NAT mechanism of firewall

Source: Internet
Author: User

NAT (Network Address Translation) can be applied on either the client side or the server side. On the client side it hides the client's IP so that the client is less exposed to attacks from the network; on the server side it protects the security of the server hosts that are exposed to the Internet.

1. Why use NAT technology?

Because a broadband (ADSL) line currently gives a user at most 16 public IP addresses, and often only 1, while a typical enterprise has many hosts, there are not enough public IPs to go round. In this situation NAT lets thousands of hosts connect to the Internet at the same time through a single public IP.

2. SNAT, DNAT and packet flow

SNAT: source address translation.

DNAT: destination address translation.

Packet flow: PREROUTING -> routing table -> POSTROUTING

3. The three chains of the NAT mechanism

The nat table has three chains in total: PREROUTING, OUTPUT and POSTROUTING.

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.0.0/24       anywhere             to:192.168.5.178

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

PREROUTING: at the very front of the NAT mechanism; it modifies the destination IP of the packet, i.e. it performs DNAT.

POSTROUTING: at the very end of the NAT mechanism; it modifies the source IP of the packet, i.e. it performs SNAT.

OUTPUT: when a local process wants to send a packet out of the machine, the packet must first be matched against the OUTPUT chain; if it is allowed out, it is handed to the POSTROUTING chain for SNAT.

The flow of data through the NAT mechanism: when a packet arrives, it first passes through the PREROUTING chain, where DNAT is performed, and is then handed to the routing table. The routing table examines the packet and decides whether it is destined for the local machine. If it is, and the match succeeds, the packet is passed to the local process for handling; if it is not destined for the local machine, it goes directly to the POSTROUTING chain for SNAT and is then sent out. When the machine itself needs to send a packet, the local process passes the packet to the routing table, which hands it to the OUTPUT chain for matching; if the match succeeds, the packet is passed to the POSTROUTING chain for SNAT, and if the match fails, the packet is discarded.


4. NAT classification

(1) One-to-many NAT

A. Saving public IP addresses: an enterprise needs only one public IP. The hosts inside the enterprise use private IPs, and the NAT mechanism translates them to the public IP when they connect to the Internet.

B. Hiding internal IPs: the NAT mechanism translates the private IPs to the public IP, so the enterprise intranet is hidden behind the NAT host. Users on the Internet cannot learn the intranet IPs, and even if an attacker knows them, the NAT mechanism makes attacking the intranet harder.


Building a one-to-many NAT network environment

Prepare the environment: the NAT host has two NICs, eth0 and eth1.

Public network IP (eth0): 10.0.1.200

Private IP (eth1): 192.168.0.0/24

Private IP host default gateway: 192.168.0.254

Note: when an internal host (on the 192.168.0.0/24 segment) sends a packet to a host on the Internet, the source IP of the request packet is a private IP, and such packets cannot be delivered on the Internet. The NAT host must therefore use SNAT to change the source IP of outgoing packets to its public IP, so that packets from the private network can reach the Internet.

SNAT rule syntax on the NAT host:

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to 10.0.1.200

Syntax parsing:

-t nat: select the table; use the nat table when the NAT mechanism of netfilter is needed.

-A POSTROUTING: append the rule to the POSTROUTING chain, the chain in which SNAT is performed.

-o eth0: the outgoing interface; the rule applies to packets leaving through eth0 toward the public network after SNAT.

-s 192.168.0.0/24: the source IP; only packets from the 192.168.0.0/24 segment match this rule.

-j SNAT --to 10.0.1.200: if the packet matches the rule above, change its source IP to 10.0.1.200.

Note: when you set the rule for outgoing packets, you do not need to consider the return direction, because the system automatically translates the corresponding reply packets back. You only need to specify the rule for one direction.

Issues to be aware of when setting up SNAT or DNAT:

A. Interface name: the interface names can be viewed with the "ifconfig" command; the name used in the rule must correspond to the right NIC.

B. Dynamic public IP: if the public IP is not fixed, use MASQUERADE instead: "iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE".


(2) Many-to-many NAT

Many-to-many NAT is an improvement on one-to-many NAT. When a large enterprise intranet accesses the Internet frequently and all of its requests reach the same Internet server from one public IP, that server sees very frequent access from a single address; some hosts, online game servers in particular, will not accept many simultaneous connections from the same IP. Many-to-many NAT translates the private IPs to several public IPs, which lowers the probability that connections to the same Internet host all share one public IP.

Syntax rule: iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to ip1-ip2 (ip1-ip2 is a range of public addresses; ip1 and ip2 are placeholders).
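The following script, added here as an example and not part of the original post, generates the POSTROUTING rule set for the NAT host described above in all three variants (fixed public IP, a public IP range for many-to-many NAT, and MASQUERADE for a dynamic public IP), together with the FORWARD rules that let connection tracking pass reply packets back to the intranet. It assumes eth0 is the public NIC (10.0.1.200), eth1 the private 192.168.0.0/24 side, and the public range 10.0.1.200-10.0.1.203 is a constructed value; nothing is applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post): build the POSTROUTING rule set for
# the NAT host above. Assumed: eth0 is public (10.0.1.200), eth1 is the private
# 192.168.0.0/24 side; the public range for many-to-many NAT is constructed.
PUB_IF=${PUB_IF:-eth0}
PUB_IP=${PUB_IP:-10.0.1.200}
PUB_RANGE=${PUB_RANGE:-10.0.1.200-10.0.1.203}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}

# nat_target MODE -> the -j target for the SNAT rule:
#   static  : SNAT to one fixed public IP        (one-to-many NAT)
#   range   : SNAT spread over a public IP range (many-to-many NAT)
#   dynamic : MASQUERADE, for a public IP handed out by ADSL/DHCP
nat_target() {
  case "$1" in
    static)  echo "SNAT --to-source $PUB_IP" ;;
    range)   echo "SNAT --to-source $PUB_RANGE" ;;
    dynamic) echo "MASQUERADE" ;;
    *) echo "nat_target: unknown mode '$1'" >&2; return 1 ;;
  esac
}

# nat_rules MODE -> prints the commands; printing rather than running them lets
# the rule set be reviewed before it touches a live firewall.
nat_rules() {
  target=$(nat_target "$1") || return 1
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $PUB_IF -s $LAN_NET -j $target
iptables -A FORWARD -i $LAN_IF -o $PUB_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $PUB_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# rule_count MODE -> number of commands nat_rules emits (quick sanity check)
rule_count() { nat_rules "$1" | wc -l | tr -d ' '; }

# apply_rules MODE -> run as root only when APPLY=1; otherwise just print
apply_rules() {
  if [ "${APPLY:-0}" = 1 ]; then nat_rules "$1" | sh -e; else nat_rules "$1"; fi
}

apply_rules "${1:-static}"
```

Pass range or dynamic as the first argument to print the other two variants; only traffic from the intranet outwards and the tracked replies to it are forwarded, everything else hitting FORWARD is dropped.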


(3) One-to-one NAT

For one-to-one NAT the NAT host needs at least three NICs: eth0 connects to the public network, eth1 to the server host network, and eth2 to the enterprise intranet. You also need to prepare enough public IP addresses, one for each server whose address is translated.


