How to configure destination NAT using iptables

Source: Internet
Author: User
Destination NAT changes the destination IP address of the data packet. when a data packet from the Internet accesses the public IP address of the network interface of the NAT server, the NAT server converts the destination address of these packets to an appropriate intranet IP address and then routes it to the intranet computer. In this way, servers using intranet IP addresses can also provide network services for computers on the Internet. Destination NAT changes the destination IP address of the data packet. when a data packet from the Internet accesses the public IP address of the network interface of the NAT server, the NAT server converts the destination address of these packets to an appropriate intranet IP address and then routes it to the intranet computer. In this way, servers using intranet IP addresses can also provide network services for computers on the Internet.
As shown in-11, common clients located in the subnet 10.10.1.0/24 use Source NAT to access the Internet. The subnet 10.10.2.0/24 is the server network segment. the computers in the subnet run various network services. they must not only provide services for the intranet, but also provide services for computers on the Internet. However, because the intranet address is used, you need to configure the destination NAT on the NAT server so that packets from the Internet can reach the server network segment smoothly.
 
-11 network structure of the example used for destination NAT configuration

Assume that a computer whose IP address is 10.10.2.3 needs to provide network services for the Internet, you can specify a public IP address to establish a ing relationship with 10.10.2.3. If the public IP address used is 218.75.26.34, the command for configuring the destination NAT is as follows :# Iptables-T nat-a prerouting-I eth0-d 218.75.26.34/32-j DNAT -- to 10.10.2.3

The preceding command adds rules to the PREROUTING chain. this chain is located in front of the routing module. Therefore, the destination IP address of the data packet is changed before the routing, which will affect the routing result. Because the network interface eth0 is connected to the Internet, "-I eth0" ensures that the packets are from the Internet. "-D218.75.26.34/32" indicates that the data packet destination is on the 218.75.26.34 host, and this IP address should be the address of a sub-interface of eth0, so that the NAT server can receive data packets. otherwise, data packets will be discarded because they are not received.
"-J DNAT" specifies that the target action is DNAT, which indicates that the destination IP address of the data packet needs to be modified. its sub-option "-- to10.10.2.3" indicates that the modified IP address is 10.10.2.3. After the destination IP address is modified, the routing module routes the data packets to the 10.10.2.3 server.
The above is to allow a public IP to be fully mapped to an IP address on the intranet. in this case, the host 10.10.2.3 is directly located on the Internet and there is no difference in using the 218.75.26.34 address. Therefore, although this method achieves the purpose of address translation, it does not actually bring much benefit, because the main purpose of using NAT is to share public IP addresses to save the increasingly tight IP address resources. To achieve the purpose of sharing IP addresses, you can use port ING.

Port ing maps a port of a public IP address to a port of an intranet IP address. It is very flexible to use. Two mapped ports have different port numbers, and different ports of the same public IP can be mapped to different intranet IP addresses.
For example, if the host 10.10.2.3 only provides Web services for the Internet, you only need to open port 80, and the host 10.10.2.9 provides FTP services for the Internet, so port 21 must be opened. In this case, port 80 and port 21 of the public IP address 218.75.26.34 can be mapped to port 80 and port 21 of 10.10.2.3 and 10.10.2.9, respectively, so that the two intranet servers can share a public IP address. The command is as follows.

# Iptables-t nat-a prerouting-I eth0-d 218.75.26.34/32-p tcp -- dport 80-j DNAT -- to 10.10.2.3: 80
# Iptables-t nat-a prerouting-I eth0-d 218.75.26.34/32-p tcp -- dport 21-j DNAT -- to 10.10.2.9: 21

In the preceding command, the destination address is a TCP packet of 218.75.26.34. When the destination port is 80, it is forwarded to port 80 of the 10.10.2.3 host. when the destination port is 21, it is forwarded to port 21 of the 10.10.2.9 host. Of course, the two mapped ports can be completely different. For example, if a host 10.10.2.8 also provides Web services through Port 80 and the mapped IP address is 218.75.26.34, you need to map another port of 218.75.26.34, such as 8080 to port 80 of 10.10.2.8, the command is as follows:
# Iptables-t nat-a prerouting-I eth0-d 218.75.26.34/32-p tcp -- dport 8080-j DNAT -- to 10.10.2.8: 80

Note: the above section only describes the DNAT configuration in iptables. in actual application, it takes some other configurations to work together to make the configuration really successful. For example, the three links in the filter table should allow corresponding data packets to pass through, and the eth0 interface sub-interface should be created for each Internet IP address.
In addition, for the FTP service, because Port 21 is only used to establish a control connection, other ports must be used for data transmission. In the passive mode, the port number that the client initiates a connection to the FTP server is random. Therefore, you cannot open a fixed port to meet the requirements.

To solve this problem, you can load the following two modules in Linux:
Modprobe ip_conntrack_ftp
Modprobe ip_nat_ftp
The two modules can monitor the FTP control flow so that you can know the port used for the FTP data connection to be established in advance, so that the corresponding packets can pass through, even if the firewall does not open this port.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.