Iptables implements network firewalls: SNAT, DNAT, and iptablessnat

Source: Internet
Author: User

Iptables network firewall (2)-Introduction to SNAT and DNAT

In the previous article, we briefly introduced the basic concepts of the firewall in the Linux kernel and the four tables and five chains (see Introduction to the Linux firewall). It also showed how to set up a simple network firewall that filters by protocol and port in a Linux environment (see Linux network firewall (I)).
In production, firewall configurations are more complex, and the four tables, five chains and the path a packet takes through them, introduced earlier, play a key role. SNAT and DNAT are two important applications when building firewall rules. DNAT also plays an important role in LVS clusters, which will be discussed later.

What are SNAT and DNAT?

NAT stands for Network Address Translation. As the name suggests, it rewrites the network addresses in packets as they are forwarded, so that traffic can reach its destination and return. For a detailed explanation, see Network Address Translation (Wikipedia).
SNAT (source address translation) and DNAT (destination address translation) are the two NAT methods used in the firewall. As mentioned earlier, the firewall has four tables; one of them is the nat table, which is used to rewrite packet addresses.

SNAT

SNAT translates only the source address during network transmission. Traffic on the Internet is carried in packets, and each packet carries a destination address and a source address; the source address is what allows the server handling the request to return its reply. SNAT rewrites the source address of the outgoing packet, and the reply, addressed to the translated address, is mapped back to the original host.
The number of IPv4 addresses is limited, yet a huge number of computers around the world access resources on the Internet. This is where SNAT is used.
When a company builds a LAN, users in the LAN rely on SNAT to reach the Internet. Because the source address is rewritten, the hosts in the LAN are also hidden from the outside, which improves their security.

The SNAT network topology is shown below. Note: the IP addresses in the figure are those of the author's experiment environment (see the experiment below); in production they will be different.

Environment Description

Role            System Environment  Host Name  Address                     Function Description
WEB Server      CentOS 7            web        172.18.3.77                 Provides web services
Linux Firewall  CentOS 7            iptables   172.18.2.77, 192.168.2.77   Defines firewall rules
LAN User        CentOS 6            lan        192.168.2.66                Accesses the Internet

Source address translation occurs only when a host in the LAN requests a service on the Internet. The data transfer process below makes this easy to understand.

DNAT

If we deploy a web service in the LAN but want it to be reachable from the Internet, how do we solve this? A company may have only one IPv4 address connected to the Internet.
In this case, DNAT, that is, destination address translation, is needed. The topology below shows that hosts on the Internet wanting to reach a service inside the LAN must go through the firewall or router that holds the external network address.

Role             System Environment  Host Name  Address                     Function Description
Internet User    CentOS 7            web        172.18.3.77                 Accesses web services in the LAN
Linux Firewall   CentOS 7            iptables   172.18.2.77, 192.168.2.77   Defines firewall rules
LAN WEB Server   CentOS 6            lan        192.168.2.66                Provides web services

How do I define NAT rules on the firewall?

Having introduced the concepts behind SNAT and DNAT, how should NAT rules be defined in the firewall?
From the previous article, we know that the nat table hooks into four chains: PREROUTING, INPUT, OUTPUT and POSTROUTING. Based on the preceding illustration and our analysis, SNAT rules belong on the POSTROUTING chain (after routing, as the packet leaves the firewall), and DNAT rules belong on the PREROUTING chain (before routing, so the rewritten destination is what the routing decision uses), so that network requests can be forwarded.

SNAT experiment: environment

Clear the filter rules of the firewall and disable SELinux.
Enable route forwarding on the firewall so that users in the LAN can reach Internet services.
Network testing:

# Clear the firewall filter rules
[root@iptables ~]# iptables -F
# Enable the forwarding function
[root@iptables ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
# Users in the LAN can ping the Internet
[root@lan ~]$ ping 172.18.3.77
PING 172.18.3.77 (172.18.3.77) 56(84) bytes of data.
64 bytes from 172.18.3.77: icmp_seq=1 ttl=63 time=1.00 ms
64 bytes from 172.18.3.77: icmp_seq=2 ttl=63 time=1.52 ms
# LAN users can access the Internet
[root@lan ~]$ curl http://172.18.3.77
www.google.com

Experiment process

First, apply SNAT to requests from the 192.168.2.0/24 network, translating the source address to 172.18.2.77.

[root@iptables ~]# iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to-source 172.18.2.77
# View the nat table firewall rules
[root@iptables ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 1 packets, 229 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 1 packets, 229 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       192.168.2.0/24       0.0.0.0/0            to:172.18.2.77

Services on the Internet can still be reached normally from the LAN:

[root@lan ~]$ curl http://172.18.3.77
www.google.com

Check the most recent access record on the Internet host: the request came from 172.18.2.77, which shows that the source address was translated.

[root@web ~]# tail -1 /var/log/httpd/access_log
172.18.2.77 - - [23/Oct/2017:15:46:35 +0800] "GET / HTTP/1.1" 200 15 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2"

Summary: SNAT command format

iptables -t nat -A POSTROUTING -s LocalNET ! -d LocalNET -j SNAT --to-source ExtIP

DNAT experiment: environment

Clear the filtering rules set up in the SNAT experiment.
The Internet host can reach the firewall host, but cannot reach the web service in the LAN, either directly or through the firewall's Internet IP address.

# Direct access to the intranet service is not possible
[root@web ~]# curl http://192.168.2.66
curl: (7) Failed to connect to 192.168.2.66: Network is unreachable
# Access through the firewall's Internet IP address is refused
[root@web ~]# curl http://172.18.2.77
curl: (7) Failed connect to 172.18.2.77:80; Connection refused
# The firewall address itself is reachable
[root@web ~]# ping 172.18.2.77
PING 172.18.2.77 (172.18.2.77) 56(84) bytes of data.
64 bytes from 172.18.2.77: icmp_seq=1 ttl=64 time=0.857 ms
64 bytes from 172.18.2.77: icmp_seq=2 ttl=64 time=0.642 ms

Experiment process

According to our previous discussion, we should add a rule on the PREROUTING chain of the nat table that forwards requests for the public address (172.18.2.77) to the intranet address (192.168.2.66).

[root@iptables ~]# iptables -t nat -A PREROUTING -d 172.18.2.77 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.66:80
# Check the created rule
[root@iptables ~]# iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 7 packets, 1351 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            172.18.2.77          tcp dpt:80 to:192.168.2.66:80

Chain INPUT (policy ACCEPT 7 packets, 1351 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Now, accessing the LAN service from the Internet host through the firewall's Internet IP address gives a different result:

[root@web ~]# curl http://172.18.2.77
LAN SERVER

View the access log of the web server in the LAN, and you can see a record from the Internet host:

[root@lan ~]$ tail -1 /var/log/httpd/access_log
172.18.3.77 - - [25/Sep/2017:07:34:18 +0800] "GET / HTTP/1.1" 200 11 "-" "curl/7.29.0"

So far, the DNAT firewall policy has been configured.

Summary: DNAT command format

iptables -t nat -A PREROUTING -d ExtIP -p tcp|udp --dport PORT -j DNAT --to-destination InternalServerIP[:PORT]
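The two command formats above, turned into a small script that applies both the SNAT and DNAT rules of this lab idempotently. This is an added example, not part of the original article; the addresses are the article's lab values, the `! -d` exclusion and the `iptables -C` pre-check are choices made here, and the script assumes a root shell on the firewall host.

```shell
#!/bin/sh
# Added example (not from the original article): builds the SNAT and DNAT
# rules in the two summary formats and applies them without duplicates.
# Addresses are the article's lab values; change them for your network.
# By default the rules are only printed; set APPLY=1 to run them as root.
set -eu

LOCAL_NET="192.168.2.0/24"     # LAN behind the firewall
EXT_IP="172.18.2.77"           # firewall's Internet-facing address
INTERNAL_SERVER="192.168.2.66" # LAN web server reached via DNAT
PORT=80

# SNAT rule: translate LAN sources, but only for traffic that leaves the
# LAN, so LAN-to-LAN traffic that transits the firewall is left untouched.
snat_rule() {
    echo "-t nat -A POSTROUTING -s $1 ! -d $1 -j SNAT --to-source $2"
}

# DNAT rule: forward ExtIP:PORT to the same port on the internal server.
# DNATed packets still traverse the filter table's FORWARD chain, so if
# its policy is not ACCEPT (the lab flushed it) a matching FORWARD rule
# is also required.
dnat_rule() {
    echo "-t nat -A PREROUTING -d $1 -p $2 --dport $3 -j DNAT --to-destination $4:$3"
}

# Append a rule only if it is not already present: -C checks for an
# identical rule, so re-running the script does not stack NAT entries.
apply_rule() {
    check=$(echo "$1" | sed 's/ -A / -C /')
    if iptables $check 2>/dev/null; then
        echo "exists: iptables $1"
    else
        iptables $1 && echo "added:  iptables $1"
    fi
}

main() {
    snat=$(snat_rule "$LOCAL_NET" "$EXT_IP")
    dnat=$(dnat_rule "$EXT_IP" tcp "$PORT" "$INTERNAL_SERVER")
    if [ "${APPLY:-0}" = "1" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward  # forwarding, as in the lab setup
        apply_rule "$snat"
        apply_rule "$dnat"
    else
        echo "iptables $snat"
        echo "iptables $dnat"
    fi
}

main
```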

With the configuration above, we have built a simple network firewall. In production, refine the rules according to your actual situation.
