Thursday, May 8, 2008

Linux Firewall : iptables - NAT

What is NAT?

NAT, Network Address Translation, also known as network masquerading, native address translation or IP masquerading, is a method of translating (changing) the source or destination IP address of traffic as it passes through a device. It can also rewrite the TCP or UDP port of the passing IP packet.

Most of the time it is used to give multiple LAN hosts Internet access through a single public IP.

 

What you must know?

MASQUERADING

Masquerading translates the source address of all outgoing packets to a single IP, and it is done with NAT: the outgoing packet is rewritten to look as if it came from that IP, and the incoming reply packets must be translated back as well.

Masquerading is applied per specified (outgoing) interface.

Source NAT (SNAT)

SNAT is when you alter the source address of the first packet: i.e. you are changing where the connection is coming from. Source NAT is always done post-routing, just before the packet goes out onto the wire. Masquerading is a specialized form of SNAT.

In the dynamic public IP case, whenever the source IP changes, the source port numbers may change too. Therefore it is easier to SNAT all outgoing packets on that interface. Also bear in mind that SNAT implicitly does the reverse translation (a DNAT of the replies) as well.

Destination NAT (DNAT)

DNAT is when you alter the destination address of the first packet: i.e. you are changing where the connection is going to. Destination NAT is always done before routing, when the packet first comes off the wire. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.

What is important?

The most important option here is the table selection option, `-t'. For all NAT operations, you will want to use `-t nat' for the NAT table.

You may need to specify the source ( `-s' or `--source' ) and destination ( `-d' or `--destination' ) of the packets you want to NAT. These options can be followed by a single IP address ( e.g. 192.168.1.1 ), a domain name ( e.g. www.justk2.com ), or a network address ( e.g. 192.168.1.0/24 or 192.168.1.0/255.255.255.0 ).

Lastly, you also need to specify the incoming ( `-i' ) or outgoing ( `-o' ) interface to match, but which one you can specify depends on the chain you are putting the rule into: at PREROUTING you can only select the incoming interface, and at POSTROUTING you can only select the outgoing interface.

**If you use the wrong one, iptables will give an error.

Chains in NAT table

There are three (3) different chains in the NAT table: PREROUTING, POSTROUTING and OUTPUT.

PREROUTING Chain

It is for Destination NAT, as packets first come in.

Destination NAT is specified using " -j DNAT ", and the " --to-destination " option specifies an IP address or a range of IP addresses, with an optional port or range of ports (for the UDP and TCP protocols only).

Case 1:

To DNAT all incoming packets for 203.158.26.29 on eth2 to the single LAN station 192.168.10.22 ( the rule matches the public address and rewrites the destination to the LAN address ):

# /sbin/iptables -t nat -A PREROUTING -i eth2 -d 203.158.26.29 -j DNAT --to-destination 192.168.10.22

Case 2:

To DNAT incoming port 8080 on 203.158.26.29 at eth2 to the DMZ station 192.168.10.188 web server ( port 80 ); the protocol and port are matched on the public side and the LAN address:port is given as the new destination:

# /sbin/iptables -t nat -A PREROUTING -i eth2 -p tcp -d 203.158.26.29 --dport 8080 -j DNAT --to-destination 192.168.10.188:80

** This is known as port forwarding.

POSTROUTING Chain

It is for Source NAT, as packets leave.

Source NAT uses " -j SNAT ", and the " --to-source " option specifies an IP address or a range of IP addresses, with an optional port or range of ports (for the UDP and TCP protocols only).

Case 1:

To SNAT the LAN station ( 192.168.92.62 ) from eth0 to a static public (WAN) IP ( 203.158.26.29 ) on eth2:

# /sbin/iptables -t nat -A POSTROUTING -o eth2 -s 192.168.92.62 -j SNAT --to-source 203.158.26.29

Case 2:

To SNAT the entire LAN network ( 10.10.10.0/24 ) from eth1 to a range of WAN IPs ( 203.158.26.29 to 203.158.26.32 ) on eth2:

# /sbin/iptables -t nat -A POSTROUTING -o eth2 -s 10.10.10.0/24 -j SNAT --to-source 203.158.26.29-203.158.26.32

Case 3:

To NAT the LAN network to a dynamic WAN IP, i.e. a PPP connection:

# /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

OUTPUT Chain

It is for locally generated packets, i.e. traffic from the firewall or router itself.

 

Four steps to make your NAT work

Forward the traffic

If you are using a 2.6-series or newer Linux kernel, the following commands should work.

First, you must allow traffic to be forwarded ( passed ) through your firewall/router. By default the value is 0, which means forwarding is disabled.

# echo 1 > /proc/sys/net/ipv4/ip_forward

In some cases, you may need to edit /etc/sysctl.conf and change the line that says net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1. This essentially tells your kernel to do step one on boot.

** Also remember to accept the traffic passing through your FORWARD chain ( more info in my earlier post )

# /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Post-route the traffic

# /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
