Linux Tutorial: How to Use iptables to implement Nat

This article describes how to use iptbales to implement the powerful NAT Function under linux2.4. For more information about the syntax of iptables, see the article "using iptales to implement a firewall with excessive packet forwarding rate. What needs to be affirmed is that this article is definitely not a simple repetition of the NAT-HOWTO or the Chinese version, in the whole narrative process, the author is trying to express his understanding, his own thoughts in his own language.
I. Overview
1. What is Nat
In the traditional standard TCP/IP communication process, all routers only act as a man-in-the-middle, that is, storage forwarding. The Router does not modify the forwarded packets, more specifically, the vro will not modify the forwarded packets except for replacing the source MAC address with its own MAC address. Network Address Translation (NAT) is an operation that modifies the source IP address, destination IP address, source port, and destination port of a data packet for special purposes. In a network, you can customize the IP address as needed without application. In the network, computers communicate through internal IP addresses. When the internal computer needs to communicate with the external internet, the device with the NAT Function (such as a router) converts an internal IP address to a valid IP address (that is, the requested IP address) for communication.
2. Why Nat?
Let's see under what circumstances we need to perform Nat.
Assume that an ISP provides Internet access services in the campus. To facilitate management, the IP addresses assigned by the ISP to the campus users are all pseudo IP addresses, but some users require that their WWW servers be set up to publish information, in this case, we can use NAT to provide such services. We can bind multiple valid IP addresses to the external network card of the firewall, and then forward packets sent to one of the IP addresses to a user's WWW server through NAT technology, then, the response packet of the internal WWW server is disguised as the package sent by the legal IP address.
For example, Internet cafes that use dial-up Internet access, because there is only one valid IP address, some means must be used to allow other machines to access the Internet. Generally, the proxy server is used, but the proxy server, in particular, the application layer proxy server can only support limited protocols. If a new service comes out after a while, you can only wait for the proxy server to support the upgraded version of the new application. If Nat is used to solve this problem,
Nat not only achieves high access speeds, but also supports any new services or applications seamlessly.
Another aspect of the application is redirection, that is, when a packet is received, the packet is not forwarded, but redirected to an application on the system. The most common application is to use it with squid as a transparent proxy. It caches HTTP traffic and provides seamless access to the Internet.
3. Nat type
In the NAT-HOWTO of linux2.4, the author divides NAT into two types from the perspective of principle, that is, source NAT (SNAT) and destination NAT (DNAT), as the name suggests, SNAT is to change the source address of the forwarded data packet, and DNAT is to change the destination address of the forwarded data packet.
Ii. Principles
As we mentioned in the article "using iptales to implement a firewall with excessive packaging considerations", netfilter is a general architecture at the core of Linux and provides a series of "tables" (tables ), each table is composed of several "chains", and each chain can contain one or more rules. The default table is "filter ". However, when using NAT, the table we use is no longer a "filter", but a "Nat" table, therefore, we must use the "-T Nat" option to explicitly specify this. Because the default table is "filter", we do not need to explicitly specify "-T filter" when using the filter function ".
Like the filter table, the NAT table also has three default "chains" (chains). These three chains are also rule containers. They are:
Prerouting: You can define the rules for destination Nat here, because the router only checks the destination IP address of the data packet during routing, so in order to make the data packet can be correctly routed, we must perform destination Nat before routing;
Postrouting: You can define the source Nat rules here. The system will execute the rules in the chain after determining the route of the data packet.
Output: defines the destination Nat rule for locally generated packets.
Iii. Operation syntax

As mentioned above, when using the iptables NAT Function, we must use the "-T Nat" display in each rule to use the NAT table. Use the following options:
1. Operations on Rules
Add (append) a new rule to the end of a chain (-.
Insert a new rule (-I) at a location in the chain, usually at the beginning.
Replace a rule (-R) at a certain position in the chain ).
Delete a rule (-d) at a location in the chain ).
Delete the first rule (-d) in the chain ).
2. Specify the source address and Destination Address
Use -- source/-- src/-S to specify the source address (here/Represents or means, the same below), and use -- destination/-- DST/-S to specify the destination address. You can use the following four methods to specify an IP Address:
A. Use a complete domain name, such as "www.linuxaid.com.cn ";
B. Use an IP address, such as "192.168.1.1 ";
C. Use x. x/x. x to specify a network address, such as "192.168.1.0/255.255.255.0 ";
D. use X. x. x. x/x specifies a network address. For example, "192.168.1.0/24" indicates the number of valid digits of the subnet mask, which is usually used in UNIX environments.
The default subnet mask number is 32, that is, specifying 192.168.1.1 is equivalent to 192.168.1.1/32.
3. Specify Network Interfaces
You can use -- In-Interface/-I or -- Out-Interface/-O to specify network interfaces. From the principle of Nat, we can see that for the prerouting chain, we can only use-I to specify the incoming network interface; For postrouting and output, we can only use the network interface specified by-o.
4. Specify the protocol and Port
You can use the -- protocol/-P option to specify the Protocol. For UDP and TCP Protocols, you can also specify the port using -- source-Port/-- Sport and -- destination-Port/-- dport.
4. Preparations
1. Compile the kernel and select the following options during compilation. For details, see the article "using iptales to implement a firewall with excessive considerations:
Full Nat
Masquerade target support
Redirect target support
2. To use a NAT table, you must first load the relevant modules:
Modprobe ip_tables
Modprobe ip_nat_ftp
The iptable_nat module is automatically loaded at runtime.
V. Use instances
1. Source NAT (SNAT)
For example, change the source IP address of all data packets from 192.168.1.0/24 to 1.2.3.4:
Iptables-T Nat-A postrouting-s 192.168.1.0/24-O eth0-j snat -- To 1.2.3.4
It should be noted that the system does not perform SNAT until the packets are sent out during routing and overconsideration.
There is a special case of SNAT which IP spoofing is called masquerading. We recommend that you use it when using dial-up Internet access, or use it when the valid IP address is not fixed. For example
# Iptables-T Nat-A postrouting-O ppp0-J Masquerade
We can see that there is no need to explicitly specify the source IP address and other information at this time.
2. Destination SNAT (DNAT)
For example, change the destination IP address of all data packets from 192.168.1.0/24 to 1.2.3.4:
Iptables-T Nat-A prerouting-s 192.168.1.0/24-I eth1-J DNAT -- To 1.2.3.4
Note that the system performs DNAT before routing and excessive consideration.
There is a special situation of DNAT, that is, the so-called redirection, which is equivalent to changing the destination IP address of the qualified data packet to the IP address of the network interface when the data packet enters the system. It is usually used to form a transparent proxy with squid configuration. Assuming that the listening port of squid is 3128, we can use the following statement to import data from 192.168.1.0/24, the packet destined for port 80 is redirected to the squid listener.
Port:
Iptables-T Nat-A prerouting-I eth1-P TCP-s 192.168.1.0/24 -- dport 80
-J redirect -- to-port 3128
6. Comprehensive examples
1. Use dialing to drive LAN Access
Small enterprises and Internet cafes use dial-up networks to access the Internet. Usually, proxies are used. However, considering costs and protocol support, we recommend that you use IP spoofing to enable Internet access in the area network.
After the kernel is successfully upgraded, install iptables and execute the following script:
# Load related modules
Modprobe ip_tables
Modprobe ip_nat_ftp
# Mask IP addresses
Iptables-T Nat-A postrouting-O ppp0-J Masquerade
2. IP ing
Assume that an ISP provides Internet access to the campus. To facilitate management, the IP addresses assigned by the ISP to the campus users are all pseudo IP addresses, but some users require that their WWW servers be set up to publish information. We can bind multiple valid IP addresses to the external network card of the firewall, and then forward packets sent to one of the IP addresses to the internal WWW server of a user through IP ing, then, the response packet of the internal WWW server is disguised as the package sent by the legal IP address.
Let's assume the following scenarios:
The IP address assigned by this ISP to a WWW server is:
Pseudo IP: 192.168.1.100
Real IP: 202.110.123.100
The IP address assigned by this ISP to B's WWW server is:
Pseudo IP: 192.168.1.200
Real IP: 202.110.123.200
The IP addresses of the Linux firewall are:
Intranet interface eth1: 192.168.1.1
Internet interface eth0: 202.110.123.1
Then, we bind the real IP addresses allocated to units A and B to the firewall's Internet interface and run the following command as root:
Ifconfig eth0 add 202.110.123.100 netmask 255.255.255.0
Ifconfig eth0 add 202.110.123.200 netmask 255.255.255.0
After the kernel is successfully upgraded, install iptables and execute the following script:
# Load related modules
Modprobe ip_tables
Modprobe ip_nat_ftp
First, perform the destination NAT (DNAT) on all packets received by the firewall with the destination IP address 202.110.123.100 and 202.110.123.200 ):
Iptables-A prerouting-I eth0-D 202.110.123.100-J DNAT -- To 192.168.1.100
Iptables-A prerouting-I eth0-D 202.110.123.200-J DNAT -- To 192.168.1.200
Next, perform source NAT (SNAT) on the packets received by the firewall with the source IP addresses 192.168.1.100 and 192.168.1.200 ):
Iptables-A postrouting-O eth0-s 192.168.1.100-j snat -- To 202.110.123.100
Iptables-A postrouting-O eth0-s 192.168.1.200-j snat -- To 202.110.123.200
In this way, all data packets whose destination IP addresses are 202.110.123.100 and 202.110.123.200 will be forwarded to 192.168.1.100 and 192.168.1.200 respectively; all data packets from 192.168.1.100 and 192.168.1.200 are disguised as IP ing from 202.110.123.100 and 202.110.123.200.