How to use iptables to implement NAT

Source: Internet
Author: User
This article describes how to use iptables to implement NAT in linux. if you need it, refer to it. This section describes iptables's NAT function. This article only describes how to use iptables to configure NAT in linux. For more information about iptables, see: Configure iptables static firewall iptables protection.

This topic describes how to useIptablesFor more information about how to implement the NAT function, see.

Content of this section:
Iptables NAT

This article only describes how to use iptables to configure NAT in linux. For more information about iptables, see:
Configure iptables static firewall
Iptables firewall configuration example
Detailed description of iptables configuration instances
Iptables instance favorites
Linux iptables getting started
Learn more.

I. Overview
1. what is NAT
In the traditional standard TCP/IP communication process, all routers only act as a man-in-the-middle, that is, storage forwarding. the router does not modify the forwarded packets, more specifically, the vro will not modify the forwarded packets except for replacing the source MAC address with its own MAC address. NAT (NetworkAddressTranslation network address translation) is precisely for some special needs to rewrite the source IP address, destination IP address, source port, destination port. In a network, you can customize the IP address as needed without application. In the network, computers communicate through internal IP addresses. When the internal computer needs to communicate with the external internet, the device with the NAT function (such as a router) converts an internal IP address to a valid IP address (that is, the requested IP address) for communication.

2. why NAT?
Under what circumstances do we need to perform NAT.
Assume that an ISP provides Internet access services in the campus. to facilitate management, the IP addresses assigned by the ISP to the campus users are all pseudo IP addresses, but some users require that their WWW servers be set up to publish information, in this case, we can use NAT to provide such services. We can bind multiple valid IP addresses to the external network card of the firewall, and then forward packets sent to one of the IP addresses to a user's WWW server through NAT technology, then, the response packet of the internal WWW server is disguised as the package sent by the legal IP address.

For example, Internet cafes that use dial-up Internet access, because there is only one valid IP address, some means must be used to allow other machines to access the internet. Generally, the proxy server is used, but the proxy server, in particular, the application layer proxy server can only support limited protocols. if a new service comes out after a while, you can only wait for the proxy server to support the upgraded version of the new application. If NAT is used to solve this problem,
NAT not only achieves high access speeds, but also supports any new services or applications seamlessly.

Redirection: When a packet is received, it is not forwarded, but redirected to an application on the system. The most common application is to use it with squid as a transparent proxy. it caches http traffic and provides seamless access to the Internet.

3. NAT type
In the NAT-HOWTO of linux2.4, the author divides NAT into two types from the perspective of principle, that is, Source NAT (SNAT) and destination NAT (DNAT), as the name suggests, SNAT is to change the source address of the forwarded data packet, and DNAT is to change the destination address of the forwarded data packet.

II. Principles
As we mentioned in the article "using iptales to implement a firewall with excessive packaging considerations", netfilter is a general architecture at the core of Linux and provides a series of "tables" (tables ), each table is composed of several "chains", and each chain can contain one or more rules. The default table is "filter ". However, when using NAT, the table we use is no longer a "filter", but a "nat" table, therefore, we must use the "-tnat" option to explicitly specify this point. Because the default table is "filter", we do not need to explicitly specify "-tfilter" when using the filter function ".

Like the filter table, the nat table also has three default "chains" (chains). These three chains are also rule containers. they are:
PREROUTING: you can define the rules for destination NAT here, because the router only checks the destination IP address of the data packet during routing, so in order to make the data packet can be correctly routed, we must perform destination NAT before routing;

POSTROUTING: you can define the Source NAT rules here. the system will execute the rules in the chain after determining the route of the data packet.
OUTPUT: defines the destination NAT rule for locally generated packets.

III. operation syntax

As mentioned above, when using the iptables NAT function, we must use the "-tnat" display in each rule to use the nat table. Use the following options:
1. operations on rules
Add (append) A new rule to the end of A chain (-.
Insert a new rule (-I) at a location in the chain, usually at the beginning.
Replace a rule (-R) at a certain position in the chain ).
Delete a rule (-D) at a location in the chain ).
Delete the first rule (-D) in the chain ).

2. specify the source address and destination address
Use -- source/-- src/-s to specify the source address (here/represents or means, the same below), and use -- destination/-- dst/-s to specify the destination address. You can use the following four methods to specify an IP address:
A. Use a complete domain name, such as "www.linuxaid.com.cn ";
B. use an IP address, such as "192.168.1.1 ";
C. use x. x/x. x to specify a network address, such as "192.168.1.0/255.255.255.0 ";
D. use x. x. x. x/x specifies a network address. for example, "192.168.1.0/24" indicates the number of valid digits of the subnet mask, which is usually used in UNIX environments.
The default subnet mask number is 32, that is, specifying 192.168.1.1 is equivalent to 192.168.1.1/32.

3. specify network interfaces
You can use -- in-interface/-I or -- out-interface/-o to specify network interfaces. From the principle of NAT, we can see that for the PREROUTING chain, we can only use-I to specify the incoming network interface; for POSTROUTING and OUTPUT, we can only use the network interface specified by-o.

4. specify the protocol and port
You can use the -- protocol/-p option to specify the protocol. for udp and tcp protocols, you can also specify the port using -- source-port/-- sport and -- destination-port/-- dport.

4. preparations
1. Compile the kernel and select the following options during compilation. for details, refer to the article "iptales package excessive firewall configuration instance:
 

Full NAT
MASQUERADE target support
REDIRECT target support

2. to use a NAT table, you must first load the relevant modules:
 

Modprobe ip_tables
Modprobe ip_nat_ftp

The iptable_nat module is automatically loaded at runtime.

V. use instances
1. Source NAT (SNAT)
For example, change the source IP address of all data packets from 192.168.1.0/24 to 1.2.3.4:
Iptables-t nat-a postrouting-s 192.168.1.0/24-o eth0-j SNAT -- to 1.2.3.4
It should be noted that the system does not perform SNAT until the packets are sent out during routing and overconsideration.
There is a special case of SNAT which ip spoofing is called Masquerading. we recommend that you use it when using dial-up Internet access, or use it when the valid ip address is not fixed. For example
# Iptables-t nat-a postrouting-o ppp0-j MASQUERADE
We can see that there is no need to explicitly specify the source IP address and other information at this time.

2. destination SNAT (DNAT)
For example, change the destination IP address of all data packets from 192.168.1.0/24 to 1.2.3.4:
Iptables-t nat-a prerouting-s 192.168.1.0/24-I eth1-j DNAT -- to 1.2.3.4
Note that the system performs DNAT before routing and excessive consideration.

There is a special situation of DNAT, that is, the so-called Redirection, which is equivalent to changing the destination IP address of the qualified data packet to the IP address of the network interface when the data packet enters the system.
It is usually used to form a transparent proxy with the squid Configuration. if the squid listening port is 3128, you can use the following statement to import data from 192.168.1.0/24, the packet destined for port 80 is redirected to the squid listener.
Port:
 

Sample code:

Iptables-t nat-a prerouting-I eth1-p tcp-s 192.168.1.0/24 -- dport 80
-J REDIRECT -- to-port 3128

6. Comprehensive examples
1. use dialing to drive LAN Access
Small enterprises and Internet cafes use dial-up networks to access the Internet. Usually, proxies are used. However, considering costs and protocol support, we recommend that you use ip spoofing to enable Internet access in the area network.
After the kernel is successfully upgraded, install iptables and execute the following script:
 

Sample code:

# Load related modules
Modprobe ip_tables
Modprobe ip_nat_ftp
# Mask ip addresses
Iptables-t nat-a postrouting-o ppp0-j MASQUERADE

2. ip ing
Assume that an ISP provides Internet access to the campus. to facilitate management, the IP addresses assigned by the ISP to the campus users are all pseudo IP addresses, but some users require that their WWW servers be set up to publish information. We can bind multiple valid ip addresses to the external network card of the firewall, and then forward the packets sent to one of the ip addresses to the internal WWW server of a user through ip ING, then, the response packet of the internal WWW server is disguised as the package sent by the legal IP address.

Assume the following scenarios:
The ip address assigned by this ISP to A www server is:
Pseudo ip: 192.168.1.100
Real ip: 202.110.123.100

The ip address assigned by this ISP to B's www server is:
Pseudo ip: 192.168.1.200
Real ip: 202.110.123.200

The IP addresses of the linux firewall are:
Intranet interface eth1: 192.168.1.1
Internet interface eth0: 202.110.123.1

Then, bind the real ip addresses allocated to units A and B to the firewall's internet interface and run the following command as root:
 

Sample code:

Ifconfig eth0 add 202.110.123.100 netmask 255.255.255.0
Ifconfig eth0 add 202.110.123.200 netmask 255.255.255.0

After the kernel is successfully upgraded, install iptables and execute the following script:
 

Sample code:

# Load related modules
Modprobe ip_tables
Modprobe ip_nat_ftp

First, perform the destination NAT (DNAT) on all packets received by the firewall with the destination ip address 202.110.123.100 and 202.110.123.200 ):
 

Sample code:

Iptables-a prerouting-I eth0-d 202.110.123.100-j DNAT -- to192.168.1.100
Iptables-a prerouting-I eth0-d 202.110.123.200-j DNAT -- to192.168.1.200

Next, perform Source NAT (SNAT) on the packets received by the firewall with the source IP addresses 192.168.1.100 and 192.168.1.200 ):
 

Sample code:

Iptables-a postrouting-o eth0-s 192.168.1.100-j SNAT -- to202.110.123.100
Iptables-a postrouting-o eth0-s 192.168.1.200-j SNAT -- to202.110.123.200

In this way, all data packets whose destination ip addresses are 202.110.123.100 and 202.110.123.200 will be forwarded to 192.168.1.100 and 192.168.1.200 respectively;
All data packets from 192.168.1.100 and 192.168.1.200 will be disguised as ip ing from 202.110.123.100 and 202.110.123.200 respectively.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.