The nat table uses three chains:
1. PREROUTING: destination NAT rules are defined here. During routing the kernel only looks at the destination IP address of a packet, so the destination must be rewritten before the routing decision for the packet to be routed correctly.
2. POSTROUTING: source NAT rules are defined here. The rules in this chain are applied after the route for the packet has been decided.
3. OUTPUT: destination NAT rules for packets generated locally on the NAT host.
Available targets (written in upper case):
| Target | Purpose |
| REDIRECT | Redirects packets to a port on the local host. Commonly used to build a transparent proxy or to expose some internal services. |
| SNAT | Changes the source address of a packet. |
| DNAT | Changes the destination address of a packet. |
| MASQUERADE | IP masquerading; only for dynamic dial-up connections such as ADSL, where the public IP changes. If the host has a static IP address, use SNAT instead. |
PREROUTING: DNAT and REDIRECT (before routing); only -i is supported, not -o. The destination address is changed before the routing decision.
POSTROUTING: SNAT and MASQUERADE; only -o is supported, not -i. The source address is changed after the routing decision.
OUTPUT: DNAT and REDIRECT (local); these rules handle outbound packets generated by the NAT host itself.
1. Enable kernel packet forwarding.
To implement NAT, set the value in the file /proc/sys/net/ipv4/ip_forward to 1 (the default is 0).
2. Configure the different NAT actions.
1) MASQUERADE: IP masquerading, used with dynamically allocated IP addresses. Add a rule to the POSTROUTING chain of the nat table so that every packet leaving ppp0 is masqueraded:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
To set up NAT automatically at boot, add the following to a startup script:
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
2) SNAT: generally used for ordinary Internet connection sharing.
Change the source address of all packets leaving eth0 (the external NIC) to 61.99.28.1. A source network segment is given here with -s; it is usually omitted.
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 61.99.28.1
3) DNAT: used for "smart DNS".
Smart DNS: whatever DNS server address the client has configured, its queries are directed to the DNS IP chosen on the server side.
Before routing, all packets arriving on eth0 (the intranet NIC) for port 53 are sent to the server 1.2.3.4 for resolution:
iptables -t nat -I PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 1.2.3.4:53
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 53 -j DNAT --to-destination 1.2.3.4:53
4) REDIRECT: redirection, required for a squid transparent proxy.
All requests arriving on eth1 for ports 80 and 82 are redirected to local port 80, where squid handles them:
iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport --dports 80,82 -j REDIRECT --to-ports 80
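The steps above, put together as one reviewable script (an added example, not from the original page). It assumes eth0 is the external NIC, eth1 the internal one, and uses the addresses from the examples; with DRY_RUN=1 (the default) each rule is printed instead of applied, so the rule set can be checked before it is loaded into a live firewall.

```shell
#!/bin/sh
# Added example, not from the original page: generate the NAT rule set described
# above for a small router. Interface names and addresses are assumptions.
# DRY_RUN=1 (default) prints each rule instead of applying it.
WAN_IF="${WAN_IF:-eth0}"               # external NIC (assumed)
LAN_IF="${LAN_IF:-eth1}"               # internal NIC (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # internal network
WAN_IP="${WAN_IP:-61.99.28.1}"         # static public IP; empty means dynamic IP
DNS_SERVER="${DNS_SERVER:-1.2.3.4}"    # resolver every LAN client is sent to
PROXY_PORT="${PROXY_PORT:-80}"         # local port the transparent proxy listens on
DRY_RUN="${DRY_RUN:-1}"

# run_rule: print the command in dry-run mode, execute it otherwise
run_rule() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: without ip_forward=1 the kernel does not forward packets, so no NAT happens
enable_forwarding() {
    run_rule sysctl -w net.ipv4.ip_forward=1
}

# Source NAT on the external NIC: SNAT for a static address, MASQUERADE for a dynamic one
source_nat_rule() {
    if [ -n "$WAN_IP" ]; then
        run_rule iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    else
        run_rule iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    fi
}

# Destination NAT: every DNS query (UDP and TCP port 53) from the LAN goes to DNS_SERVER
dns_dnat_rules() {
    for proto in udp tcp; do
        run_rule iptables -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
            -j DNAT --to-destination "${DNS_SERVER}:53"
    done
}

# REDIRECT: web requests on ports 80 and 82 from the LAN land on the local proxy port
proxy_redirect_rule() {
    run_rule iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp -m multiport --dports 80,82 \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

apply_nat() {
    enable_forwarding; source_nat_rule; dns_dnat_rules; proxy_redirect_rule
}

apply_nat
```

Run it as root with DRY_RUN=0 to apply the rules; leave WAN_IP empty on a dial-up host to get the MASQUERADE variant.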