这篇文章上次修改于 1135 天前,可能其部分内容已经发生变化,如有疑问可询问作者。 ##Q: I want to simply forward the RTP packet received from one IP:Port pair to another IP:Port pair. I have already done it with iptables. iptables use conntrack module. But there is no need of conntrack in my application. So I want to do it with stateless NAT. I have found that statless NAT rules can be executed with "ip route add nat" command e.g ``` ip route add nat 205.254.211.17 via 192.168.100.17 ``` This command tells the kernel to perform network address translation on any packet bound for 205.254.211.17. The parameter via tells the NAT code to rewrite the packet bound for 205.254.211.17 with the new destination address 192.168.100.17. As I understand, the problem is this will forward all packets bound for 205.254.211.17 to 192.168.100.17. Is there any option to forward RTP packets received on specific port of 205.254.211.17 to another IP:Port? <!--more--> ##A: By [mangling packet header fields](https://wiki.nftables.org/wiki-nftables/index.php/Mangle_packet_header_fields) with [nftables](https://wiki.nftables.org/wiki-nftables/index.php/What_is_nftables%3F) it's possible, without even using `ip route add nat` which, as a simple router functionality, is limited to layer 3 (IP), not layer 4 (TCP, UDP, ...). WARNING: requires nftables >= 0.6 (>= 0.7 here if using notrack) and kernel >= 4.10. Tested here with nftables 0.8.3 and kernel 4.15.x. It's quite compact, because nftables can combine multiple targets (3 targets here): ``` # nft add table raw # nft 'add chain raw prerouting {type filter hook prerouting priority -300;}' # nft add rule raw prerouting ip daddr 205.254.211.17 udp dport 5004 notrack ip daddr set 192.168.100.17 udp dport set 5006 ``` Quotes on the 2nd line to avoid shell interpretation. If doing tests, the fastest way to remove all of nft is [`nft flush ruleset`](https://wiki.nftables.org/wiki-nftables/index.php/Operations_at_ruleset_level#flushing). So just reading it aloud, the rule tells to select only an IP packet with destination 205.254.211.17, being UDP with destination port 5004, then [tags it as non trackable](https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_connection_tracking_metainformation#notrack) (by conntrack, if it's loaded), sets its destination IP to 192.168.100.17 and sets its destination port to 5006. You can mix `nftables` with `iptables` rules without much problem as long as you don't use `nat` tables on both at the same time (fine, you don't want to use that anyway). Being able to state the explicit [chain priority](https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority) even allows to choose if nftables hooks will run before or after corresponding iptables hooks, eg here by choosing -301 or -299 to be certain to run before or after iptables' `raw` table if there was such need. ref: https://unix.stackexchange.com/questions/429077/how-to-do-nat-based-on-port-number-in-stateless-nat
没有评论