Linux 2.4 NAT HOWTO


Linux 2.4 NAT HOWTO (Simplified Chinese version)
Rusty Russell, mailing list netfilter@lists.samba.org
$Revision: 1.3 $ $Date: 2002/06/05 13:21:56 $
Simplified Chinese translation by netsnake
Thanks to netmanforever@yahoo.com for the Traditional Chinese version
This document describes how to do masquerading, transparent proxying, port forwarding, and other forms of Network Address Translation.
1. Introduction
2. Official Site and List
2.1 What is NAT?
2.2 Why would I want to do NAT?
3. The two types of NAT
4. Quick conversion from 2.0 and 2.2 kernels
4.1 I just want masquerading! Help!
4.2 What about ipmasqadm?
5. Controlling what to NAT
5.1 Simple selection using iptables
5.2 Finer points of selecting what packets to mangle
6. Saying how to mangle the packets
6.1 Source NAT
6.1.1 Masquerading
6.2 Destination NAT
6.2.1 Redirection
6.3 Mappings in depth
6.3.1 Selection of multiple addresses in a range
6.3.2 Creating null NAT mappings
6.3.3 Standard NAT behaviour
6.3.4 Implicit source port mapping
6.3.5 What happens when NAT fails?
6.3.6 Multiple mappings, overlap and clashes
6.3.7 Altering the destination of locally generated connections
7. Special protocols
8. Caveats on NAT
9. Source NAT and routing
10. Destination NAT onto the same network
11. Thanks
1. Introduction
Welcome, gentle reader.
You are about to delve into the fascinating (and sometimes horrid) world of NAT: Network Address Translation. This HOWTO is meant to be your guide for the Linux 2.4 kernel and beyond.
In Linux 2.4, a piece of infrastructure called "netfilter" was introduced for mangling packets. A layer on top of it provides NAT; it is a complete rewrite compared with previous kernels.
(Translator's note: no suitable translation for "mangle" was found; sorry.)
(C) 2000 Paul 'Rusty' Russell. Licensed under the GNU GPL.

--------------------------------------------------------------------------------
 
2. Where is the official site and list?
There are three official sites:
Thanks to Filewatcher: http://netfilter.filewatcher.org
Thanks to the Samba Team and SGI: http://netfilter.samba.org
Thanks to Harald Welte: http://netfilter.gnumonks.org
You can reach all of them through the following sites:
http://www.netfilter.org and http://www.iptables.org
The official netfilter mailing list is listed at
http://www.netfilter.org/contact.html#list

--------------------------------------------------------------------------------
 
2.1 What is Network Address Translation?
Normally, packets on a network travel from their source (such as your home computer) to their destination (such as www.gnumonks.org) through many different links: about 19 from where I am in Australia. None of these links really alters your packet: they just send it onward.
(Translator's note: the links here should be taken to mean all the network nodes in between, hosts and routers alike. Strictly speaking, a router does not pass a packet on completely unchanged; it modifies at least one field, the TTL.)
If one of these links were to do NAT, it would alter the source or destination of the packet as it passes through. As you can imagine, this is not how the system was designed to work, and hence NAT is always something of a kludge. Usually the link doing NAT (host, server or router) remembers how it mangled a packet, and when a reply packet passes through the other way, it mangles that reply packet in the opposite direction, so everything keeps working.
(Translator's note: in this section "mangle" is best read as "modify".)

--------------------------------------------------------------------------------
 
2.2 Why would I want to do NAT?
In a perfect world, you wouldn't. Meanwhile, the main reasons are:
Modem connections to the Internet
Most ISPs give you a single IP address when you dial up to them. You can send out packets with any source address you want, but only replies to packets with this source IP address (the one from the ISP) will make it back to you. If you want to use several different machines (such as a home network) to connect to the Internet through this one link, you need NAT.
This is by far the most common use of NAT today, commonly known as "masquerading" in the Linux world. I call it SNAT (Source NAT, source address translation), because you change the source address of the first packet.
(Translator's note: for what the first packet of an IP datagram stream is, see the TCP/IP books.)
Multiple servers
Sometimes you want to change where packets heading into your network will go. Frequently this is because (as above) you have only one IP address, but you want people to be able to get into the boxes behind the one with the "real" IP address. If you rewrite the destination address of incoming packets, you can manage this. In earlier Linux versions this kind of NAT was called port forwarding.
A common variation of this is load balancing, where the mapping ranges over a set of machines, farming out packets to them. If you need to do this on a serious scale, look at the Linux Virtual Server: http://linuxvirtualserver.org
Transparent proxying
Sometimes you want to pretend that each packet that passes through your Linux box is destined for a program on the Linux box itself. This is used to make transparent proxies: a proxy is a program that stands between your network and the outside world, shuffling communication between the two. The transparent part is because your network won't even know it's talking to a proxy, unless of course the proxy doesn't work.
Squid can be configured to work this way, and it is called redirection or transparent proxying in previous Linux versions.

--------------------------------------------------------------------------------
 
3. The two types of NAT
I divide NAT into two different types: Source NAT (SNAT) and Destination NAT (DNAT). (Translator's note: below, SNAT and DNAT are left untranslated, standing for source NAT and destination NAT.)
Source NAT is when you alter the source address of the first packet: i.e. you are changing where the connection is coming from. Source NAT is always done post-routing, just before the packet goes out onto the wire. Masquerading is a specialised form of SNAT.
Destination NAT is when you alter the destination address of the first packet: i.e. you are changing where the connection is going to. Destination NAT is always done before routing, when the packet first comes off the wire. Port forwarding, load balancing, and transparent proxying are all forms of DNAT.

--------------------------------------------------------------------------------
 
4. Quick conversion from 2.0 and 2.2 kernels
I'm sorry if you are still reeling from the transition from 2.0 (ipfwadm) to 2.2 (ipchains). There is good news and bad news.
Firstly, you can simply use ipchains or ipfwadm as before. To do this, you need to insmod the "ipchains.o" or "ipfwadm.o" kernel module. These are mutually exclusive (you have been warned), and cannot be combined with any other netfilter module.
Once one of these modules is loaded, you can use ipchains and ipfwadm as normal, with the following differences:
Setting masquerading timeouts with ipchains -M -S, or ipfwadm -M -s, does nothing. Since the timeouts have moved into the new NAT infrastructure, this shouldn't matter.
The init_seq, delta and previous_delta fields in the verbose masquerade listing are always zero.
Zeroing and listing the counters at the same time with -Z -L no longer works: the counters will not be zeroed.
The backwards compatibility modules may not handle large numbers of connections efficiently: don't use them on your corporate gateway.
Developers should also note:
You can now bind to ports 61000 to 65095 even if you are doing masquerading. The masquerading code used to assume that anything in this range was its own, so programs could not use it.
The (undocumented) "getsockname" hack, which transparent proxies used to find out the real destination of connections, no longer works.
The (undocumented) "bind-to-foreign-address" hack is not implemented either: this was the idea for completing the illusion of transparent proxying.

--------------------------------------------------------------------------------
 
4.1 I just want masquerading! Help!
This is what most people want. If you have a dynamically allocated IP PPP dialup (if you don't know, you do), you simply want to tell your box that all packets coming from your internal network should be made to look like they are coming from the PPP dialup box.
# Load the NAT module (this pulls in all the others).
modprobe iptable_nat
# In the NAT table (-t nat), append a rule (-A) after routing (POSTROUTING)
# for all packets going out ppp0 (-o ppp0) which says to MASQUERADE the
# connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Turn on IP forwarding.
echo 1 > /proc/sys/net/ipv4/ip_forward
Note that you are not doing any packet filtering here: for that, see the Packet Filtering HOWTO.

--------------------------------------------------------------------------------
 
4.2 What about ipmasqadm?
This is a much more niche user base, so I don't feel the need to be backwards compatible. You can simply use "iptables -t nat" to do port forwarding. For example, in Linux 2.2 you would have done:
# Linux 2.2: forward TCP packets going to port 8080 on 1.2.3.4 to port 80 on 192.168.1.1.
ipmasqadm portfw -a -P tcp -L 1.2.3.4 8080 -R 192.168.1.1 80
Now you would do:
# Linux 2.4: append a rule before routing (-A PREROUTING) to the NAT table (-t nat)
# saying that TCP packets (-p tcp) going to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080)
# have their destination mapped (-j DNAT) to 192.168.1.1, port 80 (--to 192.168.1.1:80).
iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 8080 -j DNAT --to 192.168.1.1:80

--------------------------------------------------------------------------------
 
5. Controlling what to NAT
You need to create NAT rules which tell the kernel what connections to change, and how to change them. To do this, we use the very versatile iptables tool, and tell it to alter the NAT table by specifying the "-t nat" option.
The table of NAT rules contains three lists called "chains": each rule is examined in order until one matches. Two of the chains are called PREROUTING (for Destination NAT, checked as packets first come in) and POSTROUTING (for Source NAT, checked as packets leave); the third is OUTPUT, which will be ignored here.
The following diagram would illustrate it pretty well if I were artistic:
 
          _____                                     _____
         /     \                                   /     \
PREROUTING -->[Routing ]--------------------->POSTROUTING----->
         \D-NAT/     [Decision]                    \S-NAT/
                        |                              ^
                        |                              |
                        |                              |
                        |                              |
                        |                              |
                        |                              |
                        |                              |
                        --------> Local Process -------
 
At each of the points above, when a packet passes, we look up what connection it is associated with. If it's a new connection, we look up the corresponding chain in the NAT table to see what to do with it. The answer it gives will apply to all future packets on that connection.
(Translator's note: "connection" here means something like an HTTP session, not a physical line or node.)

--------------------------------------------------------------------------------
 
5.1 Simple selection using iptables
iptables takes a number of standard options, listed below. All the double-dash options can be abbreviated, as long as iptables can still tell them apart from all other possible options. If your kernel has iptables support as a module, you will need to load the ip_tables.o module first: insmod ip_tables
The most important option here is the table selection option, "-t". For all NAT operations, you will want to use "-t nat" for the NAT table. The second most important option is "-A" to append a new rule at the end of the chain (e.g. "-A POSTROUTING"), or "-I" to insert one at the beginning (e.g. "-I PREROUTING").
You can specify the source ("-s" or "--source") and destination ("-d" or "--destination") of the packets you want to NAT. These options can be followed by a single IP address (e.g. 192.168.1.1), a name (e.g. www.gnumonks.org), or a network address (e.g. 192.168.1.0/24 or 192.168.1.0/255.255.255.0 [Translator's note: the two are equivalent, just written differently]).
You can specify the incoming or outgoing interface to match, but which one you may specify depends on which chain you are putting the rule into: in PREROUTING you can only select the incoming interface, and in POSTROUTING you can only select the outgoing interface. If you use the wrong one, iptables will give an error.

--------------------------------------------------------------------------------
 
5.2 Finer points of selecting what packets to mangle
I said above that you can specify a source and destination address. If you omit the source address option, then any source address will do. If you omit the destination address, any destination address will do.
You can also specify a particular protocol ("-p" or "--protocol"), such as TCP or UDP; only packets of this protocol will match the rule. The main reason for doing this is that specifying a protocol of tcp or udp allows extra options: specifically the "--source-port" and "--destination-port" options (abbreviated as "--sport" and "--dport").
These options allow you to match only packets with a particular source and destination port. That's useful for redirecting web requests (TCP port 80 or 8080) and leaving others alone.
These options must follow the "-p" option (which has the side effect of loading the shared library extension for that protocol). You can use port numbers, or a name from the /etc/services file.
All the different qualities you can select a packet by are laid out in excruciating detail in the manual page (man iptables). (Translator's note: see the Chinese translation of the iptables man page.)

--------------------------------------------------------------------------------
 
6. Saying how to mangle the packets
Now we know how to select the packets we want to mangle. To complete our rule, we need to tell the kernel exactly what we want it to do to the packets.

--------------------------------------------------------------------------------
 
6.1 Source NAT
You want to do Source NAT: change the source address of connections to something different. This is done in the POSTROUTING chain, just as the packet is about to go out. This is an important detail, since it means that anything else on the Linux box itself (routing, packet filtering) will see the packet unchanged. It also means that the "-o" (outgoing interface) option can be used.
Source NAT is specified using "-j SNAT", and the "--to-source" option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).
## Change source addresses to 1.2.3.4.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
 
## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
 
## Change source addresses to 1.2.3.4, ports 1-1023.
# iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023

--------------------------------------------------------------------------------
 
6.1.1 Masquerading
There is a specialised case of Source NAT called masquerading: it should only be used for dynamically-assigned IP addresses, such as standard dialups (for static IP addresses, use SNAT above).
You don't need to put in the source address explicitly with masquerading: it will use the address of the interface the packet is going out from. But more importantly, if the link goes down, the connections (which are lost anyway) are forgotten, meaning there are fewer glitches when the link comes back up with a new IP address (replies to packets sent before the link dropped would otherwise cause trouble).
## Masquerade everything out ppp0.
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

--------------------------------------------------------------------------------
 
6.2 Destination NAT
This is done in the PREROUTING chain, just as the packet comes in; this means that anything else on the Linux box itself (routing, packet filtering) will see the packet going to its "real" destination. It also means that the "-i" (incoming interface) option can be used.
Destination NAT is specified using "-j DNAT", and the "--to-destination" option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).
## Change destination addresses to 5.6.7.8.
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8
## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
## Change destination addresses of web traffic to 5.6.7.8, port 8080.
# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 5.6.7.8:8080

--------------------------------------------------------------------------------
 
6.2.1 Redirection
There is a specialised case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface.
## Send incoming port-80 web traffic to our squid (transparent) proxy.
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
Note that squid needs to be configured to run as a transparent proxy.

--------------------------------------------------------------------------------
 
6.3 Mappings in depth
There are some subtleties to NAT which most people won't need to deal with.

--------------------------------------------------------------------------------
 
6.3.1 Selection of multiple addresses in a range
If a range of IP addresses is given, the address to use is chosen as the one currently least used for the machine the connection comes from. This gives primitive load balancing.

--------------------------------------------------------------------------------
 
6.3.2 Creating null NAT mappings
You can use the "-j ACCEPT" target to let a connection through without any NAT taking place.

--------------------------------------------------------------------------------
 
6.3.3 Standard NAT behaviour
The default NAT behaviour is to alter the connection as little as possible, within the constraints of the rule given by the user. This means no port remapping unless it is necessary.

--------------------------------------------------------------------------------
 
6.3.4 Implicit source port mapping
Even if no NAT is required for a connection, source port translation may still occur implicitly, if another connection has been mapped over the new one. Consider the masquerading case, which is fairly common:
1. A web connection is established from 192.168.1.1 port 1024 to www.netscape.com port 80.
2. It is masqueraded to use the masquerading box's IP address (1.2.3.4).
3. The masquerading box tries to make a web connection to www.netscape.com port 80 from 1.2.3.4 (its external interface address) port 1024.
4. The NAT code will alter the second connection's source port to 1025, so that the two connections don't clash.
When this implicit source mapping occurs, ports are divided into three classes:
Ports below 512
Ports between 512 and 1023
Ports 1024 and above
A port will never be implicitly mapped into a different class.

--------------------------------------------------------------------------------
 
6.3.5 What happens when NAT fails?
If there is no way to uniquely map a connection as the user requests, the packet will be dropped. This also applies to packets which could not be classified as part of any connection, because they are malformed or the box is out of memory.

--------------------------------------------------------------------------------
 
6.3.6 Multiple mappings, overlap and clashes
You can have NAT rules which map packets onto the same range; the NAT code is smart enough to avoid clashes. Hence having two rules which map the source addresses 192.168.1.1 and 192.168.1.2 respectively onto 1.2.3.4 is fine.
Moreover, you can map over real IP addresses that are in use, as long as those addresses pass through the mapping box as well. So if you have an assigned network (1.2.3.0/24), but one internal network uses those addresses and another uses the private addresses 192.168.1.0/24, you can simply NAT the 192.168.1.0/24 source addresses onto the 1.2.3.0 network without fear of clashes:
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to 1.2.3.0-1.2.3.255
The same logic applies to the addresses used by the NAT box itself: this is how masquerading works (the masqueraded packets and the "real" packets coming from the box itself share an interface address).
Moreover, you can map the same packets onto many different targets, and they will be shared. For example, if you don't want to map anything onto 1.2.3.5, you could do:
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to 1.2.3.0-1.2.3.4 --to 1.2.3.6-1.2.3.254

--------------------------------------------------------------------------------
 
6.3.7 Altering the destination of locally generated connections
The NAT code allows you to insert DNAT rules in the OUTPUT chain, but this is not fully supported in 2.4 (it can be done, but it requires a new config option and some testing code, so unless someone feels like writing that code, I don't expect it soon).
The current limitation is that you can only change the destination to the local machine (e.g. "-j DNAT --to 127.0.0.1"), not to any other machine; otherwise the replies won't be translated correctly.

--------------------------------------------------------------------------------
 
7. Special protocols
Some protocols do not like being NATed. For each of these protocols, two extensions must be written: one for the connection tracking of the protocol, and one for the actual NAT.
Inside the netfilter distribution, there are currently modules for FTP: ip_conntrack_ftp.o and ip_nat_ftp.o. If you insert these into your kernel (or compile them in permanently), any NAT on FTP connections should be possible. If you don't, you can use passive FTP, but that may not work reliably if you are doing Source NAT.

--------------------------------------------------------------------------------
 
8. Caveats on NAT
If you are doing NAT on a connection, all packets going in both directions (in and out of the network) must pass through the NAT box, or it will not work reliably. In particular, the connection tracking code reassembles fragments, which means that not only will connection tracking be unreliable, but your packets may not get through at all, as the fragments are held back.

--------------------------------------------------------------------------------
 
9. Source NAT and routing
If you are doing SNAT, you will want to make sure that every machine the SNAT'ed packets go to will send its replies back to the NAT box. For example, if you are mapping some outgoing packets onto the source address 1.2.3.4, the external router must know to send the reply packets (destined for 1.2.3.4) back to the NAT box. This can be done in the following ways:
1. If you are doing SNAT onto the box's own address (for which routing and everything else already works), you don't need to do anything.
2. If you are doing SNAT onto an unused address on the local LAN (for example, you are mapping onto 1.2.3.99, a spare IP on your 1.2.3.0/24 network), your NAT box will need to answer ARP requests for that address (99) as well as for its own. The easiest way to do this is to create an IP alias, e.g.:
# ip address add 1.2.3.99 dev eth0
3. If you are doing SNAT onto a completely different address, you will have to make sure that the machines the SNAT'ed packets arrive at will route back to the NAT box. If the NAT box is their default gateway, this is already the case; otherwise you will need to advertise a route (if running a routing protocol) or manually add routes to each machine involved.

--------------------------------------------------------------------------------
 
10. Destination NAT onto the same network
If you are doing port forwarding back to the same network, you need to make sure that both future packets and reply packets pass through the NAT box (so they can be altered). The NAT code now (as of 2.4.0-test6) blocks the outgoing ICMP redirect which would be generated when the NAT'ed packet goes out the same interface it came in on, but the receiving server will still try to reply directly to the client (which won't recognise the reply).
The classic case is that internal staff try to access your "public" web server, which is actually DNAT'ed from the public address (1.2.3.4) to an internal machine (192.168.1.1), like so:
# iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to 192.168.1.1
One way is to run an internal DNS server which knows the real (internal) IP address of your public web site, and forwards all other requests to an external DNS server. This means that the logging on your web server will show the internal IP addresses correctly.
The other way is to have the NAT box also map the source IP address of such connections onto its own address, so that the server sends its replies back through it. In this example, we would do the following (assuming the internal IP address of the NAT box is 192.168.1.250):
# iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 -p tcp --dport 80 -j SNAT --to 192.168.1.250
Because the PREROUTING rule gets run first, the packets will already be destined for the internal web server: we can tell which ones are internally sourced by their source IP addresses.
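As an added illustration (not code from this HOWTO or from netfilter), the following Python model plays out the behaviour described in sections 5, 6.3.4 and 10: the first packet of a connection picks its mapping in PREROUTING and POSTROUTING, later packets and replies reuse that mapping, a clashing source port is remapped within its class, and the same-network DNAT case is run with and without the extra SNAT rule. The interface names, the client address 192.168.1.7 and its port 3000 are assumed for the demo.

```python
from collections import namedtuple

# Constructed toy model of the NAT-table semantics this HOWTO describes (not
# netfilter code): a connection's first packet consults PREROUTING (DNAT) then
# POSTROUTING (SNAT/MASQUERADE); the mapping is stored and reused for all later
# packets of that connection and for its replies. Rule match keys are src,
# sport, dst, dport, i (incoming interface) and o (outgoing interface).
Tuple4 = namedtuple("Tuple4", "src sport dst dport")

def port_class(port):
    """Implicit source-port remapping never crosses these three classes."""
    return 0 if port < 512 else 1 if port < 1024 else 2

def _match(value, want):
    if isinstance(want, str) and want.endswith("/24"):  # e.g. -s 192.168.1.0/24
        return value.rsplit(".", 1)[0] == want[:-3].rsplit(".", 1)[0]
    return value == want

class NatBox:
    def __init__(self, ifaces):
        self.ifaces = ifaces          # iface -> its IP (what MASQUERADE uses)
        self.pre, self.post = [], []  # rules as (match dict, target, argument)
        self.conns = {}               # original tuple -> translated tuple

    def rule(self, chain, target, arg=None, **match):
        (self.pre if chain == "PREROUTING" else self.post).append((match, target, arg))

    def _first_hit(self, rules, t, in_if, out_if):
        env = dict(t._asdict(), i=in_if, o=out_if)
        for match, target, arg in rules:  # rules are checked in order
            if all(_match(env[k], v) for k, v in match.items()):
                return target, arg
        return None, None

    def _free_sport(self, trans):
        # Keep the port unless the translated tuple clashes with an existing one;
        # then search upwards without leaving the class (simplified from netfilter).
        used, port = set(self.conns.values()), trans.sport
        while trans._replace(sport=port) in used:
            port += 1
            if port_class(port) != port_class(trans.sport):
                raise RuntimeError("no unique mapping possible: packet dropped")
        return port

    def _new_connection(self, t, in_if, out_if):
        trans, (target, arg) = t, self._first_hit(self.pre, t, in_if, out_if)
        if target == "DNAT":              # "ip" only; "ip:port" would also set dport
            trans = trans._replace(dst=arg)
        target, arg = self._first_hit(self.post, trans, in_if, out_if)
        if target == "MASQUERADE":
            trans = trans._replace(src=self.ifaces[out_if])
        elif target == "SNAT":
            trans = trans._replace(src=arg)
        self.conns[t] = trans = trans._replace(sport=self._free_sport(trans))
        return trans

    def packet(self, t, in_if=None, out_if=None):
        """Return the 4-tuple with which this packet leaves the box."""
        if t in self.conns:                          # later packet, same direction
            return self.conns[t]
        for orig, trans in self.conns.items():       # reply: undo the mapping
            if t == Tuple4(trans.dst, trans.dport, trans.src, trans.sport):
                return Tuple4(orig.dst, orig.dport, orig.src, orig.sport)
        return self._new_connection(t, in_if, out_if)

def demo_implicit_port_mapping():
    # Section 6.3.4: the box's own 1.2.3.4:1024 clashes with a masqueraded one.
    box = NatBox({"ppp0": "1.2.3.4"})
    box.rule("POSTROUTING", "MASQUERADE", o="ppp0")
    box.packet(Tuple4("192.168.1.1", 1024, "www.netscape.com", 80), "eth0", "ppp0")
    local = box.packet(Tuple4("1.2.3.4", 1024, "www.netscape.com", 80), None, "ppp0")
    reply = box.packet(Tuple4("www.netscape.com", 80, "1.2.3.4", 1024), "ppp0", "eth0")
    return local.sport, reply.dst   # (1025, "192.168.1.1"): reply still reaches the client

def demo_same_network(with_snat):
    # Section 10: client 192.168.1.7 reaches the public address DNAT'ed to 192.168.1.1.
    box = NatBox({"eth1": "192.168.1.250"})
    box.rule("PREROUTING", "DNAT", "192.168.1.1", dst="1.2.3.4", dport=80)
    if with_snat:  # the extra rule from section 10 that forces replies back through the box
        box.rule("POSTROUTING", "SNAT", "192.168.1.250", dst="192.168.1.1", src="192.168.1.0/24", dport=80)
    trans = box.packet(Tuple4("192.168.1.7", 3000, "1.2.3.4", 80), "eth1", "eth1")
    if trans.src == "192.168.1.7":  # server would answer the client directly, bypassing the box
        return trans.src, None
    reply = box.packet(Tuple4("192.168.1.1", 80, trans.src, 3000), "eth1", "eth1")
    return trans.src, reply.src     # ("192.168.1.250", "1.2.3.4")
```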

--------------------------------------------------------------------------------
 
11. Thanks
Thanks first to WatchGuard, and David Bonn, who believed in the netfilter idea enough to support me while I worked on it. And to everyone else who put up with my ranting as I learned about the ugliness of NAT, especially those who read my diary.
