  Linux 2.4 NAT HOWTO
  Rusty Russell, mailing list netfilter@lists.samba.org
  $Revision: 1.18 $ $Date: 2002/01/14 09:35:13 $
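  Japanese translation: yomoyomo (ymgrtq@ma.neweb.ne.jp)
  v1.18j, 2002-02-01

  This document describes how to do masquerading, transparent proxying,
  port forwarding, and other forms of Network Address Translation with
  the 2.4 Linux kernels. The original is at
  <http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO/index.html>.
  ______________________________________________________________________

  Table of Contents

  1. Introduction
  2. Where is the official Web Site and List?
     2.1 What is Network Address Translation?
     2.2 Why Would I Want To Do NAT?

  3. The Two Types of NAT
  4. Quick Translation From 2.0 and 2.2 Kernels
     4.1 I just want masquerading! Help!
     4.2 What about ipmasqadm?

  5. Controlling What To NAT
     5.1 Simple Selection using iptables
     5.2 Finer Points Of Selecting What Packets To Mangle

  6. Saying How To Mangle The Packets
     6.1 Source NAT
        6.1.1 Masquerading
     6.2 Destination NAT
        6.2.1 Redirection
     6.3 Mappings In Depth
        6.3.1 Selection Of Multiple Addresses in a Range
        6.3.2 Creating Null NAT Mappings
        6.3.3 Standard NAT Behavior
        6.3.4 Implicit Source Port Mapping
        6.3.5 What Happens When NAT Fails
        6.3.6 Multiple Mappings, Overlap and Clashes
        6.3.7 Altering the Destination of Locally-Generated Connections

  7. Special Protocols
  8. Caveats on NAT
  9. Source NAT and Routing
  10. Destination NAT Onto the Same Network
  11. Thanks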

  ______________________________________________________________________

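  1.  Introduction

  Welcome, gentle reader.

  You are about to delve into the fascinating (and sometimes horrid)
  world of NAT: Network Address Translation, and this HOWTO is going to
  be your somewhat accurate guide to the 2.4 Linux Kernel and beyond.

  In Linux 2.4, an infrastructure for mangling packets was introduced,
  called `netfilter'. A layer on top of this provides NAT, completely
  reimplemented from previous kernels.

  (C) 2000 Paul `Rusty' Russell.  Licensed under the GNU GPL.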

  2.  Where is the official Web Site and List?

  There are three official sites:

  o  Thanks to Filewatcher <http://netfilter.filewatcher.org/>.

  o  Thanks to The Samba Team and SGI <http://netfilter.samba.org/>.

  o  Thanks to Harald Welte <http://netfilter.gnumonks.org/>.

  You can reach all of them using round-robin DNS via
  <http://www.netfilter.org/> and <http://www.iptables.org/>.

  For the official netfilter mailing list, see netfilter List
  <http://lists.samba.org/>.

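  2.1.  What is Network Address Translation?

  Normally, packets on a network travel from their source (such as your
  home computer) to their destination (such as www.gnumonks.org) through
  many different links: about 19 from where I am in Australia. None of
  these links really alter your packet: they just send it onward.

  If one of these links were to do NAT, then they would alter the source
  or destination of the packet as it passes through. As you can
  imagine, this is not how the system was designed to work, and hence
  NAT is always something of a crock. Usually the link doing NAT will
  remember how it mangled a packet, and when a reply packet passes
  through the other way, it will do the reverse mangling on that reply
  packet, so everything works.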

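  2.2.  Why Would I Want To Do NAT?

  In a perfect world, you wouldn't. Meanwhile, the main reasons are:

     Modem Connections To The Internet
        Most ISPs give you a single IP address when you dial up to
        them. You can send out packets with any source address you
        want, but only replies to packets with this source IP address
        will return to you. If you want to use multiple different
        machines (such as a home network) to connect to the Internet
        through this one link, you'll need NAT.

        This is by far the most common use of NAT today, commonly
        known as `masquerading' in the Linux world. I call this SNAT,
        because you change the source address of the first packet.

     Multiple Servers
        Sometimes you want to change where packets heading into your
        network will go. Frequently this is because (as above) you
        have only one IP address, but you want people to be able to
        get into the boxes behind the one with the `real' IP address.
        If you rewrite the destination of incoming packets, you can
        manage this. This type of NAT was called port-forwarding under
        previous versions of Linux.

        A common variation of this is load-sharing, where the mapping
        ranges over a set of machines, fanning packets out to them. If
        you're doing this on a serious scale, you may want to look at
        the following page.

        Linux Virtual Server <http://linuxvirtualserver.org/>

     Transparent Proxying
        Sometimes you want to pretend that each packet which passes
        through your Linux box is destined for a program on the Linux
        box itself. This is used to make transparent proxies: a proxy
        is a program which stands between your network and the outside
        world, shuffling communication between the two. The
        transparent part is because your network won't even know it's
        talking to a proxy, unless of course, the proxy doesn't work.

        Squid can be configured to work this way, and it is called
        redirection or transparent proxying under previous Linux
        versions.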

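  3.  The Two Types of NAT

  I divide NAT into two different types: Source NAT (SNAT) and
  Destination NAT (DNAT).

  Source NAT is when you alter the source address of the first packet:
  i.e. you are changing where the connection is coming from. Source NAT
  is always done post-routing, just before the packet goes out onto the
  wire. Masquerading is a specialized form of SNAT.

  Destination NAT is when you alter the destination address of the
  first packet: i.e. you are changing where the connection is going to.
  Destination NAT is always done before routing, when the packet first
  comes off the wire. Port forwarding, load sharing, and transparent
  proxying are all forms of DNAT.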

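  4.  Quick Translation From 2.0 and 2.2 Kernels

  Sorry to those of you still shell-shocked from the 2.0 (ipfwadm) to
  2.2 (ipchains) transition. There's good and bad news.

  Firstly, you can simply use ipchains and ipfwadm as before. To do
  this, you need to insmod the `ipchains.o' or `ipfwadm.o' kernel
  modules found in the latest netfilter distribution. These are
  mutually exclusive (you have been warned), and should not be combined
  with any other netfilter modules.

  Once one of these modules is installed, you can use ipchains and
  ipfwadm as normal, with the following differences:

  o  Setting the masquerading timeouts with ipchains -M -S, or ipfwadm
     -M -s does nothing. Since the timeouts are longer for the new NAT
     infrastructure, this should not matter.

  o  The init_seq, delta and previous_delta fields in the verbose
     masquerade listing are always zero.

  o  Zeroing and listing the counters at the same time with `-Z -L'
     does not work any more: the counters will not be zeroed.

  o  The backward compatibility layer doesn't scale very well for large
     numbers of connections: don't use it for your corporate gateway!

  Hackers may also notice:

  o  You can now bind to ports 61000-65095 even if you're masquerading.
     The masquerading code used to assume anything in this range was
     fair game, so programs couldn't use it.

  o  The (undocumented) `getsockname' hack, which transparent proxy
     programs could use to find out the real destinations of
     connections, no longer works.

  o  The (undocumented) bind-to-foreign-address hack is also not
     implemented; this was used to complete the illusion of transparent
     proxying.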

  4.1.  I just want masquerading! Help!

  This is what most people want. If you have a dynamically allocated IP
  PPP dialup (if you don't know, you do have one), you simply want to
  tell your box that all packets coming from your internal network
  should be made to look like they are coming from the PPP dialup box.

       # Load the NAT module (this pulls in all the others).
       modprobe iptable_nat

       # In the NAT table (-t nat), Append a rule (-A) after routing
       # (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
       # MASQUERADE the connection (-j MASQUERADE).
       iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

       # Turn on IP forwarding
       echo 1 > /proc/sys/net/ipv4/ip_forward

  Note that you are not doing any packet filtering here: for that, see
  `Mixing NAT and Packet Filtering' in the Packet Filtering HOWTO.

  4.2.  What about ipmasqadm?

  This is a much more niche user base, so I didn't worry about
  backwards compatibility as much. You can simply use `iptables -t nat'
  to do port forwarding. So for example, in Linux 2.2 you might have
  done:

       # Linux 2.2
       # Forward TCP packets going to port 8080 on 1.2.3.4 to 192.168.1.1's port 80
       ipmasqadm portfw -a -P tcp -L 1.2.3.4 8080 -R 192.168.1.1 80

  Now you would do:

       # Linux 2.4
       # Append a rule before routing (-A PREROUTING) to the NAT table (-t nat) that
       # TCP packets (-p tcp) going to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080)
       # have their destination mapped (-j DNAT) to 192.168.1.1, port 80
       # (--to 192.168.1.1:80).
       iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 8080 \
               -j DNAT --to 192.168.1.1:80

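  5.  Controlling What To NAT

  You need to create NAT rules which tell the kernel what connections
  to change, and how to change them. To do this, we use the very
  versatile iptables tool, and tell it to alter the NAT table by
  specifying the `-t nat' option.

  The table of NAT rules contains three lists called `chains': each
  rule is examined in order until one matches. The two chains are
  called PREROUTING (for Destination NAT, as packets first come in),
  and POSTROUTING (for Source NAT, as packets leave). The third
  (OUTPUT) will be ignored here.

  The following diagram would illustrate it quite well if I had any
  artistic talent: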

             _____                                     _____
            /     \                                   /     \
          PREROUTING -->[Routing ]----------------->POSTROUTING----->
            \D-NAT/     [Decision]                    \S-NAT/
                            |                            ^
                            |                            |
                            |                            |
                            |                            |
                            |                            |
                            |                            |
                            |                            |
                            --------> Local Process ------

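  At each of the points above, when a packet passes we look up what
  connection it is associated with. If it's a new connection, we look
  up the corresponding chain in the NAT table to see what to do with
  it. The answer it gives will apply to all future packets on that
  connection.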

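  5.1.  Simple Selection using iptables

  iptables takes a number of standard options as listed below. All the
  double-dash options (those starting with `--') can be abbreviated, as
  long as iptables can still tell them apart from the other possible
  options. If your kernel has iptables support as a module, you'll need
  to load the ip_tables.o module first: `insmod ip_tables'.

  The most important option here is the table selection option, `-t'.
  For all NAT operations, you will want to use `-t nat' for the NAT
  table. The second most important option to use is `-A' to append a
  new rule at the end of the chain (e.g. `-A POSTROUTING'), or `-I' to
  insert one at the beginning (e.g. `-I PREROUTING').

  You can specify the source (`-s' or `--source') and destination (`-d'
  or `--destination') of the packets you want to NAT. These options can
  be followed by a single IP address (e.g. 192.168.1.1), a name (e.g.
  www.gnumonks.org), or a network address (e.g. 192.168.1.0/24 or
  192.168.1.0/255.255.255.0).

  You can specify the incoming (`-i' or `--in-interface') or outgoing
  (`-o' or `--out-interface') interface to match, but which you can
  specify depends on which chain you are putting the rule into: at
  PREROUTING you can only select incoming interface, and at POSTROUTING
  you can only select outgoing interface. If you use the wrong one,
  iptables will give an error.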

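  5.2.  Finer Points Of Selecting What Packets To Mangle

  I said above that you can specify a source and destination address.
  If you omit the source address option, then any source address will
  do. If you omit the destination address option, then any destination
  address will do.

  You can also indicate a specific protocol (`-p' or `--protocol'),
  such as TCP or UDP; only packets of this protocol will match the
  rule. The main reason for doing this is that specifying a protocol of
  tcp or udp then allows extra options: specifically the
  `--source-port' and `--destination-port' options (abbreviated as
  `--sport' and `--dport').

  These options allow you to specify that only packets with a certain
  source and destination port will match the rule. This is useful for
  redirecting web requests (TCP port 80 or 8080) and leaving other
  packets alone.

  These options must follow the `-p' option (which has a side-effect of
  loading the shared library extension for that protocol). You can use
  port numbers, or a name from the /etc/services file.

  All the different qualities you can select a packet by are detailed
  in painful detail in the manual page (man iptables).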

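  6.  Saying How To Mangle The Packets

  So now we know how to select the packets we want to mangle. To
  complete our rule, we need to tell the kernel exactly what we want it
  to do to the packets.

  6.1.  Source NAT

  You want to do Source NAT; change the source address of connections
  to something different. This is done in the POSTROUTING chain, just
  before the packet is finally sent out; this is an important detail,
  since it means that anything else on the Linux box itself (routing,
  packet filtering) will see the packet unchanged. It also means that
  the `-o' (outgoing interface) option can be used.

  Source NAT is specified using `-j SNAT', and the `--to-source' option
  specifies an IP address, a range of IP addresses, and an optional
  port or range of ports (for UDP and TCP protocols only).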

       ## Change source addresses to 1.2.3.4.
       # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

       ## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
       # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6

       ## Change source addresses to 1.2.3.4, ports 1-1023
       # iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023

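  6.1.1.  Masquerading

  There is a specialized case of Source NAT called masquerading: it
  should only be used for dynamically-assigned IP addresses, such as
  standard dialups (for static IP addresses, use SNAT above).

  You don't need to put in the source address explicitly with
  masquerading: it will use the source address of the interface the
  packet is going out from. But more importantly, if the link goes
  down, the connections (which are now lost anyway) are forgotten,
  meaning fewer glitches when the connection comes back up with a new
  IP address.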

       ## Masquerade everything out ppp0.
       # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

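  6.2.  Destination NAT

  This is done in the PREROUTING chain, just as the packet comes in;
  this means that anything else on the Linux box itself (routing,
  packet filtering) will see the packet going to its `real'
  destination. It also means that the `-i' (incoming interface) option
  can be used.

  Destination NAT is specified using `-j DNAT', and the
  `--to-destination' option specifies an IP address, a range of IP
  addresses, and an optional port or range of ports (for UDP and TCP
  protocols only).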

       ## Change destination addresses to 5.6.7.8
       # iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8

       ## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
       # iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10

       ## Change destination addresses of web traffic to 5.6.7.8, port 8080.
       # iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 \
               -j DNAT --to 5.6.7.8:8080

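  6.2.1.  Redirection

  There is a specialized case of Destination NAT called redirection:
  it is a simple convenience which is exactly equivalent to doing DNAT
  to the address of the incoming interface.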

       ## Send incoming port-80 web traffic to our squid (transparent) proxy
       # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
               -j REDIRECT --to-port 3128

  Note that squid needs to be configured to know it's a transparent
  proxy!

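  6.3.  Mappings In Depth

  There are some subtleties to NAT which most people will never have to
  deal with. They are documented here for the curious.

  6.3.1.  Selection Of Multiple Addresses in a Range

  If a range of IP addresses is given, the IP address to use is chosen
  based on the least currently used IP for connections the machine
  knows about. This gives primitive load-balancing.

  6.3.2.  Creating Null NAT Mappings

  You can use the `-j ACCEPT' target to let a connection through
  without any NAT taking place.

  6.3.3.  Standard NAT Behavior

  The default behavior is to alter the connection as little as
  possible, within the constraints of the rule given by the user. This
  means we won't remap ports unless we have to.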

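  6.3.4.  Implicit Source Port Mapping

  Even when no NAT is requested for a connection, source port
  translation may occur implicitly, if another connection has been
  mapped over the new one. Consider the case of masquerading, which is
  rather common:

  1. A web connection is established by a box 192.1.1.1 from port 1024
     to www.netscape.com port 80.

  2. This is masqueraded by the masquerading box to use its source IP
     address (1.2.3.4).

  3. The masquerading box itself then tries to make a web connection to
     www.netscape.com port 80 from 1.2.3.4 (its external interface
     address) port 1024.

  4. The NAT code will alter the source port of the second connection
     to 1025, so that the two don't clash.

  When this implicit source mapping occurs, ports are divided into
  three classes:

  o  Ports below 512

  o  Ports between 512 and 1023

  o  Ports 1024 and above

  A port will never be implicitly mapped into a different class.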

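  6.3.5.  What Happens When NAT Fails

  If there is no way to uniquely map a connection as the user requests,
  it will be dropped. This also applies to packets which could not be
  classified as part of any connection, because they are malformed, or
  the NAT box is out of memory, etc.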
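
  The port-class rule of 6.3.4 and the drop-on-failure rule of 6.3.5,
  as a small Python model. This is an added example, not netfilter code
  and not part of the original HOWTO; the NatTable class, its method and
  the linear upward scan inside a class are assumptions for illustration.

```python
# Simplified model of implicit source-port mapping (illustrative only).
# Assumption: candidates are tried by scanning upward from the original
# port and wrapping around inside the port's own class.

PORT_CLASSES = [(0, 511), (512, 1023), (1024, 65535)]  # the three classes


def port_class(port):
    """Return the (low, high) bounds of the class a source port falls in."""
    for low, high in PORT_CLASSES:
        if low <= port <= high:
            return low, high
    raise ValueError("port out of range: %r" % (port,))


class NatTable:
    """Tracks translated tuples so that no two connections collide."""

    def __init__(self):
        # (src_ip, src_port, dst_ip, dst_port) tuples already in use.
        self.in_use = set()

    def map_connection(self, src_ip, src_port, dst_ip, dst_port,
                       new_src_ip=None):
        """Return the translated tuple, or None if the connection is dropped."""
        ip = new_src_ip or src_ip        # SNAT/masquerade address, if any
        low, high = port_class(src_port)
        span = high - low + 1
        for offset in range(span):       # offset 0 keeps the original port
            candidate = low + (src_port - low + offset) % span
            tup = (ip, candidate, dst_ip, dst_port)
            if tup not in self.in_use:
                self.in_use.add(tup)
                return tup
        return None                      # class exhausted: no unique mapping
```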

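  6.3.6.  Multiple Mappings, Overlap and Clashes

  You can have NAT rules which map packets onto the same range; the NAT
  code is clever enough to avoid clashes. Hence having two rules which
  map the source addresses 192.168.1.1 and 192.168.1.2 respectively
  onto 1.2.3.4 is fine.

  Furthermore, you can map over real, used IP addresses, as long as
  those addresses pass through the mapping box as well. So if you have
  an assigned network (1.2.3.0/24), but have one internal network using
  those addresses and one using the Private Internet Addresses
  192.168.1.0/24, you can simply NAT the 192.168.1.0/24 source
  addresses onto the 1.2.3.0 network, without fear of clashing:

       # iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
               -j SNAT --to 1.2.3.0/24

  The same logic applies to addresses used by the NAT box itself: this
  is how masquerading works (by sharing the interface address between
  masqueraded packets and `real' packets coming from the box itself).

  Moreover, you can map the same packets onto many different targets,
  and they will be shared. For example, if you don't want to map
  anything over 1.2.3.5, you could do: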

       # iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
               -j SNAT --to 1.2.3.0-1.2.3.4 --to 1.2.3.6-1.2.3.254

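  6.3.7.  Altering the Destination of Locally-Generated Connections

  The NAT code allows you to insert DNAT rules in the OUTPUT chain, but
  this is not fully supported in 2.4 (it can be, but it requires a new
  configuration option, some testing, and a fair bit of coding, so
  unless someone contracts Rusty to write it, I wouldn't expect it
  soon).

  The current limitation is that you can only change the destination to
  the local machine (e.g. `-j DNAT --to 127.0.0.1'), not to any other
  machine, otherwise the replies won't be translated correctly.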

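  7.  Special Protocols

  Some protocols do not like being NAT'ed. For each of these protocols,
  two extensions must be written; one for the connection tracking of
  the protocol, and one for the actual NAT.

  Inside the netfilter distribution, there are currently modules for
  FTP: ip_conntrack_ftp.o and ip_nat_ftp.o. If you insmod these into
  your kernel (or you compile them in permanently), then doing any kind
  of NAT on FTP connections should work. If you don't, then you can
  only use passive FTP, and even that might not work reliably if you're
  doing more than simple Source NAT.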

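  8.  Caveats on NAT

  If you are doing NAT on a connection, all packets passing both ways
  (in and out of the network) must pass through the NAT'ed box,
  otherwise it won't work reliably. In particular, the connection
  tracking code reassembles fragments, which means that not only will
  connection tracking not be reliable, but your packets may not get
  through at all, as fragments will be withheld.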

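  9.  Source NAT and Routing

  If you are doing SNAT, you will want to make sure that every machine
  the SNAT'ed packets go to will send replies back to the NAT box. For
  example, if you are mapping some outgoing packets onto the source
  address 1.2.3.4, then the outside router must know that it is to send
  reply packets (which will have destination 1.2.3.4) back to the NAT
  box. This can be done in the following ways:

  1. If you are doing SNAT onto the NAT box's own address (for which
     routing and everything already works), you don't need to do
     anything.

  2. If you are doing SNAT onto an unused address on the local LAN (for
     example, you're mapping onto 1.2.3.99, a free IP on your
     1.2.3.0/24 network), your NAT box will need to respond to ARP
     requests for that address as well as its own: the easiest way to
     do this is to create an IP alias, e.g.: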

       # ip address add 1.2.3.99 dev eth0

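  3. If you are doing SNAT onto a completely different address, you
     will have to ensure that the machines the SNAT packets will hit
     will route this address back to the NAT box. This is already
     achieved if the NAT box is their default gateway, otherwise you
     will need to advertise a route (if running a routing protocol) or
     manually add routes to each machine involved.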

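  10.  Destination NAT Onto the Same Network

  If you are doing port forwarding back onto the same network, you need
  to make sure that both future packets and reply packets pass through
  the NAT box (so they can be altered). The NAT code will now (since
  2.4.0-test6) block the outgoing ICMP redirect which is produced when
  the NAT'ed packet heads out the same interface it came in on, but the
  receiving server will still try to reply directly to the client
  (which won't recognize the reply).

  The classic case is that internal staff try to access your `public'
  web server, which is actually DNAT'ed from the public address
  (1.2.3.4) to an internal machine (192.168.1.1), like so:

       # iptables -t nat -A PREROUTING -d 1.2.3.4 \
               -p tcp --dport 80 -j DNAT --to 192.168.1.1

  One way is to run an internal DNS server which knows the real
  (internal) IP address of your public web site, and forwards all other
  requests to an external DNS server. This means that the logging on
  your web server will show the internal IP addresses correctly
  (Translator's note: this assumes that packets from internal users to
  the web server reach the server directly, without IP address
  translation and without passing through the NAT box).

  The other way is to have the NAT box also map the source IP address
  to its own for these connections, fooling the server into replying
  through it. In this example, we would do the following (assuming the
  internal IP address of the NAT box is 192.168.1.250):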

       # iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 \
               -p tcp --dport 80 -j SNAT --to 192.168.1.250

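  Because the PREROUTING rule gets run first, the packets will already
  be destined for the internal web server by the time the rule above
  runs: we can tell which ones are internally sourced by the source IP
  addresses.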
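
  The two outcomes described in this section, traced packet by packet
  in a small Python model. This is an added example, not part of the
  original HOWTO and not netfilter code; the function names are
  hypothetical, ports are ignored, and it assumes the NAT box is the
  web server's default gateway.

```python
import ipaddress

# Addresses taken from the rules in this section.
PUBLIC, SERVER, NATBOX = "1.2.3.4", "192.168.1.1", "192.168.1.250"
LAN = ipaddress.ip_network("192.168.1.0/24")


def on_lan(addr):
    """True if addr belongs to the internal network 192.168.1.0/24."""
    return ipaddress.ip_address(addr) in LAN


def nat_forward(src, dst, snat_rule):
    """PREROUTING DNAT, then the optional POSTROUTING SNAT; returns (src, dst)."""
    if dst == PUBLIC:                    # -d 1.2.3.4 ... -j DNAT --to 192.168.1.1
        dst = SERVER
    if snat_rule and dst == SERVER and on_lan(src):
        src = NATBOX                     # ... -j SNAT --to 192.168.1.250
    return src, dst


def client_accepts_reply(client, snat_rule):
    """Trace one request and its reply; True if the reply fits the connection."""
    seen_src, seen_dst = nat_forward(client, PUBLIC, snat_rule)
    reply_src, reply_dst = seen_dst, seen_src     # server answers what it saw
    if reply_dst == NATBOX or not on_lan(reply_dst):
        # Assumption: off-LAN replies leave via the NAT box (default gateway).
        # The NAT box sees the reply and undoes both translations.
        reply_src, reply_dst = PUBLIC, client
    # Otherwise the server answers the LAN client directly, untranslated,
    # and the client sees a reply from 192.168.1.1 instead of 1.2.3.4.
    return (reply_src, reply_dst) == (PUBLIC, client)


def server_log_source(client, snat_rule):
    """Source address the web server logs for this client."""
    return nat_forward(client, PUBLIC, snat_rule)[0]
```

  With the SNAT rule in place the web server logs 192.168.1.250 for
  every internal client, so per-client attribution has to come from the
  NAT box rather than from the server's own logs.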

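  11.  Thanks

  Thanks first to David Bonn of WatchGuard, who believed in the
  netfilter idea enough to support me while I worked on it.

  And to everyone else who put up with my ranting as I learnt about the
  ugliness of NAT, especially those who read my diary.

  Rusty.

  Translator's Acknowledgments

  The following people pointed out typos and mistranslations in this
  translation. My heartfelt thanks.

  o  office (office@office.ac)

  o  Shiro Kawai (shiro@lava.net)

  o  (YRA05647@nifty.ne.jp)

  o  (takei@webmasters.gr.jp)

  o  (h-yamamo@db3.so-net.ne.jp)

  o  (mizuhara@acm.org)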

