What is NAT?
NAT, which stands for Network Address Translation (also known as network masquerading, native address translation or IP masquerading), is a method of translating the source or destination IP address of traffic as it passes through a router or firewall. It may also translate the TCP or UDP port of the passing IP packet.
Most of the time it is used to give multiple LAN hosts Internet access through a single public IP.
What you must know?
MASQUERADING
Masquerading translates all LAN source IPs to a single IP, and it is done with NAT. It rewrites the source address of the outgoing packet, and the incoming reply packets have to be translated back as well.
Masquerading works based on the specified interface: packets leaving through it take that interface's current address.
Source NAT (SNAT)
SNAT is when you alter the source address of the first packet: i.e. you are changing where the connection is coming from. Source NAT is always done post-routing, just before the packet goes out onto the wire. Masquerading is a specialized form of SNAT.
In the dynamic public IP case, whenever the source IP changes, the source port numbers may change too. Therefore it is easier to SNAT (masquerade) all outgoing packets on that interface. Also bear in mind that the reverse translation (DNAT) of the reply packets is done implicitly.
Destination NAT (DNAT)
DNAT is when you alter the destination address of the first packet: i.e. you are changing where the connection is going to. Destination NAT is always done before routing, when the packet first comes off the wire. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.
What is important?
The most important option here is the table selection option, `-t'. For all NAT operations, you will want to use `-t nat' for the NAT table.
You may need to specify the source (`-s' or `--source') and destination (`-d' or `--destination') of the packets you want to NAT. These options can be followed by a single IP address (e.g. 192.168.1.1), a domain name (e.g. www.justk2.com), or a network address (e.g. 192.168.1.0/24 or 192.168.1.0/255.255.255.0).
Lastly, you may also need to specify the incoming (`-i') or outgoing (`-o') interface to match, but which one you can specify depends on the chain you are putting the rule into: in PREROUTING you can only select the incoming interface, and in POSTROUTING you can only select the outgoing interface.
**If you use the wrong one, iptables will give an error.
Chains in the NAT table
There are three (3) different chains in the NAT table: PREROUTING, POSTROUTING and OUTPUT.
PREROUTING Chain
It is for Destination NAT, as packets first come in.
Destination NAT is specified using "-j DNAT", and the "--to-destination" option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for the UDP and TCP protocols only).
Case 1:
To DNAT all incoming packets for 203.158.26.29 on eth2 to the single LAN station 192.168.10.22 (the match is the public address, the target is the LAN address):
# /sbin/iptables -t nat -A PREROUTING -i eth2 -d 203.158.26.29 -j DNAT --to 192.168.10.22
Case 2:
To DNAT incoming TCP port 8080 on 203.158.26.29 at eth2 to the DMZ station 192.168.10.188 web server (port 80). Matching on a port requires "-p tcp":
# /sbin/iptables -t nat -A PREROUTING -i eth2 -p tcp -d 203.158.26.29 --dport 8080 -j DNAT --to 192.168.10.188:80
** This is known as Port forwarding.
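As an added example (not part of the original post), here is a small POSIX shell function that emits the two rules a port forward actually needs: the DNAT rule in PREROUTING and the matching FORWARD rule. The FORWARD rule has to match the translated (DMZ) address and port, because FORWARD is evaluated after DNAT has rewritten the destination. The function name is my own, and the interface, addresses and ports are constructed sample values passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the original post. Prints the iptables commands for
# one TCP port forward; pipe the output into "sh" as root to apply it.
#
# Usage: port_forward WAN_IF PUBLIC_IP PUBLIC_PORT DMZ_IP DMZ_PORT
port_forward() {
    wan_if=$1; pub_ip=$2; pub_port=$3; dmz_ip=$4; dmz_port=$5

    # PREROUTING/DNAT: rewrite the destination before the routing decision.
    # Matching a port, or giving a port in --to-destination, requires -p tcp (or udp).
    printf '/sbin/iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan_if" "$pub_ip" "$pub_port" "$dmz_ip" "$dmz_port"

    # FORWARD sees the packet after DNAT, i.e. with the rewritten destination,
    # so match the DMZ address and port here, not the public ones. Without this
    # rule a DROP policy on FORWARD silently defeats the forward even though the
    # nat rule is in place.
    printf '/sbin/iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$wan_if" "$dmz_ip" "$dmz_port"
}

# Run directly with five arguments to print the rules, e.g. (constructed
# sample values matching Case 2 above):
#   ./portfwd.sh eth2 203.158.26.29 8080 192.168.10.188 80 | sudo sh
if [ $# -eq 5 ]; then
    port_forward "$@"
fi
```

After applying, "/sbin/iptables -t nat -L PREROUTING -n -v" and "/sbin/iptables -L FORWARD -n -v" show the packet counters for both rules; a DNAT rule whose counter grows while the FORWARD counter stays at zero is the usual sign that the forward is being dropped by the filter table.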
POSTROUTING Chain
It is for Source NAT, as packets leave.
Source NAT uses "-j SNAT", and the "--to-source" option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for the UDP and TCP protocols only).
Case 1:
To NAT the LAN station (192.168.92.62) on eth0 to a static public (WAN) IP (203.158.26.29) on eth2:
# /sbin/iptables -t nat -A POSTROUTING -o eth2 -s 192.168.92.62 -j SNAT --to 203.158.26.29
Case 2:
To NAT the entire LAN network (10.10.10.0/24) on eth1 to a range of WAN IPs (203.158.26.29 ~ 203.158.26.32) on eth2:
# /sbin/iptables -t nat -A POSTROUTING -o eth2 -s 10.10.10.0/24 -j SNAT --to 203.158.26.29-203.158.26.32
Case 3:
To NAT the LAN network to a dynamic WAN IP, e.g. a PPP connection:
# /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
OUTPUT Chain
It is for packets generated by the firewall or router itself.
FOUR steps to make your NAT work
Forward the traffic
If you are using Linux kernel 2.6 or later, the following commands should work.
Firstly, you must allow traffic to be forwarded (passed) through your firewall/router. By default the value is 0, which means forwarding is disabled.
# echo 1 > /proc/sys/net/ipv4/ip_forward
In some cases you may need to edit /etc/sysctl.conf and change the line that says net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1. This tells your kernel to do step one on boot.
** Also remember to accept the traffic passing through your FORWARD chain (more info in my earlier post)
# /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Post-route the traffic
# /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
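As an added example (not part of the original post), here is the procedure above as one re-runnable POSIX shell script: it turns on forwarding, sets up the FORWARD chain, and adds the MASQUERADE rule, using "iptables -C" so that running it twice does not stack duplicate rules. WAN_IF, LAN_IF and LAN_NET are constructed defaults (eth0 as WAN and eth1 as LAN, as in the commands above), the function names are my own, and the dry-run mode prints the commands instead of executing them. Two choices go slightly beyond the post: the FORWARD policy is set to DROP so that only the listed traffic is forwarded, and the MASQUERADE rule is restricted to the LAN prefix with -s.

```shell
#!/bin/sh
# Added example, not from the original post: the NAT steps as one
# re-runnable script. Defaults are constructed sample values; override them
# in the environment. "dry-run" prints the commands instead of running them.
#
# Usage: ./nat.sh dry-run     (no root needed)
#        sudo ./nat.sh apply
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
IPT=${IPT:-/sbin/iptables}

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Append a rule only if it is not already present (iptables -C, available
# since iptables 1.4.11), so repeated runs do not pile up duplicate rules.
add_rule() {
    table=$1; shift
    if [ -n "$DRY_RUN" ]; then
        printf '%s -t %s -A %s\n' "$IPT" "$table" "$*"
    elif ! "$IPT" -t "$table" -C "$@" 2>/dev/null; then
        "$IPT" -t "$table" -A "$@"
    fi
}

setup_nat() {
    # Step 1: enable forwarding now. net.ipv4.ip_forward = 1 in
    # /etc/sysctl.conf makes it survive a reboot.
    run sysctl -w net.ipv4.ip_forward=1

    # Step 2: FORWARD chain. Fail closed: only the listed traffic is forwarded.
    # From the WAN, accept only replies to connections the LAN opened; from
    # the LAN, accept anything sourced from our own prefix.
    run "$IPT" -P FORWARD DROP
    add_rule filter FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    add_rule filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # Step 3: source NAT after routing. -s limits masquerading to the LAN
    # prefix so the box does not rewrite spoofed or unexpected sources.
    add_rule nat POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Step 4: show what is actually loaded; the counters tell you whether
    # the rules are being hit.
    run "$IPT" -t nat -L POSTROUTING -n -v
}

case "${1:-}" in
    dry-run) DRY_RUN=1; setup_nat ;;
    apply)   setup_nat ;;
esac
```

Run "./nat.sh dry-run" first to review the exact commands, then "sudo ./nat.sh apply". Because the FORWARD policy is DROP, any service you later publish with DNAT also needs its own ACCEPT rule in FORWARD.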