Network Address Translation (NAT)

We’ve already looked at one form of NAT, IP Masquerading. That’s the simplest form of NAT and will take care of a lot of situations where you’re just trying to use one connection for a number of computers.

Now we’ll take a quick look at doing full-blown NAT, in case you’ve got a more complicated setup that calls for it.

What’s the Difference Between NAT and IP Masquerading?

To the casual observer, there might be some confusion between NAT and IP Masquerading. However, there are some distinctive differences that will help you to know which one you’ll want to use.

Actually, IP Masquerading is a form of NAT. In some instances you have a group of computers that you want to share one public IP address. In this case, you’ll want to use IP Masquerading to make those computers share that precious IP address. This is basically a stripped-down version of NAT.

On the other hand, let’s say you have several valid IPs, but they’re dynamic IP addresses. In this case, you’d use NAT on your router to allow each computer to use one of the public IP addresses, without actually being directly connected to the Internet and without having to configure dynamic IPs at the host level. Each machine could have its own internal network static IP while using NAT to have a public IP address of its own.

In most scenarios, you’ll be able to stick with IP Masquerading. However, if you need the full functionality of NAT, you’ve got it at your fingertips.

Setting up NAT with iptables

As mentioned earlier in the section on IP Masquerading, you’ll need to load the iptable_nat module.

A Quick Note on Module Names

If you’ve ever gone poking through the directories where your modules are stored or watched your computer as it boots, you’ve probably noticed that all modules end with a *.o extension. For instance, the iptable_nat module filename is actually iptable_nat.o. However, you only need to tell modprobe or insmod to load iptable_nat. We only bring this up because, occasionally, folks get confused and try to load iptable_nat.o and get frustrated when the program says “Can’t locate module iptable_nat.o” when they know that they’ve got that module. It’s an easy mistake to make, and we see it on the newsgroups occasionally, so we thought we’d mention it.


Source NAT

The first type of NAT we’ll look at is Source NAT, or changing the source address of a packet before it heads out into the world. If you’ve already gone through the section on IP Masquerading earlier in this chapter, then you’ve gotten a taste of Source NAT.

IP Masquerading is a limited type of Source NAT that maps multiple addresses to one address. It’s also possible to map source addresses to public addresses on a one-to-one basis or to map to one of several source addresses.

Let’s say you have a range of public IP addresses from 1.2.3.4 to 1.2.3.10 (yes, we know those aren’t legal) and you want to enable the router to change the source addresses to one of those addresses. Note that this will happen after any other packet mangling so that the last step in the packet’s traversal of the kernel is having the source address changed.

To achieve Source NAT, you will specify a packet and then jump to the target of the rule—in this case Source NAT (-j SNAT). Here’s what the command would look like:

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 1.2.3.4-1.2.3.10

When specifying the range of addresses you want to use, simply indicate a range using a dash, like this: --to-source 1.2.3.4-1.2.3.10. Wasn’t that easy?

Destination NAT

The flip side of all this is Destination NAT, or rewriting the destination of incoming packets. This is done before any other packet mangling, so that you can set rules based on internal hosts, and incoming packets that have been DNAT’ed will match the right rules.

To perform Destination NAT, you set up rules that will match incoming packets and rewrite them so they’ll travel wherever you’d like to send them. Here’s a simple example:

iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 10.0.0.4-10.0.0.14

This will rewrite packets coming in through the first Ethernet interface to one of the internal machines with an IP address of 10.0.0.4 to 10.0.0.14.

You also can set the rule to match incoming ports, so if you only wanted to perform DNAT on incoming HTTP requests, for instance, you could set a rule that matches incoming packets headed for port 80.

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 80 -j DNAT --to-destination 10.0.0.13

Assuming that 10.0.0.13 is your web server behind the router/firewall, all HTTP requests would be sent to it. This also can be useful to direct HTTP requests to one machine, HTTPS to another, and so forth. This allows you to spread services across a number of machines while the outside world interacts with them seamlessly.
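To make the difference between the two hooks concrete, here is an added example (not from the book) that models what the nat table and connection tracking do with the SNAT range and the port-80 DNAT rule above: SNAT runs in POSTROUTING and hands out an address from 1.2.3.4-1.2.3.10, DNAT runs in PREROUTING and steers port 80 to 10.0.0.13, and the tracked mapping is reversed for reply packets. It assumes eth0 is the Internet-facing interface for both rules, and every packet is constructed.

```python
import ipaddress
from collections import namedtuple

WAN = "eth0"   # assumption: the Internet-facing interface named by -i / -o in the rules
Packet = namedtuple("Packet", "src sport dst dport")

def address_range(first, last):
    """Expand a --to-source style range such as 1.2.3.4-1.2.3.10 into a pool."""
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in (first, last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

class NatRouter:
    def __init__(self, snat_pool, dnat_rules):
        self.pool = snat_pool          # -j SNAT --to-source first-last
        self.dnat_rules = dnat_rules   # [(dport or None, internal host)] for -j DNAT
        self.sticky = {}               # internal host -> pool address it was given
        self.table = {}                # conntrack: (addr, port) <-> (addr, port)

    def _bind(self, inside, outside):
        self.table[inside], self.table[outside] = outside, inside

    def prerouting(self, pkt, in_if):
        """PREROUTING (before filtering): DNAT new inbound flows, undo SNAT on replies."""
        if (pkt.dst, pkt.dport) in self.table:          # reply to a tracked flow
            addr, port = self.table[(pkt.dst, pkt.dport)]
            return pkt._replace(dst=addr, dport=port)
        if in_if == WAN:                                 # -i eth0 ... --destination-port N
            for dport, host in self.dnat_rules:
                if dport is None or dport == pkt.dport:
                    self._bind((host, pkt.dport), (pkt.dst, pkt.dport))
                    return pkt._replace(dst=host)
        return pkt

    def postrouting(self, pkt, out_if):
        """POSTROUTING (last step): SNAT new outbound flows, re-apply it to replies."""
        if (pkt.src, pkt.sport) in self.table:          # tracked flow: reuse the mapping
            addr, port = self.table[(pkt.src, pkt.sport)]
            return pkt._replace(src=addr, sport=port)
        if out_if == WAN:                                # -o eth0 -j SNAT
            pub = self.sticky.setdefault(pkt.src, self.pool[len(self.sticky) % len(self.pool)])
            # the real kernel also picks a new source port if (pub, sport) is already taken
            self._bind((pkt.src, pkt.sport), (pub, pkt.sport))
            return pkt._replace(src=pub)
        return pkt

def demo():
    router = NatRouter(address_range("1.2.3.4", "1.2.3.10"), [(80, "10.0.0.13")])
    out = router.postrouting(Packet("10.0.0.5", 40000, "203.0.113.9", 443), WAN)   # SNAT
    back = router.prerouting(Packet("203.0.113.9", 443, out.src, 40000), WAN)       # reply un-SNATed
    web = router.prerouting(Packet("198.51.100.7", 5555, "1.2.3.4", 80), WAN)       # DNAT to web server
    reply = router.postrouting(Packet("10.0.0.13", 80, "198.51.100.7", 5555), WAN)  # reply re-sourced
    return out, back, web, reply
```

Running demo() shows the LAN host leaving as 1.2.3.4, its reply landing back on 10.0.0.5, the outside client's port-80 request arriving at 10.0.0.13, and the web server's answer going out with 1.2.3.4 as its source.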
