NAT和SNAT

在Kubernetes负载均衡的方案中遇到了SNAT的问题,查资料把SNAT和NAT的大意了解一下

详细信息可以直接访问

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-routing-administration-11-6-0/7.html

A SNAT is similar to a NAT, except for the differences listed in this table.

NATs SNATs
You can map only one original address to a translation address. You can map multiple original addresses to a single translation address. You can even map all node addresses on your network to a single public IP address, in a single SNAT object.
All ports on the internal node are open. By default, SNATs support UDP and TCP only. This makes a SNAT more secure than a NAT.
Local Traffic Manager does not track NAT connections. Local Traffic Manager tracks SNAT connections, which, in turn, allows SNATs and virtual servers to use the same public IP addresses.
You must explicitly enable a NAT on the internal VLAN where the internal node’s traffic arrives on the BIG-IP system. By default, a SNAT that you create is enabled on all VLANs.

About NATs

In some cases, you might want to allow a client on an external network to send a request directly to a specific internal node (thus bypassing the normal load balancing server selection). To send a request directly to an internal server, a client normally needs to know the internal node’s IP address, which is typically a private class IP address. Because private class IP addresses are non-routable, you can instead create a network translation address (NAT). A NAT is a feature of BIG-IP Local Traffic Managerthat provides a routable IP address that an external node can use to send traffic to, or receive traffic from, an internal node.

More specifically, a NAT is an address translation object that instructs Local Traffic Manager (LTM) to translate one IP address in a packet header to another IP address. A NAT consists of a one-to-one mapping of a public IP address to an internal private class IP address.

You can use a NAT in two different ways:

To translate a private class destination address to a public address
When an external node sends traffic to the public IP address defined in a NAT, Local Traffic Manager automatically translates that destination address to the associated private class IP address, which represents a specific node on the internal network. This translation is hidden from the external node that sent the traffic.
To translate a private class source address to a public address
You can also use a NAT to translate an internal node’s private class source IP address to a public IP address. This translation is hidden from the external node that receives the traffic.

To summarize, a NAT provides a routable address for sending packets to or from a node that has a private class IP address.

When you create a NAT, you can map only one private class IP address to a specific public IP address. That is, a NAT always represents a one-to-one mapping between a private class IP address and a public IP address. If you want to map more than one private class IP address (that is, multiple internal nodes) to a single public IP address, you can create a SNAT instead.

Note: NATs do not support port translation, and are not appropriate for protocols that embed IP addresses in the packet, such as FTP, NT Domain, or CORBA IIOP.

Tip: When you use a NAT to provide access to an internal node, all ports on that internal node are open. To mitigate this security risk, consider using a SNAT instead.

Local Traffic Manager can apply a NAT to either an inbound or an outbound connection.

About SNATs

When you need to ensure that server responses always return through the BIG-IP system, or when you want to hide the source addresses of server-initiated requests from external devices, you can implement a SNAT.

A secure network address translation (SNAT) is a BIG-IP Local Traffic Manager feature that translates the source IP address within a connection to a BIG-IP system IP address that you define. The destination node then uses that new source address as its destination address when responding to the request.

For inbound connections, that is, connections initiated by a client node, SNATs ensure that server nodes always send responses back through the BIG-IP system, when the server’s default route would not normally do so. Because a SNAT causes the server to send the response back through the BIG-IP system, the client sees that the response came from the address to which the client sent the request, and consequently accepts the response.

For outbound connections, that is, connections initiated by a server node, SNATs ensure that the internal IP address of the server node remains hidden to an external host when the server initiates a connection to that host.

Important: F5 recommends that before implementing a SNAT, you understand NATs.

原文地址:https://www.cnblogs.com/ericnie/p/9009839.html

时间: 2024-10-11 18:05:43

NAT和SNAT的相关文章

iptables 垫脚石之 NAT DNAT SNAT 代理 深度理解

NAT: SNAT:内网主机访问外网的时候,当外网主机响应的时候路由无法识别源地址,因此需要做源地址转换, 其实,当响应的时候,源地址已经变为目标地址,因此路由也做了DNAT,源地址转换可以隐藏内 网主机,因此,最早是设计来保证内网主机的安全的,但是后来,作为了ipv4公网地址不够用的完 美解决办法,因此,除了安全,还是实现内网中的私网地址通过一个公网地址上网的功能. 其实,做SNAT的时候,可以通过修改公网服务器主机的路由网关,把自己的网关指向路由服务器 的网关也可. DNAT:把内网主机扮作

iptable filter nat MASQUERADE snat dat

在这里,系统会根据IP数据包中的destination ip address中的IP地址对数据包进行分发.如果destination ip adress是本机地址,数据将会被转交给INPUT链.如果不是本机地址,则交给FORWARD链检测. 这也就是说,我们要做的DNAT要在进入这个菱形转发区域之前,也就是在PREROUTING链中做, 比如我们要把访问202.103.96.112的访问转发到192.168.0.112上: iptables -t nat -A PREROUTING -d 202

[daily][network] NAT原理(转)

写在转发之前: 一直以来,我一直有一个疑惑,SNAT的时候,如果两个内网主机恰巧使用了相同的源端口号该怎么办呢? 我自己猜测的方法是改掉一个端口号,把端口一起映射(当然还有另一个设想,就是把包同时广播给两个主机,但这会引发安全问题,给黑客留下方便,pass).然后问题来了,如果某一种特定的服务,双方约定了各自的端口号,对端服务会检查源端口又该怎么办呢? 在这篇文章中提及了这个问题,并给出了我解答,他的解答是,这是NAT存在的固有缺陷.所以一个成熟的开发者,要考虑这个世界上好多人都没有公网IP,要

Linux netfilter 学习笔记 之十二 ip层netfilter的NAT模块代码分析

本节主要是分析NAT模块相关的hook函数与target函数,主要是理清NAT模块实现的原理等. 1.NAT相关的hook函数分析 NAT模块主要是在NF_IP_PREROUTING.NF_IP_POSTROUTING.NF_IP_LOCAL_OUT.NF_IP_LOCAL_IN四个节点上进行NAT操作,在上一节中我们知道nat表中只有PREROUTING.POSTROUTING.LOCAL_OUT三条链,而没有NF_IP_LOCAL_IN链,所以不能创建在LOCAL_IN hook点的SNAT

NAT基本原理及应用

1 概述 1.1 简介 1.1.1 名词解释 公有IP地址:也叫全局地址,是指合法的IP地址,它是由NIC(网络信息中心)或者ISP(网络服务提供商)分配的地址,对外代表一个或多个内部局部地址,是全球统一的可寻 址的地址. 私有IP地址:也叫内部地址,属于非注册地址,专门为组织机构内部使用.因特网分配编号委员会(IANA)保留了3块IP地址做为私有IP地址: 10.0.0.0 ——— 10.255.255.255 172.16.0.0——— 172.16.255.255 192.168.0.0—

网络地址转换NAT原理解析

1 概述 1.1 简介 NAT英文全称是“Network Address Translation”,中文意思是“网络地址转换”,它是一个IETF(Internet Engineering Task Force, Internet工程任务组)标准,允许一个整体机构以一个公用IP(Internet Protocol)地址出现在Internet上.顾名思义,它是一种把内部私有网络地址(IP地址)翻译成合法网络IP地址的技术.因此我们可以认为,NAT在一定程度上,能够有效的解决公网地址不足的问题. 1.

NAT技术与代理服务器

一.NAT技术介绍 1.概念 NAT英文全称是"Network Address Translation",中文意思是"网络地址转换",它是一个IETF(Internet Engineering Task Force, Internet工程任务组)标准,允许一个整体机构以一个公用IP(Internet Protocol)地址出现在Internet上.顾名思义,它是一种把内部私有网络地址(IP地址)转换成合法公有网络IP地址的技术,当在专用网内部的一些主机本来已经分配到

防火墙、Iptables、netfilter/iptables、NAT 概述

防火墙.Iptables.netfilter/iptables.NAT 概述 - 如果你真的想做一件事,你一定会找到方法: 如果你不想做一件事,你一定会找到借口. - ITeye技术网站 一.防火墙的简介 防火墙是指设置在不同网络或网络安全域之间的一系列部件的组合,它能增强机构内部网络的安全性.它通过访问控制机制,确定哪些内部服务允许外部访问,以及 允许哪些外部请求可以访问内部服务.它可以根据网络传输的类型决定IP包是否可以传进或传出内部网 防火墙通过审查经过的每一个数据包,判断它是否有相匹配的

网络知识--网络地址转换NAT原理及其作用

1 概述 1.1 简介 NAT英文全称是"Network Address Translation",中文意思是"网络地址转换",它是一个IETF(Internet Engineering Task Force, Internet工程任务组)标准,允许一个整体机构以一个公用IP(Internet Protocol)地址出现在Internet上.顾名思义,它是一种把内部私有网络地址(IP地址)翻译成合法网络IP地址的技术.因此我们可以认为,NAT在一定程度上,能够有效的