

nftables source address translation (SNAT) with a source address pool

2025-01-31 13:18 huorong

Source address translation (SNAT)

SNAT (Source Network Address Translation) is a network address translation technique that rewrites the source IP address of packets.

A simple SNAT example

Goal: use SNAT so that a single host reaches Baidu from several different IP addresses.

I am using Ubuntu 24.10 here.

Look at the current routes: the gateway is 172.30.128.1 and the on-link network is 172.30.128.0/20.

root@root:~# ip route show
default via 172.30.128.1 dev eth0 proto dhcp src 172.30.136.11 metric 100 
172.30.128.0/20 dev eth0 proto kernel scope link src 172.30.136.11 metric 100 
172.30.128.1 dev eth0 proto dhcp scope link src 172.30.136.11 metric 100 

Within that network range, add two more IP addresses to the Ubuntu host by editing /etc/netplan/50-cloud-init.yaml as follows:

network:
  version: 2
  ethernets:
    eth0:
      dhcp4: true
      addresses:
        - 172.30.132.100/24
        - 172.30.134.100/24

Apply the configuration with the command below. Be aware that this can change the host's existing IP address, which will drop the current SSH connection.

netplan apply 

eth0 now carries the two extra addresses (note that the DHCP-assigned address has also changed, from 172.30.136.11 to 172.30.128.6):

root@root:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:01:03:02 brd ff:ff:ff:ff:ff:ff
    inet 172.30.132.100/24 brd 172.30.132.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 172.30.134.100/24 brd 172.30.134.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 172.30.128.6/20 metric 100 brd 172.30.143.255 scope global dynamic eth0
       valid_lft 86146sec preferred_lft 86146sec
    inet6 fe80::215:5dff:fe01:302/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

Resolve Baidu's domain name with nslookup:

root@root:~# nslookup www.baidu.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	www.baidu.com
Address: 183.2.172.185
Name:	www.baidu.com
Address: 183.2.172.42
www.baidu.com	canonical name = www.a.shifen.com.
Name:	www.a.shifen.com
Address: 240e:ff:e020:9ae:0:ff:b014:8e8b
Name:	www.a.shifen.com
Address: 240e:ff:e020:966:0:ff:b042:f296


Based on the addresses resolved above, 183.2.172.0/24 can be used to match traffic to Baidu and rewrite its source address:

table inet filter {
	chain POSTROUTING {
		# accept by default
		type nat hook postrouting priority 100; policy accept;
		# match on the destination address and rewrite the source address
		ip daddr 183.2.172.0/24 snat ip to 172.30.134.100
	}
}

A tcpdump capture shows that the source address has been rewritten to 172.30.134.100:

root@root:~# tcpdump -i any host www.baidu.com -n
tcpdump: WARNING: any: That device doesn't support promiscuous mode
(Promiscuous mode not supported on the "any" device)
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
14:20:39.021516 eth0  Out IP 172.30.134.100.44624 > 183.2.172.42.80: Flags [S], seq 644712093, win 64240, options [mss 1460,sackOK,TS val 1754664379 ecr 0,nop,wscale 6], length 0
14:20:39.035404 eth0  In  IP 183.2.172.42.80 > 172.30.134.100.44624: Flags [S.], seq 1627112309, ack 644712094, win 8192, options [mss 1452,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,wscale 5], length 0
14:20:39.035470 eth0  Out IP 172.30.134.100.44624 > 183.2.172.42.80: Flags [.], ack 1, win 1004, length 0
14:20:39.035545 eth0  Out IP 172.30.134.100.44624 > 183.2.172.42.80: Flags [P.], seq 1:77, ack 1, win 1004, length 76: HTTP: GET / HTTP/1.1
14:20:39.046885 eth0  In  IP 183.2.172.42.80 > 172.30.134.100.44624: Flags [.], ack 77, win 2452, length 0
14:20:39.047740 eth0  In  IP 183.2.172.42.80 > 172.30.134.100.44624: Flags [P.], seq 1:2782, ack 77, win 2452, length 2781: HTTP: HTTP/1.1 200 OK
14:20:39.047784 eth0  Out IP 172.30.134.100.44624 > 183.2.172.42.80: Flags [.], ack 2782, win 1089, length 0
14:20:39.047977 eth0  Out IP 172.30.134.100.44624 > 183.2.172.42.80: Flags [F.], seq 77, ack 2782, win 1089, length 0
14:20:39.052124 eth0  In  IP 183.2.172.42.80 > 172.30.134.100.44624: Flags [P.], seq 1453:2782, ack 77, win 2452, length 1329: HTTP
14:20:39.052183 eth0  Out IP 172.30.134.100.44624 > 183.2.172.42.80: Flags [.], ack 2782, win 1089, options [nop,nop,sack 1 {1453:2782}], length 0

Improving on the rule above, the source IP can be chosen in a load-balanced way, rotating through the address pool in order:

table inet filter {
	chain POSTROUTING {
		# accept by default
		type nat hook postrouting priority 100; policy accept;
		# generate 0, 1, 0, 1 ... in sequence and map each value to a source address
		ip daddr 183.2.172.0/24 snat ip to numgen inc mod 2 map {
			0 : 172.30.132.100,
			1 : 172.30.134.100
		}
	}
}

Alternatively, generate 0 or 1 at random and map it to a source address:

table inet filter {
	chain POSTROUTING {
		# accept by default
		type nat hook postrouting priority 100; policy accept;
		# generate 0 or 1 at random and map the value to a source address
		ip daddr 183.2.172.0/24 snat ip to numgen random mod 2 map {
			0 : 172.30.132.100,
			1 : 172.30.134.100
		}
	}
}

Spreading connections over a pool of source addresses in this way makes it possible to reach a million concurrent connections, since each source address brings its own range of source ports toward the same destination.
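To check that the rules above actually work, the tcpdump capture shown earlier and the numgen pool can be verified from the capture output itself. The following Python is an added example (not from the original post): it parses tcpdump lines in the LINUX_SLL2 format shown above, flags any outbound packet to 183.2.172.0/24 that still carries a non-pool source address, and counts SYNs per pool address so the spread produced by numgen can be seen. The sample lines are constructed; 198.51.100.10 is a documentation address standing in for a destination outside the matched prefix.

```python
# Added example (not from the post): check SNAT results in tcpdump output of the
# LINUX_SLL2 form shown above. Every outbound packet to the matched prefix must
# carry a pool source address; SYNs are counted per pool address to see the spread.
import ipaddress
import re
from collections import Counter

MATCHED_DST = ipaddress.ip_network("183.2.172.0/24")       # 'ip daddr' in the rule
SNAT_POOL = {ipaddress.ip_address("172.30.132.100"),       # map values in the rule
             ipaddress.ip_address("172.30.134.100")}

# '14:20:39.021516 eth0  Out IP 172.30.134.100.44624 > 183.2.172.42.80: Flags [S], ...'
LINE_RE = re.compile(
    r"^\S+\s+(?P<ifname>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+Flags \[(?P<flags>[^\]]*)\]")

def check_snat(lines):
    """Return (leaks, syn_per_source): outbound packets to the matched prefix whose
    source is not a pool address, and the number of SYNs sent from each pool address."""
    leaks, syn_per_source = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["dir"] != "Out":
            continue                        # replies and unparsable lines are ignored
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if dst not in MATCHED_DST:
            continue                        # rule does not match; source is left alone
        if src not in SNAT_POOL:
            leaks.append(line)              # packet left with an untranslated source
        elif m["flags"] == "S":
            syn_per_source[str(src)] += 1   # new connection through this pool address
    return leaks, syn_per_source

# Constructed sample: two lines from the capture above plus made-up ones; 172.30.128.6 is
# the host's own DHCP address, 198.51.100.10 a documentation address outside the prefix.
SAMPLE = """\
14:20:39.021516 eth0  Out IP 172.30.134.100.44624 > 183.2.172.42.80: Flags [S], seq 644712093, win 64240, length 0
14:20:39.035404 eth0  In  IP 183.2.172.42.80 > 172.30.134.100.44624: Flags [S.], seq 1627112309, ack 644712094, win 8192, length 0
14:20:40.100000 eth0  Out IP 172.30.132.100.44630 > 183.2.172.185.80: Flags [S], seq 1, win 64240, length 0
14:20:41.200000 eth0  Out IP 172.30.134.100.44636 > 183.2.172.42.443: Flags [S], seq 2, win 64240, length 0
14:20:42.300000 eth0  Out IP 172.30.128.6.44640 > 183.2.172.42.80: Flags [S], seq 3, win 64240, length 0
14:20:43.400000 eth0  Out IP 172.30.128.6.44650 > 198.51.100.10.80: Flags [S], seq 4, win 64240, length 0
""".splitlines()
if __name__ == "__main__":
    leaks, spread = check_snat(SAMPLE)
    for line in leaks:
        print("NOT translated:", line)
    print("SYNs per pool address:", dict(spread))
```

On a real capture, feed it the output of the tcpdump command from above (for example `tcpdump -i any -n host www.baidu.com > cap.txt` and then `check_snat(open("cap.txt"))`); an untranslated packet in the leaks list means the rule's destination match or the table's hook did not cover that traffic.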
