ipfw disable one_pass
ipfw -q nat 1 config if $pif same_ports unreg_only reset
The inbound <acronym>NAT</acronym> rule is inserted <emphasis>after</emphasis> the two rules which allow all traffic on the trusted and loopback interfaces and after the reassemble rule, but <emphasis>before</emphasis> the <literal>check-state</literal> rule. It is important that the rule number selected for this <acronym>NAT</acronym> rule, in this example <literal>100</literal>, is higher than the first three rules and lower than the <literal>check-state</literal> rule. Furthermore, because of the behavior of in-kernel <acronym>NAT</acronym>, it is advised to place a reassemble rule just before the first <acronym>NAT</acronym> rule and after the rules that allow traffic on the trusted interfaces. Normally, <acronym>IP</acronym> fragmentation should not happen, but when dealing with <acronym>IPSEC/ESP/GRE</acronym> tunneling traffic it might, and the fragments must be reassembled before the complete packet is handed over to the in-kernel <acronym>NAT</acronym> facility.
The reassemble rule was not needed with userland <citerefentry><refentrytitle>natd</refentrytitle><manvolnum>8</manvolnum></citerefentry> because the internal workings of the <application>IPFW</application> <literal>divert</literal> action already take care of reassembling packets before delivery to the socket, as also stated in <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
The <acronym>NAT</acronym> instance and rule number used in this example do not match the default <acronym>NAT</acronym> instance and rule number created by <filename>rc.firewall</filename>. <filename>rc.firewall</filename> is a script that sets up the default firewall rules present in FreeBSD.
$cmd 005 allow all from any to any via xl0 # exclude LAN traffic
$cmd 010 allow all from any to any via lo0 # exclude loopback traffic
$cmd 099 reass all from any to any in # reassemble inbound packets
$cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets
# Allow the packet through if it has an existing entry in the dynamic rules table
$cmd 101 check-state
The outbound rules are modified to replace the <literal>allow</literal> action with the <literal>$skip</literal> variable, indicating that rule processing will continue at rule <literal>1000</literal>. The seven <literal>tcp</literal> rules have been replaced by rule <literal>125</literal>, as the <literal>$good_tcpo</literal> variable contains the seven allowed outbound ports.
Remember that <application>IPFW</application>'s performance is largely determined by the number of rules present in the ruleset.
# Authorized outbound packets
$cmd 120 $skip udp from any to x.x.x.x 53 out via $pif $ks
$cmd 121 $skip udp from any to x.x.x.x 67 out via $pif $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
$cmd 130 $skip icmp from any to any out via $pif $ks
The inbound rules remain the same, except for the very last rule, which drops the <literal>via $pif</literal> in order to catch both inbound and outbound packets. The <acronym>NAT</acronym> rule must follow this last outbound rule, must have a higher number than that last rule, and its rule number must be the one referenced by the <literal>skipto</literal> action. In this ruleset, rule number <literal>1000</literal> handles passing all packets to our configured instance for <acronym>NAT</acronym> processing. The next rule allows any packet which has undergone <acronym>NAT</acronym> processing to pass.
$cmd 999 deny log all from any to any
$cmd 1000 nat 1 ip from any to any out via $pif # skipto location for outbound stateful rules
$cmd 1001 allow ip from any to any
In this example, rules <literal>100</literal>, <literal>101</literal>, <literal>125</literal>, <literal>1000</literal>, and <literal>1001</literal> control the address translation of the outbound and inbound packets so that the entries in the dynamic state table always register the private <acronym>LAN</acronym> <acronym>IP</acronym> address.
Consider an internal web browser which initiates a new outbound <acronym>HTTP</acronym> session over port 80. When the first outbound packet enters the firewall, it does not match rule <literal>100</literal> because it is headed out rather than in. It passes rule <literal>101</literal> because this is the first packet and it has not been posted to the dynamic state table yet. The packet finally matches rule <literal>125</literal>, as it is outbound on an allowed port and has a source <acronym>IP</acronym> address from the internal <acronym>LAN</acronym>. On matching this rule, two actions take place. First, the <literal>keep-state</literal> action adds an entry to the dynamic state table, and the specified action, <literal>skipto rule 1000</literal>, is executed. Next, the packet undergoes <acronym>NAT</acronym> and is sent out to the Internet. This packet makes its way to the destination web server, where a response packet is generated and sent back. This new packet enters the top of the ruleset. It matches rule <literal>100</literal> and has its destination <acronym>IP</acronym> address mapped back to the original internal address. It is then processed by the <literal>check-state</literal> rule, is found in the table as an existing session, and is released to the <acronym>LAN</acronym>.
On the inbound side, the ruleset has to deny bad packets and allow only authorized services. A packet which matches an inbound rule is posted to the dynamic state table and the packet is released to the <acronym>LAN</acronym>. The packet generated as a response is recognized by the <literal>check-state</literal> rule as belonging to an existing session. It is then sent to rule <literal>1000</literal> to undergo <acronym>NAT</acronym> before being released to the outbound interface.
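The ordering constraints described above are easy to get wrong when the ruleset is edited later, so the following added example (not a script from the Handbook) emits the in-kernel NAT ruleset in dry-run form and checks, before anything is loaded, that the inbound nat rule sits between the trusted-interface rules and check-state and that every skipto points at the outbound nat rule above the final deny. It assumes em0 as the public interface, xl0 as the trusted LAN interface, and constructed values for good_tcpo and the DNS/DHCP servers.

```shell
#!/bin/sh
# Added example, not the Handbook's own script: emit the in-kernel NAT
# ruleset in dry-run form and verify its ordering constraints before loading.
# Assumptions: em0 is the public interface ($pif), xl0 the trusted LAN
# interface; good_tcpo, dns and dhcp are constructed sample values.

pif="em0"
skip="skipto 1000"
ks="keep-state"
good_tcpo="22,25,37,53,80,110,443"   # constructed: the seven allowed outbound ports
dns="203.0.113.53"                   # constructed stand-in for x.x.x.x (ISP DNS)
dhcp="203.0.113.67"                  # constructed stand-in for x.x.x.x (ISP DHCP)

# Print each rule instead of loading it; pipe the output to sh to apply it.
emit_ruleset() {
    cmd="echo ipfw -q add"
    echo "ipfw disable one_pass"
    echo "ipfw -q nat 1 config if $pif same_ports unreg_only reset"
    $cmd 005 allow all from any to any via xl0            # trusted LAN
    $cmd 010 allow all from any to any via lo0            # loopback
    $cmd 099 reass all from any to any in                 # reassemble fragments first
    $cmd 100 nat 1 ip from any to any in via $pif         # inbound NAT
    $cmd 101 check-state
    $cmd 120 $skip udp from any to $dns 53 out via $pif $ks
    $cmd 121 $skip udp from any to $dhcp 67 out via $pif $ks
    $cmd 125 $skip tcp from any to any $good_tcpo out via $pif setup $ks
    $cmd 130 $skip icmp from any to any out via $pif $ks
    $cmd 999 deny log all from any to any
    $cmd 1000 nat 1 ip from any to any out via $pif       # skipto target
    $cmd 1001 allow ip from any to any
}

# Read "ipfw -q add N ..." lines on stdin and check what the text requires:
# inbound nat numbered above the trusted/loopback/reass rules and below
# check-state; every skipto aimed at the outbound nat rule, which sits above
# the final deny. Prints OK, or BAD ... and returns 1.
check_order() {
    awk '
    $1 == "ipfw" && $3 == "add" {
        n = $4 + 0
        if ($5 == "allow" && $0 ~ /via (xl0|lo0)/ && n > trusted) trusted = n
        if ($5 == "reass") reass = n
        if ($5 == "nat" && $0 ~ / in via / && !natin) natin = n
        if ($5 == "check-state") cs = n
        if ($5 == "skipto") { if (target && target != $6) mixed = 1; target = $6 + 0 }
        if ($5 == "deny") deny = n
        if ($5 == "nat" && $0 ~ / out via /) natout = n
    }
    END {
        if (!(natin > trusted && natin > reass && natin < cs))
            { print "BAD: inbound nat rule is not between the trusted rules and check-state"; exit 1 }
        if (mixed || target != natout || natout <= deny)
            { print "BAD: skipto target is not the outbound nat rule after the final deny"; exit 1 }
        print "OK"
    }'
}

emit_ruleset | check_order
```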
Transitioning from userland <citerefentry><refentrytitle>natd</refentrytitle><manvolnum>8</manvolnum></citerefentry> to in-kernel <acronym>NAT</acronym> might seem seamless at first, but there is a small catch. When using the GENERIC kernel, <application>IPFW</application> loads the <filename>libalias.ko</filename> kernel module when <literal>firewall_nat_enable</literal> is enabled in <filename>rc.conf</filename>. The <filename>libalias.ko</filename> kernel module only provides basic <acronym>NAT</acronym> functionality, whereas the userland implementation <citerefentry><refentrytitle>natd</refentrytitle><manvolnum>8</manvolnum></citerefentry> has all <acronym>NAT</acronym> functionality available in its userland library without any extra configuration. "All functionality" refers to the following kernel modules, which can be loaded when needed in addition to the standard <filename>libalias.ko</filename> kernel module using the <literal>kld_list</literal> directive in <filename>rc.conf</filename>: <filename>alias_cuseeme.ko</filename>, <filename>alias_ftp.ko</filename>, <filename>alias_bbt.ko</filename>, <filename>skinny.ko</filename>, <filename>irc.ko</filename>, <filename>alias_pptp.ko</filename> and <filename>alias_smedia.ko</filename>. If a custom kernel is used, the full functionality of the userland library can be compiled into the kernel using <option>options LIBALIAS</option>.
Port Redirection
The drawback with <acronym>NAT</acronym> in general is that the <acronym>LAN</acronym> clients are not accessible from the Internet. Clients on the <acronym>LAN</acronym> can make outgoing connections to the world but cannot receive incoming ones. This presents a problem if trying to run Internet services on one of the <acronym>LAN</acronym> client machines. A simple way around this is to redirect selected Internet ports on the <acronym>NAT</acronym> providing machine to a <acronym>LAN</acronym> client.
For example, an <acronym>IRC</acronym> server runs on client <systemitem>A</systemitem> and a web server runs on client <systemitem>B</systemitem>. For this to work properly, connections received on ports 6667 (<acronym>IRC</acronym>) and 80 (<acronym>HTTP</acronym>) must be redirected to the respective machines.
With in-kernel <acronym>NAT</acronym>, all configuration is done in the <acronym>NAT</acronym> instance configuration. For a full list of options that an in-kernel <acronym>NAT</acronym> instance can use, consult <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry>. The <application>IPFW</application> syntax follows the syntax of <application>natd</application>. The syntax for <option>redirect_port</option> is as follows:
redirect_port proto targetIP:targetPORT[-targetPORT]
[aliasIP:]aliasPORT[-aliasPORT]
[remoteIP[:remotePORT[-remotePORT]]]
To configure the above example setup, the arguments should be:
redirect_port tcp 192.168.0.2:6667 6667
redirect_port tcp 192.168.0.3:80 80
After adding these arguments to the configuration of <acronym>NAT</acronym> instance 1 in the above ruleset, the <acronym>TCP</acronym> ports will be forwarded to the <acronym>LAN</acronym> client machines running the <acronym>IRC</acronym> and <acronym>HTTP</acronym> services.
ipfw -q nat 1 config if $pif same_ports unreg_only reset \
redirect_port tcp 192.168.0.2:6667 6667 \
redirect_port tcp 192.168.0.3:80 80
Port ranges, rather than individual ports, can also be specified with <option>redirect_port</option>. For example, <replaceable>tcp 192.168.0.2:2000-3000 2000-3000</replaceable> would redirect all connections received on ports 2000 to 3000 to ports 2000 to 3000 on client <systemitem>A</systemitem>.
Address Redirection
Address redirection is useful if more than one <acronym>IP</acronym> address is available. Each <acronym>LAN</acronym> client can be assigned its own external <acronym>IP</acronym> address by <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry>, which will then rewrite outgoing packets from the <acronym>LAN</acronym> clients with the proper external <acronym>IP</acronym> address and redirect all traffic incoming on that particular <acronym>IP</acronym> address back to the specific <acronym>LAN</acronym> client. This is also known as static <acronym>NAT</acronym>. For example, if <acronym>IP</acronym> addresses <systemitem class="ipaddress">128.1.1.1</systemitem>, <systemitem class="ipaddress">128.1.1.2</systemitem>, and <systemitem class="ipaddress">128.1.1.3</systemitem> are available, <systemitem class="ipaddress">128.1.1.1</systemitem> can be used as the <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry> machine's external <acronym>IP</acronym> address, while <systemitem class="ipaddress">128.1.1.2</systemitem> and <systemitem class="ipaddress">128.1.1.3</systemitem> are forwarded back to <acronym>LAN</acronym> clients <systemitem>A</systemitem> and <systemitem>B</systemitem>.
The <option>redirect_address</option> syntax is as below, where <literal>localIP</literal> is the internal <acronym>IP</acronym> address of the <acronym>LAN</acronym> client, and <literal>publicIP</literal> the external <acronym>IP</acronym> address corresponding to the <acronym>LAN</acronym> client.
redirect_address localIP publicIP
In the example, the arguments would read:
redirect_address 192.168.0.2 128.1.1.2
redirect_address 192.168.0.3 128.1.1.3
Like <option>redirect_port</option>, these arguments are placed in a <acronym>NAT</acronym> instance configuration. With address redirection, there is no need for port redirection, as all data received on a particular <acronym>IP</acronym> address is redirected.
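Because a redirect_port or redirect_address argument silently exposes whichever internal host it names, the following added example (not the Handbook's own code) validates a list of redirects against a few simple rules and only then renders the nat instance configuration line shown in the port and address redirection sections above. It assumes the LAN is 192.168.0.0/24 behind em0, that 128.1.1.1 is the firewall's own external address as in the text, and uses constructed lists built from clients A (192.168.0.2) and B (192.168.0.3).

```shell
#!/bin/sh
# Added example, not the Handbook's own: validate a list of redirects and
# render the nat instance configuration from it. Assumptions: the LAN is
# 192.168.0.0/24 behind em0 ($pif), 128.1.1.1 is the firewall's own external
# address as in the text, and the two lists below are constructed samples.

pif="em0"
lan_prefix="192.168.0."   # assumption: a /24 LAN, so a prefix test is enough here
fw_ip="128.1.1.1"         # the ipfw machine's own external address

# One redirect per line:  port targetIP targetPORT aliasPORT  |  addr localIP publicIP
port_redirects='
port 192.168.0.2 6667 6667
port 192.168.0.3 80 80
'
addr_redirects='
addr 192.168.0.2 128.1.1.2
addr 192.168.0.3 128.1.1.3
'

# Reject targets outside the LAN, an alias port claimed twice, and a public
# address that is the firewall's own. Prints OK, or BAD ... and returns 1.
check_redirects() {
    echo "$1" | awk -v lan="$lan_prefix" -v fw="$fw_ip" '
    NF == 0 { next }
    $1 != "port" && $1 != "addr" { print "BAD: unknown kind " $1; bad = 1; exit 1 }
    index($2, lan) != 1 { print "BAD: " $2 " is not a LAN address"; bad = 1; exit 1 }
    $1 == "port" && ($4 in seen) { print "BAD: alias port " $4 " used twice"; bad = 1; exit 1 }
    $1 == "port" { seen[$4] = 1 }
    $1 == "addr" && $3 == fw { print "BAD: " $3 " is the firewall address"; bad = 1; exit 1 }
    END { if (bad) exit 1; print "OK" }'
}

# Render the ipfw(8) command in the form shown in the text, one redirect per line.
nat_config() {
    check_redirects "$1" >/dev/null || return 1
    printf 'ipfw -q nat 1 config if %s same_ports unreg_only reset' "$pif"
    echo "$1" | while read -r kind a b c; do
        case "$kind" in
            port) printf ' \\\n    redirect_port tcp %s:%s %s' "$a" "$b" "$c" ;;
            addr) printf ' \\\n    redirect_address %s %s' "$a" "$b" ;;
        esac
    done
    echo
}

nat_config "$port_redirects"
nat_config "$addr_redirects"
```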
Source information

Source string comment
(itstool) path: sect3/para
Source string location
book.translate.xml:60291
Translation file
books/zh_CN/handbook.po, string 9887