Posted on 2004-6-9 18:51:54
I know that. But I did set state NEW.
Below is an excerpt from
/usr/share/doc/iptables/html/NAT-HOWTO.html
7. Special Protocols
Some protocols do not like being NAT'ed. For each of these protocols, two extensions must be written; one for the connection tracking of the protocol, and one for the actual NAT.
Inside the netfilter distribution, there are currently modules for ftp: ip_conntrack_ftp.o and ip_nat_ftp.o. If you insmod these into your kernel (or you compile them in permanently), then doing any kind of NAT on ftp connections should work. If you don't, then you can only use passive ftp, and even that might not work reliably if you're doing more than simple Source NAT.
8. Caveats on NAT
If you are doing NAT on a connection, all packets passing both ways (in and out of the network) must pass through the NAT'ed box, otherwise it won't work reliably. In particular, the connection tracking code reassembles fragments, which means that not only will connection tracking not be reliable, but your packets may not get through at all, as fragments will be withheld.
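An added example, not part of the original post or of the NAT-HOWTO, showing the rule set the two quoted sections imply: load the FTP conntrack and NAT helpers, do Source NAT, and let only ESTABLISHED/RELATED traffic back into the LAN. The interface names (eth0 Internet side, eth1 LAN side) and the LAN prefix are assumptions; the commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Constructed example: FTP through Source NAT with the netfilter FTP helpers.
# Assumed layout: eth0 faces the Internet, eth1 faces the LAN 192.168.1.0/24.
# By default the commands are echoed; APPLY=1 executes them (needs root).

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

nat_ftp_setup() {
    # Section 7: one module for FTP connection tracking, one for FTP NAT.
    # These are the 2.4 names from the HOWTO; 2.6+ kernels call them
    # nf_conntrack_ftp and nf_nat_ftp.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp

    # Source NAT for everything leaving the LAN through the WAN interface.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE

    # The LAN may open NEW connections outbound. From the Internet only
    # replies (ESTABLISHED) and helper-recognised secondary connections
    # such as the active-mode FTP data channel (RELATED) are accepted;
    # a rule allowing NEW inbound is not what makes FTP work here.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN" -o "$WAN" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Section 8 caveat: conntrack must see both directions of every flow, so the
# NAT box has to be the router in between. Returns 1 if IP forwarding is off.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}
```

If the LAN has another path to the Internet that bypasses this box, the helper never sees the PORT/PASV exchange and the data connection will not be tracked, which is exactly the failure mode the HOWTO warns about.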