NAT is generally divided into SNAT, DNAT, and PNAT.
This article mainly describes how to configure NAT with iptables, so the differences between the three NAT methods and their application scenarios are only described briefly.
SNAT: source address translation
The destination address remains unchanged; the source address is rewritten and a NAT table entry is created on the local machine. When the reply comes back, the NAT table is consulted and the destination address of the reply is rewritten back to the original source address before it is sent on to the internal host.
At present this is mostly used to let intranet users share one public address to access the Internet.
DNAT: destination address translation
The opposite of SNAT: the source address remains unchanged and the destination address is rewritten; again a NAT table entry is created on the local machine. When the reply comes back, the NAT table is consulted and the source address of the reply is changed back to the original destination address before it is sent to the remote host.
On top of DNAT you can do PNAT (port translation, also called port mapping) based on the destination port of the request packet: different ports of the same requested address can be rewritten to different destination addresses, so that the requests are sent to different hosts.
This is typically used when one public IP address has to serve several different services. NAT can also hide the real IP addresses of the backend servers, which improves security.
Before using iptables for NAT, let's talk about the basic principle of iptables.
In this model NAT is implemented on the three hooks that the data passes through: PREROUTING -> FORWARD -> POSTROUTING.
Analysis of the SNAT data flow
First the packet enters PREROUTING; the host finds that the destination is not one of its own addresses and looks up the routing table (the routing lookup happens between PREROUTING and FORWARD). The packet is then forwarded through the FORWARD chain, and the NAT translation is performed when it reaches POSTROUTING.
In this process the NAT translation step is done on the POSTROUTING chain. The reason SNAT is not done on PREROUTING is that when the packet first comes in, the host does not yet know whether it is headed for the local network segment or for the Internet, so the address to rewrite to is not known yet.
Analysis of the DNAT data flow
In DNAT, the translation is performed on the PREROUTING chain. As mentioned above, the routing decision takes place between PREROUTING and FORWARD after the data enters the host, so the destination address must be translated before routing; the packet then passes FORWARD and finally leaves through POSTROUTING.
So much for theory; next I will verify it in a lab environment (the topology diagram was drawn with dia under Ubuntu).
PC1 is my local machine, running Ubuntu 12.04; NAT and PC2 are VMware virtual machines.
Nat host network configuration
SNAT
Before doing NAT you must enable IP forwarding; otherwise packets never reach the FORWARD chain.
[root@localhost ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
Add a NAT rule
[root@localhost ~]# iptables -t nat -A POSTROUTING -s 172.16.93.0/24 -j SNAT --to-source 10.0.0.1
This means: on the POSTROUTING chain, rewrite the source address of packets whose source address is in 172.16.93.0/24 to 10.0.0.1.
View the resulting table entries:
Verification:
First check the host's local network configuration.
Add a static route for the 10.0.0.0/24 network via the NAT host:
lust@host:~$ sudo route add -net 10.0.0.0/24 gw 172.16.93.129
Then capture traffic on the vmnet1 interface of the host:
lust@host:~$ sudo tcpdump -i vmnet1 -v
Ping 10.0.0.2 from the host and observe the captured packets.
The capture shows that the packets going to 10.0.0.2 carry the source address 10.0.0.1, which shows that the source address was successfully rewritten by NAT.
The above is the lab verification section.
Here we introduce a common SNAT target: MASQUERADE.
This target is meant for hosts that obtain their IP address dynamically; it is often used for ADSL dial-up in China.
iptables -t nat -A POSTROUTING -s 172.16.93.0/24 -o eth1 -j MASQUERADE
It is best to use -o to specify the outgoing interface; MASQUERADE uses the address of that interface as the new source address (you can also leave the interface out, but it is best to specify it when the host has several IP addresses configured).
DNAT
DNAT is not tested here; it works like SNAT. Below are several common usages.
For DNAT, the rules must be defined in the PREROUTING chain.
iptables -t nat -A PREROUTING -d 10.0.0.1 -j DNAT --to-destination 172.16.93.1
This rule forwards packets whose requested IP address is 10.0.0.1 to the backend server 172.16.93.1.
iptables -t nat -A PREROUTING -d 10.0.0.1 -p tcp --dport 80 -j DNAT --to-destination 172.16.93.1
This rule forwards packets whose requested IP address is 10.0.0.1 and whose destination port is 80 to the backend server 172.16.93.1. By defining rules for different ports you implement PNAT: requests to different ports of the same IP address are forwarded to different backend hosts.
iptables -t nat -A PREROUTING -d 10.0.0.1 -p tcp --dport 80 -j DNAT --to-destination 172.16.93.1:8080
Compared with the previous rule, this one also changes the destination port of the packet sent to the backend to 8080, so the web server on the backend host listens on port 8080 for this traffic, which gives the backend host some extra protection.
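To make the data flow from the analysis above concrete (DNAT/PNAT on PREROUTING before the routing decision, SNAT/MASQUERADE on POSTROUTING after it, and the NAT table that maps replies back), here is a small added model in Python. It is not part of the original article and not iptables code; it reproduces the SNAT rule from the lab and the PNAT rule just shown. The addresses 172.16.93.1, 172.16.93.129, 10.0.0.1 and 10.0.0.2 come from the lab; the interface names eth0/eth1, the client port 40000 and the use of 10.0.0.2 as the PC2 address are assumptions.

```python
# Added example (not from the original article): a toy model of the iptables NAT
# data flow: PREROUTING (DNAT/PNAT) -> routing decision -> POSTROUTING
# (SNAT/MASQUERADE), plus a NAT table that maps reply packets back.
# Interface names, client ports and the PC2 address are constructed.
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Packet":
        """The 5-tuple a reply to this packet carries."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    chain: str                     # PREROUTING (DNAT) or POSTROUTING (SNAT/MASQUERADE)
    target: str                    # SNAT, DNAT or MASQUERADE
    src_net: Optional[str] = None  # -s
    dst: Optional[str] = None      # -d
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport
    out_if: Optional[str] = None   # -o (only known in POSTROUTING, after routing)
    to_addr: Optional[str] = None  # --to-source / --to-destination address
    to_port: Optional[int] = None  # --to-destination port (PNAT)

    def matches(self, p: Packet, out_if: Optional[str]) -> bool:
        return all([
            self.src_net is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net),
            self.dst is None or p.dst == self.dst,
            self.proto is None or p.proto == self.proto,
            self.dport is None or p.dport == self.dport,
            self.out_if is None or out_if == self.out_if,
        ])


class NatBox:
    def __init__(self, rules, routes, iface_addrs, ip_forward=True):
        self.rules = rules
        self.routes = {ipaddress.ip_network(n): i for n, i in routes.items()}  # network -> interface
        self.iface_addrs = iface_addrs  # interface -> own address (what MASQUERADE picks)
        self.ip_forward = ip_forward    # models /proc/sys/net/ipv4/ip_forward
        self.table = []                 # NAT table: (original packet, translated packet)

    def route(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        best = max((n for n in self.routes if addr in n), key=lambda n: n.prefixlen, default=None)
        return self.routes.get(best)

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """A packet entering the NAT host; returns it as it leaves, or None if not forwarded."""
        # Reply to a translated flow: undo the translation from the table, no rules consulted.
        for orig, xlat in self.table:
            if pkt == xlat.reverse():
                return orig.reverse()
        # PREROUTING: DNAT/PNAT is applied before the routing decision.
        cur = pkt
        for r in self.rules:
            if r.chain == "PREROUTING" and r.target == "DNAT" and r.matches(cur, None):
                cur = replace(cur, dst=r.to_addr, dport=r.to_port or cur.dport)
                break
        # Routing decision on the (possibly rewritten) destination; local delivery is not forwarding.
        if cur.dst in self.iface_addrs.values() or not self.ip_forward:
            return None
        out_if = self.route(cur.dst)
        if out_if is None:
            return None
        # POSTROUTING: SNAT/MASQUERADE runs after routing, so the outgoing interface is known.
        for r in self.rules:
            if r.chain == "POSTROUTING" and r.target in ("SNAT", "MASQUERADE") and r.matches(cur, out_if):
                new_src = r.to_addr if r.target == "SNAT" else self.iface_addrs[out_if]
                cur = replace(cur, src=new_src)
                break
        if cur != pkt:
            self.table.append((pkt, cur))  # remember the mapping so the reply can be reversed
        return cur


def build_lab_box(ip_forward=True, masquerade=False) -> NatBox:
    """The NAT host from the lab: 172.16.93.129 on eth0, 10.0.0.1 on eth1 (interface names constructed)."""
    # iptables -t nat -A POSTROUTING -s 172.16.93.0/24 -j SNAT --to-source 10.0.0.1  (or the MASQUERADE form)
    snat = (Rule("POSTROUTING", "MASQUERADE", src_net="172.16.93.0/24", out_if="eth1") if masquerade
            else Rule("POSTROUTING", "SNAT", src_net="172.16.93.0/24", to_addr="10.0.0.1"))
    # iptables -t nat -A PREROUTING -d 10.0.0.1 -p tcp --dport 80 -j DNAT --to-destination 172.16.93.1:8080
    pnat = Rule("PREROUTING", "DNAT", dst="10.0.0.1", proto="tcp", dport=80, to_addr="172.16.93.1", to_port=8080)
    return NatBox([snat, pnat], routes={"172.16.93.0/24": "eth0", "10.0.0.0/24": "eth1"},
                  iface_addrs={"eth0": "172.16.93.129", "eth1": "10.0.0.1"}, ip_forward=ip_forward)


def snat_roundtrip(box: NatBox):
    """Host 172.16.93.1 pings PC2 at 10.0.0.2 (constructed) through the NAT host, and PC2 replies."""
    out = box.forward(Packet("172.16.93.1", 0, "10.0.0.2", 0, "icmp"))
    back = box.forward(Packet("10.0.0.2", 0, "10.0.0.1", 0, "icmp"))
    return out, back


def pnat_roundtrip(box: NatBox):
    """A client at 10.0.0.2 opens 10.0.0.1:80; the NAT host hands it to 172.16.93.1:8080 and maps the reply back."""
    out = box.forward(Packet("10.0.0.2", 40000, "10.0.0.1", 80))
    back = box.forward(Packet("172.16.93.1", 8080, "10.0.0.2", 40000))
    return out, back
```

Calling snat_roundtrip(build_lab_box()) gives the outgoing ping with source 10.0.0.1 and the reply rewritten back to 172.16.93.1, which is what the tcpdump check in the lab looks for; pnat_roundtrip shows the request leaving for 172.16.93.1:8080 and the reply leaving the NAT host as if it came from 10.0.0.1:80. With ip_forward=False both directions return None, which is the failure mode of forgetting the echo 1 > /proc/sys/net/ipv4/ip_forward step; with masquerade=True the source becomes the eth1 address instead of the fixed --to-source value.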
The NAT part of the iptables series ends here; if you have any questions, leave a message. The next article will show how to use the layer7 match of iptables to implement layer-7 access control, that is, the application-layer proxy firewall mentioned in the first article, which can control the network access of applications such as QQ and BitTorrent.