Ubuntu-based gateway Configuration (1)-NAT

NAT, called network address translation, means that the NAT function can be used if you want all people to be able to surf the Internet in the event of a common IP shortage.

A NAT host must have two IPs: one is a shared IP with the Internet communication, and the other is a private IP that communicates with the internal LAN. We know that all the information on the network packet header section contains the source IP address and destination IP address, through the NAT host, you can send the packet from the internal LAN to the Internet from the source IP to make changes to the NAT host's common IP, and then the NAT host record the corresponding relationship of this change, In this way, the internal host can use a common IP network, in turn, the same, from the outside of the packet through the NAT host, the NAT host will packet the purpose of the IP changes, so that the external network host can access the Intranet machine. Through the use of NAT, not only saves the common IP, but also can effectively solve the problem of enterprise common IP insufficiency.

To implement the NAT host feature, you need a kernel that contains the NetFilter architecture. NetFilter is a filtering mechanism of Linux system, the implementation of the function room iptables software to achieve.

Iptalbes is a tool for building firewalls in Linux, and the biggest feature of firewalls is the ability to restrict certain access to the host. For Linux system, firewall mainly has packet filter type and proxy server, this paper mainly packet filter firewall. The packet filter wall is mainly capable of analyzing the network information packet in and out of the machine, if it is met with a certain condition let it pass, the packet is discarded if it does not meet the condition, which can effectively protect the security of the host. But packet-filtered firewalls are only used to match conditions, which may block some of the useful information.

Iptables can be used to limit the packets passed or entered in the following ways:

1) Limited by the Protocol of the packet, there are mainly Tcp,ip and ICMP protocols.

2) qualify according to the source port or destination port of the packet.

3) is qualified according to the source IP of the packet or the destination IP.

4) qualify according to the MAC address of the packet.

Iptables mainly consists of a few tables commonly used with the filter table and NAT table, the filter table is mainly used for packet filtering, and the NAT table is mainly used to build a NAT host. Each table is made up of several chains, each of which is the rule that the packet is judged. The filter table is made up of three chains: the input chain, the ouput chain, the forward chain, and each chain has a specific function. The input chain is the chain that controls all the packets that enter the machine, and the ouput chain is the chain that controls all the packets that go out of the machine, and the Froward chain is the forwarding packet control chain. Each chain is made up of a number of rules, which are the conditions under which the packet is judged, and each rule sets the behavior that matches the condition, either accepts it or discards it, or conforms to the conditions specified by the rule. The NAT table contains three chains: The Preposting chain, the postrouting chain, and the output chain, where the preposting chain is primarily used to modify the destination IP address, which is used to configure Dnat, and the postrouting chain can be used primarily to modify the source IP address. Used to configure Snat.

Let's look at how the Nat gateway is configured :

In the initial state, we use the wireless network card on the NAT host (laptop) as the extranet exit, the initial IP is obtained by DHCP, is 192.168.1.108.

We set the network address of the intranet to 192.168.2.0, the wired network card on our NAT host as the gateway to the intranet, we set its IP address to 192.168 by 1 instructions. 2.1:

Figure 1

After setting we can see the internal and external network network card situation such as 2:

Figure 2

Then we use the iptables instruction for NAT network configuration, first clear the set of iptables command, specific instructions such as 3:

Figure 3

Then open the NAT gateway to allow the data packet to enter, instructions such as 4 (the rule is added directly to the last of the input chain):

Figure 4

Then set the forwarding enable of the iptables, instructions such as 5:

Figure 5

Then we set up the intranet communication through Iptables, so that when the intranet data is sent outward, the source address of the packet is changed to the IP address of the external network card, the specific instructions such as 6:

Figure 6

Then, look at the settings of the iptables, instructions and display conditions such as 7:

Figure 7

When you see the display of the last line as above indicates that the configuration was successful. Finally, we turn on the IP forwarding function of the Ubuntu system, specific instructions such as 8.1:

Figure 8 . 1

Next, we set the extranet to a specific host on the intranet ( 192.168.2.99 ), in the experiment we placed a webpage on the 192.168.2.99 intranet host, and then accessed the page through the extranet successfully. We need to set the following iptables directive:

Figure 8.2

The configuration of this NAT gateway is complete.

Next, we use a WINDOWS7 host to our intranet network card (wired network card), and its IP address is set to 192.168.2.100 such as 9:

Figure 9

then we in the intranet host on each ping intranet gateway, ping outside the network (192.168.1.0 network segment) a host, as well as Baidu homepage can be successful. The specific situation is as follows:

Figure 10

Ubuntu-based gateway Configuration (1)-NAT