16 fw_proto;                     /* Protocol, 0 = ANY */
    u16 fw_flg;                       /* Flags word */
    u16 fw_invflg;                    /* Inverse flags */
    u16 fw_spts[2];                   /* Source port range */
    u16 fw_dpts[2];                   /* Destination port range */
    u16 fw_redirpt;                   /* Port to redirect to */
    u16 fw_outputsize;                /* Max amount to output to NETLINK */
    char fw_vianame[IFNAMSIZ];        /* name of interface "via" */
    u8 fw_tosand, fw_tosxor;          /* Revised packet priority */
};
( flag ) ip_fw_check() ( ip_fw ), setsockopt man man ipfw 34 linux, printk(), printf() printk <0><2> <7>, <0>,, klogd syslog(), proc (cat /proc/kmsg) printk ( ) syslogd klogd, /etc/syslog.conf, /var/log/messages ipchains (-l ), ip_fw.c static void dump_packet( ), printk() klogd, cat /proc/kmsg,, <6> Packet log input DENY eth0 PROTO=17 1921682153 19218168111025 L=34 S=0x00 I=18 F=0x0000 T=254 <6> (KERN_INFO) /var/log/messages, syslogd, dump_packet( ) 35 linux (ipchains -L -v) IP IP (, ),,, ( ), 36 VPN VPN linux
FreeS/WAN project, IPSEC & IKE, VPN 13 www.freeswan.org freeswan, (ifconfig), ipsec0,, ipsecN ppp0 ssh ssh telnet X11, VPN VPN mini HOWTO, PPTP linux pptp server client pptp