|
|
186.
|
|
|
The kernel's packet filtering system would be of little use to administrators without a userspace interface to manage it. This is the purpose of iptables. When a packet reaches your server, it will be handed off to the Netfilter subsystem for acceptance, manipulation, or rejection based on the rules supplied to it from userspace via iptables. Thus, iptables is all you need to manage your firewall if you're familiar with it, but many frontends are available to simplify the task.
|
|
|
|
|
内核的包过滤系统如果没有一个用户态 (userspace) 界面来管理它的话对管理员来说几乎没有用。这正是 iptables 的目的。当一个包到达您的服务器,它从用户态 (userspace) 通过 iptables 传给 Netfilter 子系统,然后基于提供的规则去接受、操作或拒绝。因此,如果你能熟悉它的话,那么 iptables 就是您管理您防火墙所需的全部。
|
|
Translated and reviewed by
姚渺波
|
|
|
|
Located in
serverguide/C/security.xml:360(para)
|
|
|
187.
|
|
|
IP Masquerading
|
|
|
|
|
IP 伪装
|
|
Translated and reviewed by
姚渺波
|
|
|
|
Located in
serverguide/C/security.xml:596(title)
|
|
|
188.
|
|
|
The purpose of IP Masquerading is to allow machines with private, non-routable IP addresses on your network to access the Internet through the machine doing the masquerading. Traffic from your private network destined for the Internet must be manipulated for replies to be routable back to the machine that made the request. To do this, the kernel must modify the <emphasis>source</emphasis> IP address of each packet so that replies will be routed back to it, rather than to the private IP address that made the request, which is impossible over the Internet. Linux uses <emphasis>Connection Tracking</emphasis> (conntrack) to keep track of which connections belong to which machines and reroute each return packet accordingly. Traffic leaving your private network is thus "masqueraded" as having originated from your Ubuntu gateway machine. This process is referred to in Microsoft documentation as Internet Connection Sharing.
|
|
|
|
|
IP 伪装的目的是为了允许您网络上那些有着私有的、不可路由的 IP 地址的机器可以通过做伪装的机器访问 Internet。来自您私有网络并要访问 Internet 的传输必须是可以操作的,也就是说回复要可以被路由回来以送到发出请求的机器上。要做到这一点,内核必须修改每个包 <emphasis>源</emphasis> IP 地址以便回复能被路由回它这里,而不是发出请求的私有 IP 地址,因为它们对于 Internet 来说是不存在的。Linux 使用 <emphasis>Connection Tracking</emphasis> (conntrack) 来保持那个连接是属于哪个机器的,并相应地对每个返回包重新做路由。发自您私有网络的流量就这样被伪装成源于您的网关机器。这一过程在 Microsoft 文档中被称为 Internet 连接共享。
|
|
Translated and reviewed by
姚渺波
|
|
|
|
Located in
serverguide/C/security.xml:597(para)
|
|
|
189.
|
|
|
-t nat -- the rule is to go into the nat table
|
|
|
|
|
-t nat -- 该规则将进入 nat 表
|
|
Translated and reviewed by
姚渺波
|
|
|
|
Located in
serverguide/C/security.xml:744(para)
|
|
|
190.
|
|
|
-A POSTROUTING -- the rule is to be appended (-A) to the POSTROUTING chain
|
|
|
|
|
-A POSTROUTING -- 该规则将被追加 (-A) 到 POSTROUTING 链
|
|
Translated and reviewed by
姚渺波
|
|
|
|
Located in
serverguide/C/security.xml:745(para)
|
|
|
191.
|
|
|
-s 192.168.0.0/16 -- the rule applies to traffic originating from the specified address space
|
|
|
|
|
-s 192.168.0.0/16 -- 该规则将被应用在源自指定地址空间的流量上
|
|
Translated and reviewed by
姚渺波
|
|
|
|
Located in
serverguide/C/security.xml:746(para)
|
|
|
192.
|
|
|
-o ppp0 -- the rule applies to traffic scheduled to be routed through the specified network device
|
|
|
|
|
-o ppp0 -- 该规则应用于计划通过指定网络设备的流量。
|
|
Translated and reviewed by
姚渺波
|
|
|
|
Located in
serverguide/C/security.xml:747(para)
|
|
|
193.
|
|
|
-j MASQUERADE -- traffic matching this rule is to "jump" (-j) to the MASQUERADE target to be manipulated as described above
|
|
|
|
|
-j MASQUERADE -- 匹配该规则的流量将如上所述 "跳转" (-j) 到 MASQUERADE (伪装) 目标。
|
|
Translated and reviewed by
姚渺波
|
|
|
|
Located in
serverguide/C/security.xml:749(para)
|
|
|
194.
|
|
|
This can be accomplished with a single iptables rule, which may differ slightly based on your network configuration: <screen>sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE</screen> The above command assumes that your private address space is 192.168.0.0/16 and that your Internet-facing device is ppp0. The syntax is broken down as follows: <placeholder-1/>
|
|
|
|
|
这可以用单条 iptables 规则来完成,也许基于您网络配置来说会有一些小的差异:<screen>sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE</screen> 上述命令假设您的私有地址空间是192.168.0.0/16,您与 Internet 相连的设备是 ppp0。语法分解如下所示:<placeholder-1/>
|
|
Translated and reviewed by
姚渺波
|
|
|
|
Located in
C/network-applications.xml:408(para)
|
|
|
195.
|
|
|
Each chain in the filter table (the default table, and where most or all packet filtering occurs) has a default <emphasis>policy</emphasis> of ACCEPT, but if you are creating a firewall in addition to a gateway device, you may have set the policies to DROP or REJECT, in which case your masqueraded traffic needs to be allowed through the FORWARD chain for the above rule to work: <screen>sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT 
sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT</screen> The above commands will allow all connections from your local network to the Internet and all traffic related to those connections to return to the machine that initiated them. |
|
|
represents a line break.
Start a new line in the equivalent position in the translation.
|
|
|
|
|
在过滤表 (缺省表,在那里有着大多数或全部包过滤指令) 中的每条链 (chain) 都有一个默认的 ACCEPT <emphasis>策略</emphasis>,但如果您还在网关设备上设置防火墙,那么您也许还要设置 DROP 或 REJECT 策略,这时您被伪装过的流量还需要被 FORWARD 链 (chain) 中的规则允许才能正常工作:<screen>sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT
sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT</screen> 上述命令将允许通过从您局域网到 Internet 的所有连接,这些连接所有的相关流量也都返回到发起它们的机器。 |
|
Translated and reviewed by
姚渺波
|
|
|
|
Located in
C/network-applications.xml:426(para)
|
