Linux 2.4 NAT HOWTO (Simplified Chinese version)

Rusty Russell, mailing list netfilter@lists.samba.org
$Revision: 1.3 $ $Date: 2002/06/05 13:21:56 $
Simplified Chinese translation: netsnake
Thanks to netmanforever@yahoo.com for the Traditional Chinese translation
This document describes how to do masquerading, transparent proxying, port forwarding, and other forms of Network Address Translation with the Linux 2.4 kernel.

1. Introduction
2. Where is the official site, and the list?
2.1 What is Network Address Translation?
2.2 Why do I want to do NAT?
3. The two types of NAT
4. Quick transition from 2.0 and 2.2 kernels
4.1 I just want masquerading! Help!
4.2 What about ipmasqadm?
5. Controlling what to NAT
5.1 Simple selection using iptables
5.2 Finer points of selecting what packets to mangle
6. Saying how to mangle the packets
6.1 Source NAT
6.1.1 Masquerading
6.2 Destination NAT
6.2.1 Redirection
6.3 Mappings in depth
6.3.1 Selecting multiple addresses in a range
6.3.2 Creating null NAT mappings
6.3.3 Standard NAT behaviour
6.3.4 Implicit source port mapping
6.3.5 What happens when NAT fails
6.3.6 Multiple mappings, overlap and clashes
6.3.7 Altering the destination of locally generated connections
7. Special protocols
8. Caveats on NAT
9. Source NAT and routing
10. Destination NAT onto the same network
11. Thanks
1. Introduction
Welcome, gentle reader.
You are about to delve into the fascinating (and sometimes horrid) world of NAT: Network Address Translation. This HOWTO is your guide for the Linux 2.4 kernel and beyond.
In Linux 2.4, a piece of infrastructure called "netfilter" was introduced for mangling packets. A layer on top of this provides NAT, which is completely reimplemented compared with the previous kernels.
(Translator's note: no suitable Chinese rendering of "mangle" was found. Sorry.)
(C) 2000 Paul 'Rusty' Russell. Licensed under the GNU GPL.
2. Where is the official site, and the list?
There are three official sites:
o Thanks to Filewatcher: http://netfilter.filewatcher.org
o Thanks to the Samba team and SGI: http://netfilter.samba.org
o Thanks to Harald Welte: http://netfilter.gnumonks.org
You can reach all of them through the following round-robin sites:
http://www.netfilter.org and http://www.iptables.org
The official netfilter mailing list is described at
http://www.netfilter.org/contact.html#list
2.1 What is Network Address Translation?
Normally, (IP) packets on a network travel from their source (such as your home computer) to their destination (such as www.gnumonks.org) through many different links: about 19 of them from where I am in Australia. None of these links really alter your packet: they just send it onward.
(Translator's note: "links" here should be understood as all network nodes, hosts and routers alike. In practice a router does not forward a packet completely unchanged; it modifies at least the TTL.)
If one of these links were to do NAT, it would alter the source or destination of the packet as it passes through. As you can imagine, this is not how the system was designed to work, and hence NAT is always something of a kludge. Usually the link doing NAT (host, server or router) remembers how it mangled a packet, and when a reply packet passes through the other way, it does the reverse mangling on that reply packet, so everything keeps working.
(Translator's note: in this section "mangle" is better understood simply as "modify".)
2.2 Why do I want to do NAT?
In a perfect world, you wouldn't. Meanwhile, the main reasons are:
Modem connections to the Internet
Most ISPs give you a single IP address when you dial up to them. You can send out packets with any source address you want, but only replies to packets with this (ISP-assigned) source address will make it back to you. If you want to use multiple different machines (such as a home network) to connect to the Internet through this one link, you will need NAT.
This is by far the most common use of NAT today, commonly known as "masquerading" in the Linux world. I call it SNAT (Source NAT, source address translation), because you change the source address of the first packet.
(Translator's note: for details on the first packet of an IP connection, consult a TCP/IP reference.)
Multiple servers
Sometimes you want to change where packets heading into your network will go. Frequently this is because (as above) you have only one IP address, but you want people to be able to get into the boxes behind the one with the "real" IP address. If you rewrite the destination of incoming packets, you can manage this. This type of NAT was called port forwarding under previous versions of Linux.
A common variation of this is load sharing, where the mapping ranges over a set of machines, fanning out packets to them. If you are doing this on a serious scale, you may want to look at Linux Virtual Server: http://linuxvirtualserver.org
Transparent proxying
Sometimes you want to pretend that each packet which passes through your Linux box is destined for a program on the Linux box itself. This is used to make transparent proxies: a proxy is a program which stands between your network and the outside world, shuffling communication between the two. The transparent part is because your network does not even know it is talking to a proxy, unless of course the proxy does not work.
Squid can be configured to work this way, and it is called redirection or transparent proxying under previous Linux versions.
3. The two types of NAT
I divide NAT into two different types: Source NAT (SNAT) and Destination NAT (DNAT). (Translator's note: SNAT and DNAT are not translated below; "source NAT" and "destination NAT" are used directly.)
Source NAT is when you alter the source address of the first packet: that is, you are changing where the connection is coming from. Source NAT is always done post-routing, just before the packet goes out onto the wire. Masquerading is a specialised form of SNAT.
Destination NAT is when you alter the destination address of the first packet: that is, you are changing where the connection is going to. Destination NAT is always done before routing, as soon as the packet comes in off the wire. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.
4. Quick transition from 2.0 and 2.2 kernels
If you are still in transition from 2.0 (ipfwadm) to 2.2 (ipchains), I am sorry. There is good news and bad news.
Firstly, you can use ipchains or ipfwadm just as before. To do this, you need to insmod the "ipchains.o" or "ipfwadm.o" kernel module found in the latest netfilter distribution. These are mutually exclusive (you have been warned), and should not be combined with any other netfilter module.
Once one of these modules is loaded, you can use ipchains and ipfwadm as normal, with the following differences:
o Setting masquerading timeouts with ipchains -M -S, or ipfwadm -M -s, does nothing. Since the timeouts are longer with the new NAT infrastructure, this should not matter.
o The init_seq, delta and previous_delta fields in the verbose masquerade listing are always zero.
o Zeroing and listing the counters at the same time with -Z -L does not work: the counters will not be zeroed.
o The backward-compatibility code does not scale well for large numbers of connections: do not use it for your company gateway!
Hackers may also notice:
o You can now bind to ports 61000-65095, even if you are doing masquerading. The masquerading code used to steal that range of ports, so no program could use them.
o The (undocumented) "getsockname" hack, which transparent proxies could use to find out the real destination of connections, no longer works.
o The (undocumented) "bind-to-foreign-address" hack is not implemented either: this was used to complete the illusion of transparent proxying.
4.1 I just want masquerading! Help!
This is what most people want. If you have a dynamically allocated IP PPP dialup (if you do not know, you do), you simply want to tell your box that all packets coming from your internal network should be made to look like they are coming from the PPP dialup box.
# Load the NAT module (this pulls in all the others).
modprobe iptable_nat
# In the NAT table (-t nat), append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Note that you have not done any packet filtering here: see the Packet Filtering HOWTO for that.
4.2 What about ipmasqadm?
This is a much smaller user base, so I do not feel the need to do backward compatibility. You can simply use "iptables -t nat" to do port forwarding. For example, in Linux 2.2 you would have done:
# Linux 2.2
# Forward TCP packets going to port 8080 on 1.2.3.4 to 192.168.1.1 port 80
ipmasqadm portfw -a -P tcp -L 1.2.3.4 8080 -R 192.168.1.1 80
Now you do:
# Linux 2.4
# Append a rule pre-routing (-A PREROUTING) to the NAT table (-t nat) that
# TCP packets (-p tcp) going to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080)
# have their destination mapped (-j DNAT) to 192.168.1.1, port 80
# (--to 192.168.1.1:80).
iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 8080 -j DNAT --to 192.168.1.1:80
5. Controlling what to NAT
You need to create NAT rules which tell the kernel what connections to change, and how to change them. To do this, we use the versatile iptables tool, and tell it to alter the NAT table by specifying the "-t nat" option.
The table of NAT rules contains three lists called "chains": each rule is examined in order until one matches. Two of the chains are called PREROUTING (for Destination NAT, as packets first come in) and POSTROUTING (for Source NAT, as packets leave); the third, OUTPUT, can be ignored here.
The following diagram would illustrate it well if I had any artistic skill whatsoever:

           _____                                     _____
          /     \                                   /     \
        PREROUTING -->[Routing ]----------------->POSTROUTING----->
          \D-NAT/     [Decision]                    \S-NAT/
                          |                            ^
                          |                            |
                          |                            |
                          |                            |
                          |                            |
                          |                            |
                          --------> Local Process ------

At each of the points above, when a packet passes we look up what connection it is associated with. If it is a new connection, we look up the corresponding chain in the NAT table to see what to do with it. The answer it gives will then apply to all future packets on that connection.
(Translator's note: "connection" here means something like an HTTP session, not a physical line or node.)
5.1 Simple selection using iptables
iptables takes a number of standard options, listed below. All the double-dash (--) options can be abbreviated, as long as iptables can still tell them apart from the other possible options. If your kernel has iptables support as a module, you will need to load the ip_tables.o module first with the command: insmod ip_tables
The most important option here is the table selection option, "-t". For all NAT operations, you will want to use "-t nat" for the NAT table. The second most important option is "-A" to append a new rule at the end of the chain (for example "-A POSTROUTING"), or "-I" to insert one at the beginning (for example "-I PREROUTING").
You can specify the source ("-s" or "--source") and destination ("-d" or "--destination") of the packets you want to NAT. These options can be followed by a single IP address (for example 192.168.1.1), a name (for example www.gnumonks.org), or a network address (for example 192.168.1.0/24 or 192.168.1.0/255.255.255.0; translator's note: the two notations are equivalent).
You can specify the incoming or outgoing interface to match, but which one you can specify depends on the chain you are putting the rule into: in the PREROUTING chain you can only select the incoming interface ("-i"), and in POSTROUTING you can only select the outgoing interface ("-o"). If you use the wrong one, iptables returns an error.
5.2 Finer points of selecting what packets to mangle
I said above that you can specify a source and destination address. If you omit the source address option, then any source address will match. Similarly, if you omit the destination address, any destination address will match.
You can also specify a particular protocol ("-p" or "--protocol"), such as TCP or UDP; only packets of that protocol will match the rule. The main reason for specifying a protocol is that it allows extra options: the "--source-port" and "--destination-port" options (abbreviated "--sport" and "--dport").
These options allow you to match only packets with a particular source port and destination port. This is useful for redirecting web requests (TCP port 80 or 8080) while leaving other packets alone.
These options must follow the "-p" option (which has the side effect of loading the shared library extension for that protocol). You can use port numbers, or names from the /etc/services file.
All the different qualities you can select on a packet are described in agonising detail in the manual page (man iptables). (Translator's note: see also the Chinese translation of the iptables man page.)
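To make the selection options of sections 5.1 and 5.2 concrete, here is a small Python model of how a NAT chain picks the packets a rule applies to. It is an added example, not code from the HOWTO or from iptables: packets are plain dicts with constructed sample values, rule options are passed as keyword arguments named after the iptables flags (s, d, p, sport, dport, i, o), and, unlike iptables, it accepts addresses and networks only, not host names.

```python
"""Model of iptables rule selection for the NAT chains (added example,
not part of iptables or the HOWTO).  Packets are dicts such as
{"src": ..., "dst": ..., "proto": ..., "sport": ..., "dport": ..., "in_if": ..., "out_if": ...}."""
import ipaddress

# The interface option each NAT chain accepts (section 5.1).
CHAIN_IFACE_OPTION = {"PREROUTING": "-i", "POSTROUTING": "-o"}


def _net(spec):
    """A '-s'/'-d' argument: single address, a.b.c.d/N, or a.b.c.d/netmask.
    (Host names are not resolved in this model.)"""
    return ipaddress.ip_network(spec, strict=False)


class Rule:
    """One rule of a NAT chain; keyword names mirror the iptables options."""

    def __init__(self, chain, target, s=None, d=None, p=None,
                 sport=None, dport=None, i=None, o=None):
        if i is not None and CHAIN_IFACE_OPTION.get(chain) != "-i":
            raise ValueError("-i is not valid in the %s chain" % chain)
        if o is not None and CHAIN_IFACE_OPTION.get(chain) != "-o":
            raise ValueError("-o is not valid in the %s chain" % chain)
        if (sport is not None or dport is not None) and p not in ("tcp", "udp"):
            raise ValueError("--sport/--dport require -p tcp or -p udp")
        self.chain, self.target = chain, target
        self.src = _net(s) if s else None      # omitted: any source matches (5.2)
        self.dst = _net(d) if d else None      # omitted: any destination matches
        self.proto, self.sport, self.dport = p, sport, dport
        self.in_if, self.out_if = i, o

    def matches(self, pkt):
        """True if every option given on the rule agrees with the packet."""
        return all((
            self.src is None or ipaddress.ip_address(pkt["src"]) in self.src,
            self.dst is None or ipaddress.ip_address(pkt["dst"]) in self.dst,
            self.proto is None or pkt["proto"] == self.proto,
            self.sport is None or pkt.get("sport") == self.sport,
            self.dport is None or pkt.get("dport") == self.dport,
            self.in_if is None or pkt.get("in_if") == self.in_if,
            self.out_if is None or pkt.get("out_if") == self.out_if,
        ))


def first_match(chain_rules, pkt):
    """Rules are examined in order until one matches (section 5); the target
    of that rule is the answer recorded for the rest of the connection."""
    for rule in chain_rules:
        if rule.matches(pkt):
            return rule.target
    return None


def rule_error(chain, target, **options):
    """Return the validation error a rule would produce, or None if it is fine."""
    try:
        Rule(chain, target, **options)
    except ValueError as exc:
        return str(exc)
    return None
```

The constructor refuses the combinations sections 5.1 and 5.2 say iptables rejects: an outgoing interface in PREROUTING, an incoming interface in POSTROUTING, and port options without "-p tcp" or "-p udp". first_match walks a chain in order and stops at the first rule that matches, which is exactly the lookup the NAT code performs for the first packet of a new connection.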
6. Saying how to mangle the packets
Now we know how to select the packets we want to mangle. To complete our rule, we need to tell the kernel exactly what we want it to do to those packets.
6.1 Source NAT
You want to do Source NAT: change the source address of connections to something different. This is done in the POSTROUTING chain, just as the packet is about to go out. This is an important detail, since it means that anything else on the Linux box itself (routing, packet filtering) will see the packet unchanged. It also means that the "-o" (outgoing interface) option can be used.
Source NAT is specified using "-j SNAT", and the "--to-source" option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for the UDP and TCP protocols only).
# Change source addresses to 1.2.3.4.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
# Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
# Change source addresses to 1.2.3.4, ports 1-1023.
# iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023
6.1.1 Masquerading
There is a specialised case of Source NAT called masquerading: it should only be used for dynamically assigned IP addresses, such as standard dialups (for static IP addresses, use SNAT as above).
You do not need to put in the source address explicitly with masquerading: it uses the address of the interface the packet is going out on. But more importantly, if the link goes down, the connections (which are lost anyway) are forgotten, meaning there is less glitching when the link comes back up with a new IP address. (Translator's note: packets sent before the reply arrives are dropped.)
# Masquerade everything out ppp0.
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
6.2 Destination NAT
This is done in the PREROUTING chain, just as the packet comes in; this means that anything else on the Linux box itself (routing, packet filtering) will see the packet going to its "real" destination (translator's note: that is, the already modified destination address). It also means that the "-i" (incoming interface) option can be used.
Destination NAT is specified using "-j DNAT", and the "--to-destination" option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for the UDP and TCP protocols only).
# Change destination addresses to 5.6.7.8.
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8
# Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
# Change destination addresses of web traffic to 5.6.7.8, port 8080.
# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 5.6.7.8:8080
6.2.1 Redirection
There is a specialised case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface.
# Send incoming port-80 web traffic to our squid (transparent) proxy.
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
Note that squid needs to be configured to know it is a transparent proxy!
6.3 Mappings in depth
There are some subtleties of NAT which most people will never have to deal with. They are documented here for the curious.
6.3.1 Selecting multiple addresses in a range
If a range of IP addresses is given, the address to use is chosen as the one currently least used by the machine. This gives primitive load balancing.
6.3.2 Creating null NAT mappings
You can use the "-j ACCEPT" target to let a connection through without any NAT taking place.
6.3.3 Standard NAT behaviour
The default NAT behaviour is to alter the connection as little as possible, within the constraints of the rule given by the user. This means no port remapping unless it is necessary.
6.3.4 Implicit source port mapping
Even if no NAT is required for a connection, source address translation may still occur implicitly, if another connection has been mapped over the new one. Consider the case of masquerading, which is very common:
1. A web connection is established from 192.168.1.1, port 1024, to www.netscape.com port 80.
2. This is masqueraded by the masquerading box to use its own IP address (1.2.3.4) as the source.
3. The masquerading box tries to establish a web connection from 1.2.3.4 (its external interface address), port 1024, to www.netscape.com port 80.
4. The NAT code will alter the source port of the second connection to 1025, so that the two do not clash.
When this implicit source mapping occurs, ports are divided into three classes:
o Ports below 512
o Ports between 512 and 1023
o Ports 1024 and above
A port will never be implicitly mapped into a different class.
6.3.5 What happens when NAT fails
If there is no way to uniquely map a connection as the user requests, the packet will be dropped. This also applies to packets which could not be classified as part of any connection, because they are malformed, or the box is out of memory, and so on.
6.3.6 Multiple mappings, overlap and clashes
You can have NAT rules which map packets onto the same range; the NAT code is clever enough to avoid clashes. Hence, having two rules which map the source addresses 192.168.1.1 and 192.168.1.2 onto 1.2.3.4 respectively is fine.
Furthermore, you can map onto real, used IP addresses, as long as those addresses pass through the NAT box too. So if you have an assigned network (1.2.3.0/24), but one internal network uses those addresses and another uses the private addresses 192.168.1.0/24, you can simply NAT the source addresses of 192.168.1.0/24 onto the 1.2.3.0 network, without fear of clashes:
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to 1.2.3.0/24
The same logic applies to addresses used by the NAT box itself: this is how masquerading works (sharing the interface address between masqueraded packets and the "real" packets from the box itself).
Moreover, you can map the same packets onto many different targets, and they will be shared. For example, if you do not want to map anything onto 1.2.3.5, you could do:
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to 1.2.3.0-1.2.3.4 --to 1.2.3.6-1.2.3.254
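The following Python model is an added example, not code from the HOWTO or from the netfilter sources. It models, in simplified form, the mapping behaviour described in 6.3.1 through 6.3.6 (least-used address in a range, minimal change, implicit source-port remapping within a port class, dropping when no unique mapping exists, shared state so rules onto the same range cannot clash) together with the reverse mangling of reply packets from section 2.1. NatBox is a hypothetical name for one box's connection-tracking state; snat() takes the first packet of a connection plus the rule's "--to" address spec; the "least currently used address" rule is approximated by a per-address connection count, which is simpler than the real kernel's choice; and the addresses, ports and host names used in the test calls are constructed.

```python
"""Toy model of how the Linux 2.4 NAT code chooses and reverses SNAT mappings
(added example; not the kernel's algorithm, see the lead-in)."""
import ipaddress

# Port classes that implicit source-port mapping never crosses (section 6.3.4).
PORT_CLASSES = ((1, 511), (512, 1023), (1024, 65535))


def port_class(port):
    """Return the (low, high) bounds of the class a port belongs to."""
    for lo, hi in PORT_CLASSES:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError("port out of range: %r" % (port,))


def expand_range(spec):
    """Expand a '--to a.b.c.d' or '--to a.b.c.d-w.x.y.z' address spec into a list."""
    first, _, last = spec.partition("-")
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last or first))
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]


class NatBox:
    """Connection-tracking state of one NAT box (hypothetical model)."""

    def __init__(self):
        self.usage = {}       # public address -> number of connections mapped onto it
        self.by_orig = {}     # original (proto, src, sport, dst, dport) -> mapped tuple
        self.by_mapped = {}   # mapped tuple -> original tuple (for reply translation)

    def snat(self, proto, src, sport, dst, dport, to_spec):
        """Apply '-j SNAT --to <to_spec>' to a packet.  Returns the mapped
        (proto, src, sport, dst, dport), or None when the packet must be dropped.
        The box's own traffic, or a null mapping (6.3.2), is modelled by passing
        the packet's current source address as to_spec."""
        orig = (proto, src, sport, dst, dport)
        if orig in self.by_orig:          # not the first packet: reuse the mapping
            return self.by_orig[orig]
        addrs = expand_range(to_spec)
        # 6.3.1: least currently used address of the range (ties: first in range).
        addr = min(addrs, key=lambda a: (self.usage.get(a, 0), addrs.index(a)))
        # 6.3.3: keep the original port if that leaves the reply tuple unique;
        # 6.3.4: otherwise take a free port from the same class.  All rules share
        # by_mapped, so rules mapping onto the same addresses cannot clash (6.3.6).
        lo, hi = port_class(sport)
        for port in [sport] + [p for p in range(lo, hi + 1) if p != sport]:
            mapped = (proto, addr, port, dst, dport)
            if mapped not in self.by_mapped:
                self.by_orig[orig] = mapped
                self.by_mapped[mapped] = orig
                self.usage[addr] = self.usage.get(addr, 0) + 1
                return mapped
        return None   # 6.3.5: no unique mapping exists, so the packet is dropped

    def translate_reply(self, proto, src, sport, dst, dport):
        """Reverse the mapping on a packet coming back (dst/dport hold the mapped
        values).  Returns the rewritten tuple, or None if no connection is known."""
        orig = self.by_mapped.get((proto, dst, dport, src, sport))
        if orig is None:
            return None
        _, orig_src, orig_sport, _, _ = orig
        return (proto, src, sport, orig_src, orig_sport)
```

Walking the masquerading scenario of 6.3.4 through this model: the internal host's connection from 192.168.1.1:1024 keeps port 1024 on 1.2.3.4, the box's own connection from 1.2.3.4:1024 to the same server is pushed to 1025 because the reply tuple would otherwise be identical, and translate_reply() uses by_mapped to hand each reply back to the right original source. Filling every port of the 1-511 class from distinct hosts shows the 6.3.5 case: the next connection gets None rather than a port from another class.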
6.3.7 Altering the destination of locally generated connections
The NAT code allows you to insert DNAT rules in the OUTPUT chain, but this is not fully supported in 2.4 (it can be, but it requires a new configuration option, some testing, and a bit of coding, so unless someone contracts me to write it, I do not expect it to happen soon).
The current limitation is that you can only change the destination to the local machine (for example "-j DNAT --to 127.0.0.1"), not to any other machine, otherwise the replies will not be translated correctly.
7. Special protocols
Some protocols do not like being NATed. For each of these protocols, two extensions must be written: one for the connection tracking of the protocol, and one for the actual NAT.
Inside the netfilter distribution, there are currently modules for FTP: ip_conntrack_ftp.o and ip_nat_ftp.o. If you insmod these into your kernel (or compile them in permanently), then doing any kind of NAT on FTP connections should be possible. If you do not, you can only use passive FTP, and even that may not work reliably if you are doing Source NAT.
8. Caveats on NAT
If you are doing NAT on a connection, all packets going both ways (in and out of the network) must pass through the NAT box, or it will not work reliably. In particular, the connection tracking code reassembles fragments, which means that not only will connection tracking be unreliable, but your packets may not even get through at all, since the fragments are held.
9. Source NAT and routing
If you are doing SNAT, you will want to make sure that every machine the SNATed packets go to sends its replies back to the NAT box. For example, if you are mapping some outgoing packets onto the source address 1.2.3.4, then the external router must know to send the reply packets (which will have destination 1.2.3.4) back to the box. This can be done in the following ways:
1. If you are doing SNAT onto the box's own address (for which routing and everything else already works), you do not need to do anything.
2. If you are doing SNAT onto an unused address on the local LAN (for example, you are mapping onto 1.2.3.99, a free IP address in your 1.2.3.0/24 network), your NAT box will need to reply to ARP requests for that address as well as its own; the easiest way to do this is to create an IP alias, for example:
# ip address add 1.2.3.99 dev eth0
3. If you are doing SNAT onto a completely different address, you will have to make sure that the machines the SNATed packets reach route that address back to the NAT box. If the NAT box is their default gateway, this is already done. Otherwise, you will need to advertise a route (if you are running a routing protocol) or add a route manually to each machine involved.
10. Destination NAT onto the same network
If you are doing port forwarding back to the same network, you need to make sure that both future packets and reply packets pass through the NAT box (so they can be altered). The NAT code (as of 2.4.0-test6) will now block the outgoing ICMP redirect that is generated when the NATed packet goes back out onto the same network it came from, but the receiving server will still try to reply directly to the client. (Translator's note: I do not understand this reply behaviour.)
The classic case is that internal staff try to access your "public" web server, which is actually DNATed from the public address (1.2.3.4) to an internal machine (192.168.1.1), like so:
# iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to 192.168.1.1
One way is to run an internal DNS server which knows the real (internal) IP address of your public web server, and forwards all other requests to an external DNS server. This also means that the logs of your web server will show the real internal IP addresses.
The other way is to have the NAT box also map the source address of these connections onto itself, so that the server sends its replies back through it. In this example we would do the following (assuming the internal IP address of the NAT box is 192.168.1.250):
# iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 -p tcp --dport 80 -j SNAT --to 192.168.1.250
Because the PREROUTING rule runs first, the packets are already destined for the internal web server by the time this rule is checked; we can tell the internally sourced ones apart by their source IP addresses.
11. Thanks
Thanks first to WatchGuard, and David Bonn, who believed in the netfilter idea enough to support me while I worked on it. And to everyone else who put up with my ranting as I learned about the ugliness of NAT, especially those who read my diary.
Rusty.