本章习题 11.7. 8.7 参考数据与延伸阅读 12. 第九章、防火墙与 NAT 服务器 12.1. 9.1 认识防火墙 12.2. 9.2 TCP Wrappers 12.3. 9.3 Linux 的封包过滤软件：iptables 12.4. 9.4 单机防火墙的一个实例 12.5. 9.5 NAT 服务器的设定 12.6. 9.6 重点回顾 12.7. 9.7 本章习题 12 既然如此，我们就好好的来探索一下 Linux 的网络世界吧！首先， Linux 到底可以达成哪些网络功能呢？这可就 多着咯！不论是 WWW, Mail, FTP, DNS, 或者是 DHCP, NAT 与 Router 等等，Linux 系统都可以达到，而 且，只要一部 Linux 就能够达到上面所有的功能了！当然，那是在不考虑网络安全与效能的情况下，你可以使用一 部 Linux 主机来达成所有的网络功能。 介绍，这里不再赘言。只是需要注意的是， 若 (1)需要架设网站来上网，建议网络使用桥接模式 (bridge) ，且网络卡类型使用 Intel 的桌面计算机类型即 可。 (2)由于我们未来会教导 NAT 服务器，因此最好有两张网卡，一张使用 bridge 一张使用内网 (intnet) 较佳。 而 (3)磁盘配置建议使用 SATA 类型，且容量请给予 25GB 以上。 (4)内存至少该给予 512MB

availability. By default, this tutorial will create: VPC with 2 public and private subnets Bastion Hosts and NAT Gateways in the Public Subnet Three of each (masters, etcd, and worker nodes) in the Private Subnet following, which will be resolved in upcoming Cilium releases: IPVLAN L2 mode L7 policy enforcement NAT64 IPVLAN with tunneling Note The ipvlan-based datapath in L3 mode requires v4.12 or more recent Linux kernel’s socket is actually connected to the backend address and therefore no additional lower layer NAT is required. Deploy Cilium: kubectl create -f cilium.yaml kubectl -n kube-system get pods -l k8s-app=cilium

availability. By default, this tutorial will create: VPC with 2 public and private subnets Bas�on Hosts and NAT Gateways in the Public Subnet Three of each (masters, etcd, and worker nodes) in the Private Subnet following, which will be resolved in upcoming Cilium releases: IPVLAN L2 mode L7 policy enforcement NAT64 IPVLAN with tunneling Note The ipvlan-based datapath in L3 mode requires v4.12 or more recent containers). This ensures simplicity in architecture, avoids unnecessary network address transla�on (NAT) and provides each individual container with a full range of port numbers to use. The logical consequence

availability. By default, this tutorial will create: VPC with 2 public and private subnets Bastion Hosts and NAT Gateways in the Public Subnet Three of each (masters, etcd, and worker nodes) in the Private Subnet will be resolved in upcoming Cilium releases: IPVLAN L2 mode L7 policy enforcement FQDN Policies NAT64 IPVLAN with tunneling BPF-based masquerading Note The ipvlan-based datapath in L3 mode requires kernel’s socket is actually connected to the backend address and therefore no additional lower layer NAT is required. Verify that it has come up correctly: kubectl -n kube-system get pods -l k8s-app=cilium

translation right in the Linux kernel’s socket layer (e.g. at TCP connect time) such that per-packet NAT operations overhead can be avoided in lower layers. Bandwidth Management Cilium implements bandwidth availability. By default, this tutorial will create: VPC with 2 public and private subnets Bastion Hosts and NAT Gateways in the Public Subnet Three of each (masters, etcd, and worker nodes) in the Private Subnet will be resolved in upcoming Cilium releases: IPVLAN L2 mode L7 policy enforcement FQDN Policies NAT64 IPVLAN with tunneling eBPF-based masquerading Note The ipvlan-based datapath in L3 mode requires

translation right in the Linux kernel’s socket layer (e.g. at TCP connect time) such that per-packet NAT operations overhead can be avoided in lower layers. Bandwidth Management Cilium implements bandwidth availability. By default, this tutorial will create: VPC with 2 public and private subnets Bastion Hosts and NAT Gateways in the Public Subnet Three of each (masters, etcd, and worker nodes) in the Private Subnet will be resolved in upcoming Cilium releases: IPVLAN L2 mode L7 policy enforcement FQDN Policies NAT64 IPVLAN with tunneling eBPF-based masquerading Note The ipvlan-based datapath in L3 mode requires

availability. By default, this tutorial will create: VPC with 2 public and private subnets Bastion Hosts and NAT Gateways in the Public Subnet Three of each (masters, etcd, and worker nodes) in the Private Subnet will be resolved in upcoming Cilium releases: IPVLAN L2 mode L7 policy enforcement FQDN Policies NAT64 IPVLAN with tunneling Note The ipvlan-based datapath in L3 mode requires v4.12 or more recent Linux kernel’s socket is actually connected to the backend address and therefore no additional lower layer NAT is required. Verify that it has come up correctly: kubectl -n kube-system get pods -l k8s-app=cilium

translation right in the Linux kernel’s socket layer (e.g. at TCP connect time) such that per-packet NAT operations overhead can be avoided in lower layers. Bandwidth Management Cilium implements bandwidth added by VPC CNI iptables -t nat -F AWS-SNAT-CHAIN-0 \\ && iptables -t nat -F AWS-SNAT-CHAIN-1 \\ && iptables -t nat -F AWS-CONNMARK-CHAIN-0 \\ && iptables -t nat -F AWS-CONNMARK-CHAIN-1 Some availability. By default, this tutorial will create: VPC with 2 public and private subnets Bastion Hosts and NAT Gateways in the Public Subnet Three of each (masters, etcd, and worker nodes) in the Private Subnet

kernel network stack raw PREROUTING mangle PREROUTING nat PREROUTING tc ingress conntrack filter FORWARD mangle POSTROUING nat POSTROUING tc egress veth XDP的性能上限极高，可能是 TC 的 10 倍左右 raw PREROUTING mangle PREROUTING nat PREROUTING tc ingress conntrack filter FORWARD mangle POSTROUING nat POSTROUING tc egress routing XDP kernel ethernet driver kube-proxy DNAT kube-proxy SNAT worker node nodePort request backend endpoint tc eBPF NAT XDP eBPF NAT DSR 加速南北向 nodePort 访问 传统的 nodePort 转发，伴随着 SNAT的发生。而 Cilium 为 nodePort 提供了 native 和 IPIP

至少所需要的硬件配备是如何吧！假设一台 Linux 主机，他主要的功能是 用来作为 NAT 主机，所谓的 NAT 主机也就是类似『IP 分享器』 的功能，而且用这台 NAT 主机的 PC 数并不多，那你只需要 Pentun-166, 32MB RAM, 及一块不太特殊的显示卡及网络卡也就够了！当然， 硬件的需求与你服务的对象多寡是有相当的相关性的！在这个一般家庭的 NAT 主机的环境下，你所需 要的硬件大致的需求如下： • 不含 X Window 桌上型 Linux 系 统 含 X-Window 中大型 Linux Server 中大型 Linux Server 含 X-Window 用途 家庭用 NAT 主机，或 者是小型企业用来架设 非图形接口的小型主机。 就是您用来学习 Linux ，并且打 算在该计算机上 面玩跟 X- Window 有关的 软件。 中小型企业或者是学校单位 用来作为全校的 卡应该都可以符合这个功能！ 除非你的 Linux 还必须用来 发展图形软件，否则，目前 主流显示卡接口就够了！ ( AGP 界面 ) 硬盘 硬盘空间足够将你所需 要的服务安装完毕即可！ 例如，如果单纯的 NAT 主机，那只要 640 MB 以上的硬盘即可！ 但是如果你还需要其它 的服务功能，例如 FTP, Mail 等等，那就需要大 一点。通常，一般家庭 或者是小型企业的 Linux 主机， 2~4