1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
table ip nftlb {
map filter-proto-services {
type inet_proto . ipv4_addr . inet_service : verdict
elements = { tcp . 10.20.10.50 . 25 : goto filter-Ex-SMTP }
}
map nat-proto-services {
type inet_proto . ipv4_addr . inet_service : verdict
elements = { tcp . 10.20.10.50 . 25 : goto nat-Ex-SMTP }
}
map services-back-m {
type mark : ipv4_addr
elements = { 0x00000200 : 10.20.10.50, 0x00000201 : 10.20.10.50 }
}
chain filter {
type filter hook prerouting priority mangle; policy accept;
meta mark 0x00000000 meta mark set ct mark
ip protocol . ip daddr . th dport vmap @filter-proto-services
}
chain filter-Ex-SMTP {
ct state new ct mark 0x00000000 ct mark set numgen random mod 10 map { 0-4 : 0x00000200, 5-9 : 0x00000201 }
}
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
ct state new meta mark 0x00000000 meta mark set ct mark
ip protocol . ip daddr . th dport vmap @nat-proto-services
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ct mark 0x00000000 ct mark set meta mark
ct mark 0x80000000/1 masquerade
snat to ct mark map @services-back-m
}
chain nat-Ex-SMTP {
log prefix "IN-Ex-SMTP "
ip protocol tcp dnat ip to ct mark map { 0x00000200 : 10.20.10.25 . 25, 0x00000201 : 10.20.10.26 . 25 }
}
}
|
