This document describes how to do masquerading, transparent proxying, port forwarding, and other forms of Network Address Translation with the Linux 2.4 kernel.
1. Introduction
2. Official site and mailing list
2.1 What is NAT?
2.2 Why do I need NAT?
3. The two types of NAT
4. Quick conversion from the 2.0 and 2.2 kernels
4.1 I just want masquerading! Help!
4.2 What about ipmasqadm?
5. Controlling what NAT applies to
5.1 Simple selection using iptables
5.2 Finer points of selecting which packets to mangle
6. Saying how to mangle the packets
6.1 Source NAT
6.1.1 Masquerading
6.2 Destination NAT
6.2.1 Redirection
6.3 Mappings in depth
6.3.1 Selecting multiple addresses in a range
6.3.2 Creating null NAT mappings
6.3.3 Standard NAT behaviour
6.3.4 Implicit source port mapping
6.3.5 What happens when NAT fails
6.3.6 Multiple mappings, overlaps and clashes
6.3.7 Altering the destination of locally generated connections
7. Special protocols
8. Caveats on NAT
9. Source NAT and routing
10. Destination NAT onto the same network
11. Thanks
1. Introduction
Welcome, dear reader.
You are about to go deep into the fascinating (and sometimes exasperating) world of NAT: Network Address Translation. This HOWTO will be your guide for the Linux 2.4 kernel and later.
In Linux 2.4 (kernel version), an infrastructure called "netfilter" is introduced for mangling packets. A layer on top of it provides NAT, implemented quite differently from the previous kernels.
(Translator's note: no suitable translation for "mangle" could be found; sorry.)
(C) 2000 Paul 'Rusty' Russell. Licensed under the GNU GPL.
--------------------------------------------------------------------------------
2. Official site and mailing list
There are three official sites:
o Thanks to Filewatcher: http://netfilter.filewatcher.org
o Thanks to The Samba Team and SGI: http://netfilter.samba.org
o Thanks to Harald Welte: http://netfilter.gnumonks.org
You can reach all of them through the following sites:
http://www.netfilter.org and http://www.iptables.org
The official netfilter mailing list is listed at
http://www.netfilter.org/contact.html#list
--------------------------------------------------------------------------------
2.1 What is Network Address Translation (NAT)?
Normally, (IP) packets on a network travel from their source (such as your home computer) to their destination (such as www.gnumonks.org) through many different links (hops): about 19 from where I am in Australia. None of these links really alters your packet: they just pass it on as it is.
(Note: "links" here should be read as all the network nodes along the path, hosts and routers alike. Strictly speaking a router does not pass the packet on unchanged: it modifies at least one field, the TTL.)
If one of these links does NAT, it alters the source or destination (address) of the packet as it passes through. As you might guess, this is not how the system was designed to work, and so NAT is always something of a workaround. Usually the link doing NAT (a host, server or router) remembers how it mangled a packet, and when a reply packet passes through from the other direction it mangles the reply in the opposite way, so everything keeps working.
(Translator's note: in this section, "mangle" is best read as "modify".)
--------------------------------------------------------------------------------
2.2 Why do I need NAT?
In a perfect world, you wouldn't. Meanwhile, the main reasons are:
Modem connections to the Internet
Most ISPs give you a single IP address when you dial up. You can send out packets with any source address you want, but only replies to packets carrying this (ISP-assigned) address will make it back to you. If you want to use several machines (such as a home network) to reach the Internet through this one link, you need NAT.
This is by far the most common use of NAT today, known in the Linux world as "masquerading". I call it SNAT (SNAT means Source NAT, source address translation), because you change the source address of the first packet.
(For what the first packet of an IP connection is, see the TCP/IP books.)
Multiple servers
Sometimes you want to change where packets heading into your network will go. Frequently this is because (as in the example above) you only have one IP address, but you want people to be able to reach the machines behind the one with the "real" IP address. If you rewrite the destination address of the incoming packets, you can manage this. In earlier Linux versions this kind of NAT was called port forwarding.
A common variation of this is load sharing, where the mapping spreads connections over a group of machines. If you need strictly controlled proportions, you may want to look at the Linux Virtual Server: http://linuxvirtualserver.org
Transparent proxying
Sometimes you want to pretend that each packet passing through your Linux box is destined for a program on the Linux box itself. This is used to make transparent proxies: a proxy is a program that sits between your network and the outside world, shuffling communication between the two. It is called transparent because your network does not know it is talking to a proxy, unless, of course, the proxy is not working.
Squid can be configured to work this way, and this was called redirection or transparent proxying in previous Linux versions.
--------------------------------------------------------------------------------
3. The two types of NAT
I divide NAT into two different types: Source NAT (SNAT) and Destination NAT (DNAT). (Note: SNAT and DNAT are not translated below; the terms Source NAT and Destination NAT are used directly.)
Source NAT is when you alter the source address of the first packet: that is, you change where the connection comes from. Source NAT is always done post-routing, at the last moment before the packet goes out onto the wire. Masquerading is a specialised form of SNAT.
Destination NAT is when you alter the destination address of the first packet: that is, you change where the connection goes to. Destination NAT is always done pre-routing, as soon as the packet comes in. Port forwarding, load sharing and transparent proxying are all forms of DNAT.
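As an added example (not from the HOWTO), the following toy NAT box models the two NAT types just described: outgoing connections are Source NATed (masqueraded) at the post-routing step, inbound connections hit port-forwarding (Destination NAT) rules at the pre-routing step, and every mangling is remembered so that the reply can be un-mangled in the opposite direction. The public address 1.2.3.4 and the addresses used in the comments are constructed; addresses are (ip, port) tuples.

```python
PUBLIC_IP = "1.2.3.4"                 # assumed outside address of the NAT box (constructed)
MASQ_PORTS = range(61000, 65096)      # port range the old 2.2 masquerading code owned


class NatBox:
    """Toy model of a NAT box: mappings made on the first packet are remembered."""

    def __init__(self, public_ip=PUBLIC_IP, ports=MASQ_PORTS):
        self.public_ip = public_ip
        self.free_ports = iter(ports)
        self.out_map = {}   # (proto, src, dst) -> mangled tuple, applied on the way out
        self.in_map = {}    # (proto, src, dst) -> mangled tuple, applied on the way in
        self.portfw = {}    # (proto, public_port) -> internal (ip, port)

    def add_portfw(self, proto, public_port, target):
        # Same idea as: iptables -t nat -A PREROUTING -p <proto> -d PUBLIC_IP
        #               --dport <public_port> -j DNAT --to <target ip:port>
        self.portfw[(proto, public_port)] = target

    def postrouting(self, proto, src, dst):
        """Source NAT: done last, just before the packet leaves (-j MASQUERADE)."""
        key = (proto, src, dst)
        if key in self.out_map:            # known connection: reuse its mapping
            return self.out_map[key]
        if src[0] == self.public_ip:       # already our public address: untouched
            return key
        port = next(self.free_ports, None)
        if port is None:                   # toy NAT failure: no ports left, drop
            return None
        mangled = (proto, (self.public_ip, port), dst)
        self.out_map[key] = mangled
        # the reply will arrive as dst -> public_ip:port and must go back to src
        self.in_map[(proto, dst, (self.public_ip, port))] = (proto, dst, src)
        return mangled

    def prerouting(self, proto, src, dst):
        """Destination NAT: done first, as the packet comes in (-j DNAT)."""
        key = (proto, src, dst)
        if key in self.in_map:             # reply to a masqueraded flow, or known DNAT
            return self.in_map[key]
        target = self.portfw.get((proto, dst[1]))
        if target is None or dst[0] != self.public_ip:
            return key                     # no rule matched: pass unchanged
        mangled = (proto, src, target)
        self.in_map[key] = mangled
        # the server's reply (target -> src) must look as if it came from dst
        self.out_map[(proto, target, src)] = (proto, dst, src)
        return mangled
```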
--------------------------------------------------------------------------------
4. Quick conversion from the 2.0 and 2.2 kernels
Sorry if you are still busy recovering from the switch from 2.0 (ipfwadm) to 2.2 (ipchains). There is good news and bad news.
First, you can go on using ipchains and ipfwadm just as before. To do this you need to load the "ipchains.o" or "ipfwadm.o" kernel module from the latest netfilter distribution. They are mutually exclusive (you have been warned) and cannot be combined with any other netfilter module.
Once one of these modules is loaded, you can use ipchains and ipfwadm as before, with the following differences:
Setting masquerading timeouts with ipchains -M -S, or ipfwadm -M -s, no longer has any effect. Since the timeouts have moved into the new NAT infrastructure, this should not matter.
In the verbose masquerade listing, the init_seq, delta and previous_delta fields are always zero.
Zeroing and listing the counters at the same time with -Z -L no longer works: the counters will not be zeroed.
This backward-compatibility layer may not scale well to large numbers of connections: do not use it on your company gateway.
Developers should also note that:
You can now bind to ports between 61000 and 65095, whether or not you use masquerading. The old masquerading code assumed it owned that range of ports, so they could not be used.
The undocumented "getsockname" hack, which transparent proxies could use to find the real destination addresses of connections, no longer works.
The undocumented "bind-to-foreign-address" hack is also not implemented yet: that was the idea for completing the illusion of transparent proxying.
--------------------------------------------------------------------------------
4.1 I just want masquerading! Help!
This is what most people want. If you have a PPP dial-up connection to the Internet with a dynamically assigned IP address (if you don't know, you probably do), you simply want to tell your box that all packets coming from your internal network should be made to look as if they come from the PPP dial-up box.
# Load the NAT module (this pulls in the other modules it needs).
modprobe iptable_nat
# In the NAT table (-t nat), append a rule (-A) after routing (POSTROUTING)
# so that all packets going out on ppp0 (-o ppp0) are masqueraded (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Turn on IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward
Note that you are not doing any packet filtering here: for that, see the Packet Filtering HOWTO.
--------------------------------------------------------------------------------
4.2 What about ipmasqadm?
This is a more specialised use, so I am not too worried about backward compatibility. You can simply use "iptables -t nat" to do port forwarding. For example, in Linux 2.2 you would do:
# In the 2.2 kernel, forward TCP packets going to port 8080 on 1.2.3.4 to port 80 on 192.168.1.1.
ipmasqadm portfw -a -P tcp -L 1.2.3.4 8080 -R 192.168.1.1 80
Now you would do:
# In 2.4, append a rule to the PREROUTING chain of the NAT table (-t nat) so that
# TCP packets (-p tcp) to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080) have their
# destination changed (-j DNAT) to port 80 of 192.168.1.1 (--to 192.168.1.1:80).
iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 8080 -j DNAT --to 192.168.1.1:80
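As an added example (not part of the HOWTO), the function below mechanically translates a 2.2-era "ipmasqadm portfw -a -P proto -L laddr lport -R raddr rport" line into the equivalent 2.4 iptables DNAT rule shown above. It only builds the command string and rejects protocols and malformed options that DNAT port forwarding cannot express; nothing is applied to a kernel.

```python
import shlex


def portfw_to_iptables(line):
    """Return the 2.4 iptables DNAT rule equivalent to one 'ipmasqadm portfw -a' line."""
    argv = shlex.split(line)
    if argv[:3] != ["ipmasqadm", "portfw", "-a"]:
        raise ValueError("only 'ipmasqadm portfw -a' rules are handled")
    opts, rest = {}, argv[3:]
    while rest:
        flag = rest.pop(0)
        if flag == "-P" and len(rest) >= 1:             # protocol
            opts["-P"] = rest.pop(0)
        elif flag in ("-L", "-R") and len(rest) >= 2:   # local / remote addr+port
            opts[flag] = (rest.pop(0), int(rest.pop(0)))
        else:
            raise ValueError("unexpected or incomplete option: " + flag)
    missing = [f for f in ("-P", "-L", "-R") if f not in opts]
    if missing:
        raise ValueError("missing option(s): " + " ".join(missing))
    proto, (laddr, lport), (raddr, rport) = opts["-P"], opts["-L"], opts["-R"]
    if proto not in ("tcp", "udp"):
        raise ValueError("DNAT port forwarding needs -P tcp or -P udp")
    for port in (lport, rport):
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
    return ("iptables -t nat -A PREROUTING -p %s -d %s --dport %d "
            "-j DNAT --to %s:%d" % (proto, laddr, lport, raddr, rport))
```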
--------------------------------------------------------------------------------
5. Controlling what NAT applies to
You need to create NAT rules which tell the kernel which connections to change, and how to change them. To do this, we use the versatile iptables tool and tell it to alter the NAT table by giving the "-t nat" option.
The table of NAT rules contains three lists called "chains": each rule is examined in order until one matches. Two of the chains are called PREROUTING (for Destination NAT, checked as packets first come in) and POSTROUTING (for Source NAT, checked as packets leave); the third, OUTPUT, will be ignored here.
If I had any artistic talent, the following