Linux 2.4 NAT HOWTO
Author: Rusty Russell, mailing list netfilter@lists.samba.org
Translation: netmanforever@yahoo.com
v1.0.1 Mon May 1 18:38:22 CST 2000
This document describes how to do masquerading, transparent proxying, port forwarding, and other forms of Network Address Translation with the 2.4 Linux kernel.
______________________________________________________________________
Table of Contents
1. Introduction
2. Where is the official Web Site and List?
2.1 What is Network Address Translation?
2.2 Why Would I Want To Do NAT?
3. The Two Types of NAT
4. Quick Translation From 2.0 and 2.2 Kernels
4.1 I Just Want Masquerading! Help!
4.2 What happened to ipmasqadm?
5. Controlling What To NAT
5.1 Simple Selection using iptables
5.2 Finer Points of Selecting What Packets to Mangle
6. Saying How To Mangle The Packets
6.1 Source NAT
6.1.1 Masquerading
6.2 Destination NAT
6.2.1 Redirection
6.3 Mappings In Detail
6.3.1 Selecting Multiple Addresses in a Range
6.3.2 Creating Null NAT Mappings
6.3.3 Standard NAT Behaviour
6.3.4 Implicit Source Port Mapping
6.3.5 What Happens When NAT Fails
6.3.6 Multiple Mappings, Overlap and Clashes
6.3.7 Changing the Destination of Locally Generated Connections
7. Special Protocols
8. Caveats on NAT
9. Source NAT and Routing
10. Destination NAT Onto the Same Network
11. Thanks
______________________________________________________________________
1. Introduction
Welcome, gentle reader.
You are about to delve into the fascinating (and sometimes horrid) world of NAT, Network Address Translation, and this HOWTO is going to be your accurate (if not always precise) guide to the Linux 2.4 kernel.
In Linux 2.4, a new framework for packet mangling was introduced, called `netfilter'. A layer on top of it provides NAT, completely rewritten from previous kernels.
(Translator's note: the term `mangle' is left untranslated throughout.)
2. Where is the official Web Site and List?
There are three official sites:
o Thanks to Filewatcher (http://netfilter.filewatcher.org).
o Thanks to The Samba Team and SGI (http://www.samba.org/netfilter).
o Thanks to Harald Welte (http://netfilter.gnumonks.org).
For the official netfilter mailing list, see the Netfilter List.
2.1. What is Network Address Translation?
Normally, packets on a network travel from their source (such as your home computer) to their destination (such as www.gnumonks.org) through many different links: about 19 from where I am in Australia. None of these links really alters your packet: each just sends it onward.
If one of these links were to do NAT, it would alter the source or destination of the packet as it passes through. As you can imagine, this is not how the system was designed to work, and so NAT is always something of a kludge. Usually the link doing NAT remembers how it mangled a packet, and when a reply packet passes through the other way it does the reverse mangling on that reply, so everything works.
2.2. Why Would I Want To Do NAT?
In a perfect world, you wouldn't. Meanwhile, the main reasons are:
Modem connections to the Internet
Most ISPs give you a single IP address when you dial up. You can send out packets with any source address you want, but only replies to packets with this source address will come back to you. If you want several machines (such as a home network) to reach the Internet through this one link, you need NAT.
This is by far the most common use of NAT today, known in the Linux world as `masquerading'. I call it SNAT, because you change the source address of the first packet.
Multiple servers
Sometimes you want to change where packets heading into your network will go. Frequently this is because (as above) you have only one IP address, but you want people to be able to reach the machines behind the one with the `real' IP address. If you rewrite the destination of incoming packets, you can manage this.
A common variation of this is load-sharing, where the mapping ranges over a set of machines, fanning packets out among them. This type of NAT was called port-forwarding in previous versions of Linux.
Transparent proxying
Sometimes you want to pretend that each packet passing through your Linux box is destined for a program on the Linux box itself. This is used to make transparent proxies: a proxy is a program that stands between your network and the outside world, shuffling communication between the two. The transparent part is that your network does not even know it is talking to a proxy, unless of course the proxy doesn't work.
Squid can be configured to work this way; in previous Linux versions this was called redirection or transparent proxying.
3. The Two Types of NAT
I divide NAT into two different types: Source NAT (SNAT) and Destination NAT (DNAT).
Source NAT is when you alter the source address of the first packet, i.e. you change where the connection is coming from. Source NAT is always done post-routing, just before the packet goes out onto the wire. Masquerading is a specialised form of SNAT.
Destination NAT is when you alter the destination address of the first packet, i.e. you change where the connection is going to. Destination NAT is always done pre-routing, when the packet first comes off the wire. Port forwarding, load sharing and transparent proxying are all forms of DNAT.
4. Quick Translation From 2.0 and 2.2 Kernels
Sorry to those of you still reeling from the 2.0 (ipfwadm) to 2.2 (ipchains) transition. There is good news and bad news.
Firstly, you can simply use ipchains or ipfwadm as before. To do this, you need to insmod the `ipchains.o' or `ipfwadm.o' kernel module found in the latest netfilter distribution. These are mutually exclusive (you have been warned), and must not be combined with any other netfilter module.
Once one of these modules is installed, you can use ipchains and ipfwadm as normal, with the following differences:
o Setting masquerading timeouts with ipchains -M -S or ipfwadm -M -s does nothing. Since the timeouts are longer in the new NAT infrastructure, this should not matter.
o The fields init_seq, delta and previous_delta in the verbose masquerade listing are always zero.
o Zeroing and listing the counters at the same time (`-Z -L') no longer works: the counters will not be zeroed.
Hackers need to know:
o You can now bind to ports 61000-65095 even when masquerading. The old masquerading code assumed that anything in that range was a masqueraded packet, so no other program could use those ports.
o The (undocumented) getsockname hack, which transparent proxy programs used to find out the real destination of a connection, no longer works.
o The (undocumented) bind-to-foreign-address hack is also not implemented at this time, so the illusion of transparent proxying is not complete.
4.1. I Just Want Masquerading! Help!
This is what most people want. If you have a dynamically allocated IP PPP dialup (if you don't know, you do), you simply want to tell your box that all packets coming from your internal network should be made to look like they are coming from the PPP dialup box.
# Load the NAT module (this pulls in all the others).
modprobe iptable_nat
# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Note that you are not doing any packet filtering here: for that, see the Packet Filtering HOWTO, section `Mixing NAT and Packet Filtering'.
4.2. What happened to ipmasqadm?
There was a smaller user base for this, so I don't think it is worth going into detail. Put simply, you use iptables -t nat to do port forwarding. For example, in Linux 2.2 you would have done:
# Linux 2.2
# Forward TCP packets going to port 8080 on 1.2.3.4 to 192.168.1.1's port 80
ipmasqadm portfw -a -P tcp -L 1.2.3.4 8080 -R 192.168.1.1 80
Now you would do:
# Linux 2.4
# Append a rule pre-routing (-A PREROUTING) to the NAT table (-t nat) that
# TCP packets (-p tcp) going to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080)
# have their destination mapped (-j DNAT) to 192.168.1.1, port 80
# (--to 192.168.1.1:80).
iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 8080 \
-j DNAT --to 192.168.1.1:80
If you want this rule to also apply to locally generated connections (i.e. a telnet on the NAT box itself to 1.2.3.4 port 8080 goes to 192.168.1.1 port 80), you can insert the same rule into the OUTPUT chain (which is for locally generated outgoing packets):
# Linux 2.4
iptables -A OUTPUT -t nat -p tcp -d 1.2.3.4 --dport 8080 \
-j DNAT --to 192.168.1.1:80
5. Controlling What To NAT
You need to create NAT rules that tell the kernel which connections to change and how to change them. To do this, we use the very versatile iptables tool, and tell it to alter the NAT table by giving the `-t nat' option.
The table of NAT rules contains three lists called `chains': each rule is examined in order until one matches. The three chains are called PREROUTING (for Destination NAT, as packets first come in), POSTROUTING (for Source NAT, as packets leave), and OUTPUT (for Destination NAT of locally generated packets).
The diagram below illustrates this:
 _____                                   _____
/     \                                 /     \
PREROUTING -->[Routing ]--------------->POSTROUTING----->
\D-NAT/       [Decision]                \S-NAT/
                  |                        ^
                  |                      __|__
                  |                     /     \
                  |                    |OUTPUT|
                  |                     \D-NAT/
                  |                        ^
                  |                        |
                   --------> Local Process ---
At each of the points above, when a packet passes we look up which connection it belongs to. If it is a new connection, we look up the corresponding chain in the NAT table to see what to do with it. The answer applies to all future packets on that connection.
5.1. Simple Selection using iptables
iptables takes a number of standard options, listed below. All the double-dash options can be abbreviated, as long as iptables can still tell them apart from the other possible options. If your kernel has iptables support as a module, you need to load the ip_tables.o module first: `insmod ip_tables'.
The most important option here is the table selection option, `-t'. For all NAT operations you want `-t nat', the NAT table. The second most important is `-A', to append a new rule at the end of a chain (e.g. `-A POSTROUTING'), or `-I', to insert one at the beginning (e.g. `-I PREROUTING').
You can specify the source (`-s' or `--source') and destination (`-d' or `--destination') of the packets you want to NAT. These options can be followed by a single IP address (e.g. 192.168.1.1), a name (e.g. www.gnumonks.org), or a network address (e.g. 192.168.1.0/24 or 192.168.1.0/255.255.255.0).
You can also specify the incoming (`-i' or `--in-interface') or outgoing (`-o' or `--out-interface') interface to match, but which of the two you may use depends on the chain you put the rule into: at PREROUTING you can only select the incoming interface, and at POSTROUTING (and OUTPUT) you can only select the outgoing interface. If you use the wrong one, iptables gives an error.
5.2. Finer Points of Selecting What Packets to Mangle
I said above that you can specify a source and a destination address. If you omit the source address option, any source address will do. If you omit the destination address, any destination address will do.
You can also specify a particular protocol (`-p' or `--protocol'), such as TCP or UDP; only packets of that protocol match the rule. The main reason for doing so is that specifying a protocol of tcp or udp allows extra options, namely `--source-port' and `--destination-port' (abbreviated `--sport' and `--dport').
These options let you say that only packets with a given source and destination port match the rule. This is useful for redirecting web requests (TCP port 80 or 8080) while leaving other packets alone.
These options must follow the `-p' option (which has the side-effect of loading the shared-library extension for that protocol). You can use port numbers, or a name from the /etc/services file.
All the different qualities you can select on are detailed in the manual page (man iptables).
6. Saying How To Mangle The Packets
Now we know how to select the packets we want to mangle. To complete a rule, we need to tell the kernel exactly what to do to them.
6.1. Source NAT
You want to do Source NAT: change the source address of connections to something different. This is done in the POSTROUTING chain, just before the packet is finally sent out; this is an important detail, since it means that anything else on the Linux box itself (routing, packet filtering) sees the packet unchanged. It also means the `-o' (outgoing interface) option can be used.
Source NAT is specified with `-j SNAT', and the `--to-source' option gives an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP only).
## Change source addresses to 1.2.3.4.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
## Change source addresses to 1.2.3.4, ports 1-1023
# iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023
6.1.1. Masquerading
There is a specialised case of Source NAT called masquerading: it should only be used for dynamically assigned IP addresses, such as standard dialups (for static IP addresses, use SNAT above).
You don't need to give the source address explicitly with masquerading: it uses the address of the interface the packet goes out of. More importantly, if the link goes down, the connections (which are lost anyway) are forgotten, meaning fewer glitches when the link comes back up with a new IP address.
## Masquerade everything out ppp0.
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
6.2. Destination NAT
This is done in the PREROUTING chain, just as the packet comes in; this means that anything else on the Linux box itself (routing, packet filtering) sees the packet going to its `real' destination. It also means the `-i' (incoming interface) option can be used. For locally generated packets the OUTPUT chain can be used as well, with some restrictions.
Destination NAT is specified with `-j DNAT', and the `--to-destination' option gives an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP only).
## Change destination addresses to 5.6.7.8
# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8
## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8-5.6.7.10
## Change destination addresses of web traffic to 5.6.7.8, port 8080.
# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 \
-j DNAT --to 5.6.7.8:8080
## Redirect local packets to 1.2.3.4 to loopback.
# iptables -t nat -A OUTPUT -d 1.2.3.4 -j DNAT --to 127.0.0.1
6.2.1. Redirection
There is a specialised case of Destination NAT called redirection: it is a simple convenience exactly equivalent to doing DNAT to the address of the incoming interface.
## Send incoming port-80 web traffic to our squid (transparent) proxy
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
-j REDIRECT --to-port 3128
6.3. Mappings In Detail
There are some subtleties to NAT that most people never have to deal with. They are documented here for the curious:
6.3.1. Selecting Multiple Addresses in a Range
If a range of IP addresses is given, the IP address used is the one least used by the connections the machine currently knows about. This gives primitive load-balancing.
6.3.2. Creating Null NAT Mappings
You can use the `-j ACCEPT' target to let a connection pass through without any NAT taking place.
6.3.3. Standard NAT Behaviour
The default behaviour is to alter the connection as little as possible, within the constraints of the rule given by the user. This means ports are not remapped unless they have to be.
6.3.4. Implicit Source Port Mapping
Even when no NAT is requested for a connection, source port translation may occur implicitly if another connection has been mapped over the new one. Consider the case of masquerading, which is fairly common:
1. A web connection is established by a box 192.1.1.1 from port 1024 to www.netscape.com port 80.
2. This is masqueraded by the masquerading box to use its external IP address (1.2.3.4).
3. The masquerading box then tries to make a web connection of its own to www.netscape.com port 80 from 1.2.3.4 (its external interface address) port 1024.
4. The NAT code alters the second connection's source port to 1025, so that the two connections do not clash.
When this implicit source mapping occurs, ports are divided into three classes:
o Ports below 512
o Ports between 512 and 1023
o Ports 1024 and above
A port will never be implicitly mapped into a different class.
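As an added illustration of the class rule above (this is example code, not part of the HOWTO), the following POSIX shell script models implicit source-port mapping: it classifies a port, picks a replacement port for a clashing connection within the same class, and fails when the class is exhausted, which corresponds to the dropped connection of the next section. Searching for the lowest free port in the class is this example's own simplification, not a statement about the exact order the kernel searches in.

```sh
#!/bin/sh
# Model of netfilter's implicit source-port mapping (added example, not HOWTO code).
# Assumption: replacement ports are searched from the bottom of the class upwards;
# the kernel's search order may differ, but the class boundaries are the rule the
# HOWTO states: a port is never moved into a different class.

# Print the class a port belongs to: low (<512), mid (512-1023) or high (>=1024).
port_class() {
    if [ "$1" -lt 512 ]; then
        echo low
    elif [ "$1" -lt 1024 ]; then
        echo mid
    else
        echo high
    fi
}

# Print "START END" (inclusive) for the class of port $1. Port 0 is never
# handed out, so the low class starts at 1.
class_bounds() {
    case "$(port_class "$1")" in
        low)  echo "1 511" ;;
        mid)  echo "512 1023" ;;
        high) echo "1024 65535" ;;
    esac
}

# Succeed if port $1 appears in the space-separated list $2 of ports already
# used by connections the box knows about.
port_in_use() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print a space-separated list of the ports from $1 to $2 (helper for building
# an in-use list).
port_range() {
    p=$1
    while [ "$p" -le "$2" ]; do
        printf '%s ' "$p"
        p=$((p + 1))
    done
}

# pick_port WANTED IN_USE
# Print the source port a new connection ends up with: WANTED itself when it is
# free (standard NAT behaviour: change as little as possible), otherwise the
# lowest free port in the same class. Return 1 and print nothing when the class
# has no free port left: the connection cannot be mapped and is dropped.
pick_port() {
    if ! port_in_use "$1" "$2"; then
        echo "$1"
        return 0
    fi
    set -- "$1" "$2" $(class_bounds "$1")   # now $3=START, $4=END
    p=$3
    while [ "$p" -le "$4" ]; do
        if ! port_in_use "$p" "$2"; then
            echo "$p"
            return 0
        fi
        p=$((p + 1))
    done
    return 1
}

# The HOWTO's masquerading scenario: the internal host already holds
# 1.2.3.4:1024, so the NAT box's own connection from port 1024 is moved.
pick_port 1024 "1024"    # prints 1025
```

Running the script prints the remapped port for the scenario in the list above; calling pick_port with a port from a fully occupied class (for example every port from 512 to 1023 in use) returns a non-zero status instead of spilling into the next class.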
6.3.5. What Happens When NAT Fails
If there is no way to map a connection uniquely as the user requested, the packet is dropped. This also applies to packets which could not be classified as part of any connection, because they are malformed, or the box is out of memory, etc.
6.3.6. Multiple Mappings, Overlap and Clashes
You can have NAT rules that map packets onto the same range; the NAT code is smart enough to avoid clashes. Hence having two rules that map the source addresses 192.168.1.1 and 192.168.1.2 onto 1.2.3.4 is fine.
Furthermore, you can map over real, in-use IP addresses, as long as those addresses pass through the mapping box as well. So if you have an assigned network (1.2.3.0/24), but one internal network uses those addresses and another uses the private addresses 192.168.1.0/24, you can simply NAT the 192.168.1.0/24 source addresses onto the 1.2.3.0 network, without fear of clashes:
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
-j SNAT --to 1.2.3.0/24
The same logic applies to the addresses used by the NAT box itself: this is how masquerading works (sharing the interface's address between masqueraded packets and the `real' packets coming from the box itself).
Moreover, you can map the same packets onto many different targets, and they will be shared out. For example, if you don't want to map anything over 1.2.3.5, you could do:
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
-j SNAT --to 1.2.3.0-1.2.3.4 --to 1.2.3.6-1.2.3.254
6.3.7. Changing the Destination of Locally Generated Connections
If the destination of a locally generated packet is changed (i.e. in the OUTPUT chain), the packet may go out a different interface from the one chosen when it was created, and its source address will then be wrong. For example, a packet addressed to loopback that is redirected out eth0 carries the source address 127.0.0.1 rather than the eth0 address, which is incorrect.
7. Special Protocols
Some protocols do not like being NATed. For each of these, two extensions are needed: one for the connection tracking of the protocol, and one for the actual NAT.
Within the netfilter distribution there are modules for ftp: ip_conntrack_ftp.o and ip_nat_ftp.o. If you insert these into your kernel (or compile them in), any form of NAT on ftp connections is possible. If you don't, you can still use ftp passively, but this is unreliable if you are doing Source NAT.
8. Caveats on NAT
If you do NAT on a connection, all packets in both directions (into and out of the network) must pass through the NAT box, or it will not work reliably. In particular, the connection tracking code reassembles fragments, so a fragment that cannot be reassembled with the rest of its packet is not passed through and is dropped.
9. Source NAT and Routing
If you do SNAT, you need to make sure that every machine the SNATed packets go to sends its replies back to the NAT box. For example, if you map outgoing packets to the source address 1.2.3.4, then the external router must know to send replies (for packets to 1.2.3.4) back to the NAT box. This can be done in the following ways:
1. If you SNAT onto the NAT box's own address (the address of its external interface, which is the usual case), you need do nothing.
2. If you SNAT onto an unused address on the local network (e.g. you map to 1.2.3.99, a free IP on your 1.2.3.0/24 network), your NAT box must answer ARP requests for that address as well as its own: the easiest way is to create an IP alias, e.g.:
# ip address add 1.2.3.99 dev eth0
3. If you SNAT onto a completely different address, you need to make sure the machines the SNATed packets reach route that address back to the NAT box. If the NAT box is their default gateway this is already the case; otherwise you need to advertise a route (if you are running a routing protocol) or add manual routes on each machine concerned.
10. Destination NAT Onto the Same Network
If you do port forwarding back onto the same network, you need to make sure that both the future packets and the reply packets pass through the NAT box (so they get altered). The NAT code (since 2.4.0-test6) blocks the outgoing ICMP redirect that is generated when a NATed packet leaves the same interface it came in on, but the destination server will still try to reply directly to the client, which will not recognise the reply.
The classic case is that internal staff try to access your `public' web server, which is actually DNATed from the public address (1.2.3.4) to an internal machine (192.168.1.1), like so:
# iptables -t nat -A PREROUTING -d 1.2.3.4 \
-p tcp --dport 80 -j DNAT --to 192.168.1.1
One way around this is to run an internal DNS server which knows the real (internal) IP address of your public web site, and forwards all other requests to an external DNS server. This means the logging on your web server shows the internal IP addresses correctly.
The other way is to have the NAT box also map the source IP address of these connections to its own, fooling the server into replying through it. Given that the NAT box's internal IP address is 192.168.1.250, it would look like this:
# iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 \
-p tcp --dport 80 -j SNAT --to 192.168.1.250
Because the PREROUTING rule gets looked at first, the packets are already destined for the internal web server by the time they reach POSTROUTING: we can tell which ones are internally sourced by their source IP address.
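To make the condition described in this section checkable on a real box, here is an added example (not from the HOWTO) in POSIX shell: it reads an iptables-save style dump of the nat table and lists every PREROUTING DNAT target on a given internal prefix that has no matching POSTROUTING SNAT rule, i.e. the servers whose internal clients will still get direct, untranslated replies. The dump is a constructed sample built from this section's addresses; on a live system you would feed it the output of `iptables-save -t nat' instead.

```sh
#!/bin/sh
# Audit a nat-table dump for DNAT rules that lack the hairpin SNAT this section
# describes (added example; not part of the HOWTO).

# Constructed sample in iptables-save format, using the HOWTO's addresses: the
# web server 192.168.1.1 has its hairpin SNAT, a second server 192.168.1.2
# (made up for this example) does not.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.2
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.1/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.1.250
COMMIT'

# Print the target address of every PREROUTING DNAT rule in dump $1, one per
# line, without any :port suffix.
dnat_targets() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            "-A PREROUTING "*"-j DNAT --to-destination "*)
                target=${line##*--to-destination }
                echo "${target%%:*}"
                ;;
        esac
    done
}

# Succeed if dump $1 contains a POSTROUTING SNAT rule whose destination is
# host $2 (with or without a /32 mask), i.e. replies from $2 are forced back
# through the NAT box.
has_hairpin_snat() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -qE "^-A POSTROUTING .*-d ${esc}(/32)? .*-j SNAT"
}

# audit_hairpin DUMP PREFIX
# Print each DNAT target starting with PREFIX (e.g. "192.168.1.") that has no
# hairpin SNAT. Only targets on the internal network matter: clients elsewhere
# already reach the server through the NAT box.
audit_hairpin() {
    for target in $(dnat_targets "$1"); do
        case "$target" in
            "$2"*)
                if ! has_hairpin_snat "$1" "$target"; then
                    echo "$target"
                fi
                ;;
        esac
    done
}

# Demonstration on the constructed dump: reports 192.168.1.2 only.
audit_hairpin "$SAMPLE_DUMP" 192.168.1.
```

The check only inspects the destination of the SNAT rule; a stricter version would also confirm that its -s network is the one the internal clients sit on, which is what makes the reply path symmetric.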
11. Thanks
Thanks first to WatchGuard and David Bonn, who believed in the netfilter idea enough to support me while I worked on it.
And to everyone else who put up with my ranting as I learned about the ugliness of NAT.
Rusty.