How to Use Iptables to implement powerful NAT functions in Linux

Source: Internet
Author: User

This article describes how to use iptables to implement the powerful NAT function of Linux 2.4. For the syntax of iptables itself, see the article "Using iptables to implement a firewall with a high packet forwarding rate". To be clear, this article is not a simple repetition of the NAT-HOWTO or its Chinese translation: throughout, the author tries to express his own understanding and his own thoughts in his own words.

I. Overview

1. What is NAT

In the traditional standard TCP/IP communication process, all routers act only as a man in the middle, that is, they store and forward. A router does not modify the packets it forwards; more precisely, it modifies nothing in a forwarded packet except replacing the source MAC address with its own MAC address. Network Address Translation (NAT), by contrast, deliberately modifies the source IP address, destination IP address, source port, or destination port of a packet for a particular purpose.

2. Why NAT?

Let's see under what circumstances we need to perform NAT.

Assume that an ISP provides Internet access on a campus. To ease management, the IP addresses the ISP assigns to campus users are all pseudo (private) IP addresses, yet some users need to set up their own WWW servers to publish information. NAT can provide such a service: we bind several valid IP addresses to the external network card of the firewall and use NAT to forward packets sent to one of those addresses on to a user's WWW server; the response packets of that internal WWW server are then disguised as packets sent from the valid IP address.

Another example is an Internet cafe on dial-up access. Because there is only one valid IP address, some means must be found to let the other machines reach the Internet. Usually a proxy server is used, but a proxy server, and in particular an application-layer proxy server, supports only a limited set of protocols; if a new service appears later, you can only wait for an upgraded version of the proxy server that supports the new application. If NAT is used to solve this problem instead, NAT not only achieves high access speeds but also supports any new service or application seamlessly.

Another application is redirection: when a packet is received, it is not forwarded but redirected to an application on the system itself. The most common use is together with squid as a transparent proxy, which caches HTTP traffic and provides seamless access to the Internet.

3. NAT type

In the NAT-HOWTO for Linux 2.4, the author divides NAT into two types by principle: source NAT (SNAT) and destination NAT (DNAT). As the names suggest, SNAT changes the source address of a forwarded packet, and DNAT changes the destination address of a forwarded packet.

II. Principles

As we mentioned in the article "Using iptables to implement a firewall with a high packet forwarding rate", netfilter is a general architecture in the Linux kernel that provides a series of "tables"; each table is composed of several "chains", and each chain can contain one or more rules. The default table is "filter". When using NAT, however, the table we work with is no longer "filter" but "nat", so we must specify it explicitly with the "-t nat" option. Because the default table is "filter", there is no need to specify "-t filter" explicitly when using the filtering function.

Like the filter table, the nat table also has three default "chains" (chains). These three chains are also rule containers. They are:

PREROUTING: destination NAT rules are defined here. Because the router consults only the destination IP address of a packet when routing it, destination NAT must be performed before routing so that the packet is routed correctly to its rewritten destination;

POSTROUTING: source NAT rules are defined here. The system executes the rules in this chain after the route of the packet has been determined;

OUTPUT: destination NAT rules for locally generated packets are defined here.
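The three cases described above (publishing an internal WWW server with DNAT, sharing one valid address with SNAT or MASQUERADE, and redirecting HTTP to squid) expressed as nat-table rules, as an added example that is not part of the original article. The interface names, the address 203.0.113.10, the 10.0.0.0/8 range, the server 10.0.0.80 and the squid port 3128 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Assumed setup: eth0 is the external
# interface carrying the valid address 203.0.113.10, eth1 faces the campus
# LAN using the pseudo (private) range 10.0.0.0/8, the internal WWW server is
# 10.0.0.80, and squid listens on port 3128 of the firewall itself.
# DRY_RUN=1 (default) prints each rule for review; DRY_RUN=0 applies it (as root).
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Case 1, destination NAT in PREROUTING: publish the internal WWW server on the
# valid address. Done before routing so the kernel routes on the new destination.
dnat_www() {
    run iptables -t nat -A PREROUTING -i eth0 -d 203.0.113.10 -p tcp --dport 80 \
        -j DNAT --to-destination 10.0.0.80:80
}

# Case 2, source NAT in POSTROUTING: the whole LAN leaves with the valid address.
# SNAT suits a static address; a dial-up link with a changing address uses MASQUERADE.
snat_lan() {
    run iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 \
        -j SNAT --to-source 203.0.113.10
}
masquerade_lan() {
    run iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o ppp0 -j MASQUERADE
}

# Case 3, redirection in PREROUTING: hand LAN HTTP to the local squid (transparent proxy).
redirect_http_to_squid() {
    run iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
        -j REDIRECT --to-ports 3128
}

# Without forwarding enabled the translated packets are never passed on.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

main() {
    enable_forwarding
    dnat_www
    snat_lan
    redirect_http_to_squid
}
main
```

Review the printed rules first; the reply direction of each translation is reversed automatically by the connection tracking in the nat table, so no rules are needed for the return packets.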

