iptables NAT principles
Like the filter table, the nat table also has three default chains:
- PREROUTING: target of DNAT rules.
Redirects external access to other hosts, such as internal servers or the DMZ.
Because routing checks only the destination IP address of the packet, the destination translation (PREROUTING DNAT) must be performed before routing;
the system performs the PREROUTING DNAT translation first, and filtering (FORWARD) and routing come afterwards.
The destination address matched by routing and by filtering (FORWARD) is therefore the one after PREROUTING DNAT.
- POSTROUTING: target of SNAT rules.
The rules in this chain are executed after routing;
the order is routing --> filter (FORWARD) --> POSTROUTING SNAT translation.
The source address matched by filtering is the one before translation.
- OUTPUT: DNAT rules for locally generated packets.
===================================== Intranet access to the Internet: -j SNAT =====================================
-j SNAT
-j SNAT: Source Network Address Translation. SNAT rewrites the source IP address of the packet.
SNAT can only be used in the POSTROUTING chain of the nat table
(valid only in the nat table, in the POSTROUTING chain).
-j SNAT --to-source ipaddr[-ipaddr][:port-port]
ipaddr:
- a single new source IP address
- a range of IP addresses
- or several --to-source options may be given; a simple round-robin takes place between these addresses.
port-port: a port range (only valid if the rule also specifies -p tcp or -p udp).
If no port range is specified, source ports below 512 are mapped to other ports below 512.
-j MASQUERADE
Use when the public address of the Internet interface is obtained dynamically, for example by DHCP or ADSL (PPPoE):
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
MASQUERADE --to-ports port[-port]
Only valid if the rule also specifies -p tcp or -p udp.
The most basic intranet-access SNAT with a fixed public address (the Internet interface address):
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source <your eth0 address>
Multiple internal segments: multiple SNAT statements.
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
If an address other than the Internet interface's own address is used for NAT, it must first be bound to the interface as an alias, for example eth0:1, eth0:2.
==================================== Access the intranet from the Internet: -j DNAT ====================================
DNAT
Only valid in the PREROUTING chain (and in OUTPUT for locally generated packets, see above)
--to-destination ipaddr[-ipaddr][:port-port]
DNAT: Destination Network Address Translation, rewriting the destination IP address of the packet
Typical DNAT example
External interface IP address: 210.83.2.206
Internal interface IP address: 192.168.1.1
FTP server: IP 192.168.1.3
Web server: IP 192.168.1.4
iptables -t nat -A PREROUTING -d 210.83.2.206 -p tcp --dport 21 -j DNAT --to-destination 192.168.1.3
iptables -t nat -A PREROUTING -d 210.83.2.206 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.4
DNAT static mapping
iptables has no static map like Cisco.
DNAT is used for load balancing (Cisco "rotary") across internal servers:
iptables -t nat -A PREROUTING -d 219.142.217.161 -j DNAT --to-destination 192.168.1.24-192.168.1.25
DNAT with port mapping (changing the server port)
An example of mapping an FTP server from 192.168.100.125:21 to 216.94.87.37:2121:
iptables -t nat -A PREROUTING -p tcp -d 216.94.87.37 --dport 2121 -j DNAT --to-destination 192.168.100.125:21
Usually, when the Internet accesses the intranet server through DNAT, the source address of the intranet server's response packet goes through another, independent SNAT process; it is not part of the DNAT static mapping process.
In this way, a p-t-p network application must have an SNAT that matches the DNAT.
For an application that passes through NAT and whose port number is changed by NAT, a separate SNAT must also be used to map the port of the returned packet:
iptables -t nat -A POSTROUTING -p tcp -s 192.168.100.125 --sport 21 -j SNAT --to-source 216.94.87.37:2121
Otherwise the FTP server replies to the client from port 21 while the Internet user sent its FTP request to 2121; receiving a reply from port 21, the client does not recognize it.
The above does not seem to be necessary. I have done experiments:
/sbin/iptables -t nat -A POSTROUTING -s 10.4.0.0/16 -o $wan_int -j SNAT --to-source 124.126.86.small
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.138 -p tcp --dport 2022 -j DNAT --to-destination 10.4.3.150:22
DNAT still needs a filter rule: DNAT is just a translation, and an ACCEPT is still required (and note that it is FORWARD, not INPUT).
/sbin/iptables -A FORWARD -i $wan_int -m state --state NEW -p tcp --dport 9000 -j ACCEPT
/sbin/iptables -A FORWARD -i $wan_int -m state --state NEW -p tcp --dport 9001 -j ACCEPT
/sbin/iptables -A FORWARD -i $wan_int -m state --state NEW -p tcp --dport 22 -j ACCEPT
########## nat chain ###############
/sbin/iptables -t nat -A POSTROUTING -s 10.4.0.0/16 -o $wan_int -j SNAT --to-source 124.126.86.small
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.138 -p tcp --dport 2022 -j DNAT --to-destination 10.4.3.150:22
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.138 -p tcp --dport 9001 -j DNAT --to-destination 10.4.3.150:9001
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.138 -p tcp --dport 9000 -j DNAT --to-destination 10.4.3.150:9000
The FORWARD rule for the DNAT'd traffic always failed. It turns out that the FORWARD rule is evaluated after the PREROUTING statement, that is, the FORWARD rule must match the new, translated port number.
At first we wrote the rule for the original port before translation, and found that both 9000 and 9001 passed, but 2022 was always unavailable.
/sbin/iptables -A FORWARD -i $wan_int -m state --state NEW -p tcp --dport 9000 -j ACCEPT
/sbin/iptables -A FORWARD -i $wan_int -m state --state NEW -p tcp --dport 9001 -j ACCEPT
/sbin/iptables -A FORWARD -i $wan_int -m state --state NEW -p tcp --dport 2022 -j ACCEPT
########## nat chain ###############
/sbin/iptables -t nat -A POSTROUTING -s 10.4.0.0/16 -o $wan_int -j SNAT --to-source 124.126.86.small
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.138 -p tcp --dport 2022 -j DNAT --to-destination 10.4.3.150:22
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.138 -p tcp --dport 9001 -j DNAT --to-destination 10.4.3.150:9001
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.138 -p tcp --dport 9000 -j DNAT --to-destination 10.4.3.150:9000
Later we found that 9000 and 9001 are translated with the port unchanged; only 2022 is translated from 2022 to 22.
FORWARD is executed after PREROUTING. By then 2022 has already been translated into 22, so of course it does not match a rule for 2022.
Correction:
/sbin/iptables -A FORWARD -i $wan_int -m state --state NEW -p tcp --dport 9000 -j ACCEPT
/sbin/iptables -A FORWARD -i $wan_int -m state --state NEW -p tcp --dport 9001 -j ACCEPT
/sbin/iptables -A FORWARD -i $wan_int -m state --state NEW -p tcp --dport 22 -j ACCEPT
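A check for exactly this mistake, added here and not part of the original post: it reads an iptables-save dump and reports, for every PREROUTING DNAT rule, whether the FORWARD chain accepts the translated port (protocol is ignored, only port numbers are compared). The dump below is constructed and the interface name eth1 is assumed; on a real host pass "$(iptables-save)" instead.

```sh
#!/bin/sh
# Lint for the "FORWARD must match the post-DNAT port" mistake.
# Input: an iptables-save dump. Protocol is ignored (port numbers only).
# Constructed sample dump: 2022 is DNAT'd to 22 but FORWARD accepts 2022 (wrong);
# 9001 is DNAT'd with the port unchanged (fine). Interface eth1 is assumed.
SAMPLE_DUMP='*nat
-A PREROUTING -d 124.126.86.138/32 -p tcp -m tcp --dport 2022 -j DNAT --to-destination 10.4.3.150:22
-A PREROUTING -d 124.126.86.138/32 -p tcp -m tcp --dport 9001 -j DNAT --to-destination 10.4.3.150:9001
-A POSTROUTING -s 10.4.0.0/16 -o eth1 -j SNAT --to-source 124.126.86.138
COMMIT
*filter
-A FORWARD -i eth1 -p tcp -m state --state NEW -m tcp --dport 2022 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m state --state NEW -m tcp --dport 9001 -j ACCEPT
COMMIT'

# rule_opt <option> <rule line>: print the value following <option>, if any.
rule_opt() {
    opt=$1; shift
    set -- $1
    while [ $# -gt 1 ]; do
        [ "$1" = "$opt" ] && { printf '%s' "$2"; return 0; }
        shift
    done
    return 1
}

# check_dnat_forward <dump>: one line per DNAT rule,
# "<public port> <translated port> ok|MISSING".
check_dnat_forward() {
    # Pass 1: ports accepted in FORWARD, as a space-separated list.
    fwd_ports=$(printf '%s\n' "$1" | grep -- '^-A FORWARD .*-j ACCEPT' |
        while read -r rule; do p=$(rule_opt --dport "$rule") && printf ' %s' "$p"; done)
    # Pass 2: for each DNAT rule, derive the port FORWARD will see and look it up.
    printf '%s\n' "$1" | grep -- '^-A PREROUTING .*-j DNAT' |
        while read -r rule; do
            pub=$(rule_opt --dport "$rule") || continue
            dst=$(rule_opt --to-destination "$rule")
            case $dst in *:*) xlated=${dst##*:} ;; *) xlated=$pub ;; esac   # no port: unchanged
            case " $fwd_ports " in
                *" $xlated "*) status=ok ;;
                *)             status=MISSING ;;
            esac
            printf '%s %s %s\n' "$pub" "$xlated" "$status"
        done
}

check_dnat_forward "$SAMPLE_DUMP"
```

On the sample it prints "2022 22 MISSING" and "9001 9001 ok", which is the situation the experiment above ran into.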
============================ NAT troubleshooting ============================
-i, -o parameter usage in NAT
In the PREROUTING chain only -i can be used, usually the Internet interface.
POSTROUTING and OUTPUT can only use -o, which is usually the Internet interface.
Linux iptables usually uses the Internet interface address as the NAT public address.
An error occurs when an address from the same network segment that is not on the Internet interface is used as the DNAT public address.
The cause of the failure: an address that is not on the Internet interface must first be bound to the interface before it can be used for DNAT, for example eth0:1, eth0:2.
Consecutive public addresses for SNAT (you must first bind them to sub-interfaces eth0:X):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 219.142.217.161-219.142.217.166
A consecutive address range like this can achieve load balancing: each flow is assigned one of the IP addresses at random.
There is no such thing as PAT. Reason: no RFC defines PAT;
PAT is a Cisco concept.
Linux implements complete NAT and NAPT (the port can be replaced, see RFC 3022).
However, the translated port is not bound to the local protocol stack, so it is not restricted by the local port resource of 65535.
The source port must be greater than 1024:
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -j SNAT --to-source 219.142.217.161:1024-32000
The source port of the packet is limited to 1024-32000 (a port range requires -p tcp or -p udp, so write one rule per protocol).
Port translation restrictions
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -p tcp -j MASQUERADE --to-ports 1024-30000
Source ports are translated only into the range 1024-30000 (--to-ports likewise requires -p tcp or -p udp).
Special handling of "intranet access to the Internet address of an intranet server"
- Intranet client 10.4.3.119 initiates an access request to the mapped address 124.126.86.138 (the public address of 10.4.3.150).
- After the firewall receives this request to 124.126.86.138, it finds a mapping to the internal server 10.4.3.150 by matching the policy table, and forwards the packet to the server 10.4.3.150 by plain routing.
- Server 10.4.3.150 receives the request, sees that the client with source address 10.4.3.119 is on the same network segment as itself, and therefore sends the response packet SYN+ACK directly to host 10.4.3.119 (without passing through the firewall).
- 10.4.3.119 is puzzled by this packet, because it never sent a connection request to 10.4.3.150 (only to 124.126.86.138), so it discards the response packet.
Solution: add a POSTROUTING SNAT for traffic to the intranet server 10.4.3.150.
/sbin/iptables -t nat -A POSTROUTING -s 10.4.0.0/16 -o $wan_int -j SNAT --to-source 124.126.86.small
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.138 -p tcp --dport 2022 -j DNAT --to-destination 10.4.3.150:22
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.138 -p tcp --dport 9001 -j DNAT --to-destination 10.4.3.150:9001
/sbin/iptables -t nat -A PREROUTING -d 124.126.86.138 -p tcp --dport 9000 -j DNAT --to-destination 10.4.3.150:9000
/sbin/iptables -t nat -A POSTROUTING -d 10.4.3.150 -j SNAT --to-source 10.4.0.198
This changes the source address of packets sent to the internal server 10.4.3.150 to the firewall's internal interface address 10.4.0.198, so the server's reply returns through the firewall.
In this way, the external address of the internal server can be accessed from the inside.
In the preceding example, the server is prevented from accessing its own public address on the Internet:
iptables -t nat -A PREROUTING -d 219.142.217.161 -j DNAT --to-destination 192.168.1.24
iptables -t nat -A PREROUTING -d 210.83.2.206 ! -s 192.168.1.24 -p tcp --dport 21 -j DNAT --to-destination 192.168.1.24
That is: ! -s <intranet server address> ... -j DNAT --to-destination <intranet server address>
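Putting the pieces of this page together as an added example (not the original post's script): a small POSIX sh helper that emits, for one published service, the PREROUTING DNAT, the FORWARD accept on the translated port, the hairpin SNAT for intranet clients, and the `! -s` exclusion of the server itself. The interface names, the firewall address 10.4.0.198, the 10.4.0.0/16 intranet and the default of printing the commands instead of running them are assumptions.

```sh
#!/bin/sh
# Emit the rules to publish one internal TCP service behind a DNAT.
# Defaults are assumptions/placeholders: set IPT=iptables (as root) to apply
# the rules instead of printing them.
IPT=${IPT:-echo iptables}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-10.4.0.0/16}
FW_LAN_IP=${FW_LAN_IP:-10.4.0.198}   # firewall's intranet interface address

# publish_service <public_ip> <public_port> <internal_ip> [<internal_port>]
# With no <internal_port> the port is left unchanged (like 9000/9001 above).
publish_service() {
    pub_ip=$1; pub_port=$2; int_ip=$3; int_port=${4:-$2}
    # 1. PREROUTING DNAT, before routing. The server itself is excluded
    #    (! -s) so it never reaches its own public address through the map.
    $IPT -t nat -A PREROUTING ! -s "$int_ip" -d "$pub_ip" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$int_ip:$int_port"
    # 2. FORWARD is evaluated after PREROUTING, so it must match the
    #    translated destination, not the public port.
    $IPT -A FORWARD -i "$WAN_IF" -d "$int_ip" -p tcp --dport "$int_port" \
        -m state --state NEW -j ACCEPT
    # 3. Hairpin: an intranet client hitting the public address is DNAT'd to
    #    the server on its own segment; SNAT the client to the firewall so the
    #    reply comes back through the firewall instead of going direct.
    #    (Such clients enter on the LAN interface; the FORWARD policy for
    #    LAN-to-LAN traffic is assumed to allow them.)
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$int_ip" -p tcp --dport "$int_port" \
        -j SNAT --to-source "$FW_LAN_IP"
}

# masquerade_lan <public_ip>: ordinary outbound SNAT for the whole intranet.
masquerade_lan() {
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$1"
}

# Example run with constructed addresses (124.126.86.138 as the public IP).
masquerade_lan 124.126.86.138
publish_service 124.126.86.138 2022 10.4.3.150 22
publish_service 124.126.86.138 9001 10.4.3.150
```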