Archive for the tag 'NAT'

FORWARD and NAT Rules for nodes behind the firewall/gateway.

The kernel does the routing; iptables decides which of the packets the kernel wants to route between interfaces are allowed through. That decision is made in the FORWARD chain of the filter table. For example, to forward everything for the entire LAN (assuming the firewall/gateway has an internal IP address on eth1), the following rules can be set:

iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT

These two rules accept every forwarded packet that arrives on eth1 or leaves through eth1, so the gateway routes traffic between LAN nodes and, once masquerading is configured below, between the LAN and the outside. Be aware how broad the second rule is: -o eth1 -j ACCEPT also accepts anything the gateway is asked to forward into the LAN, whatever its source or connection state. On a gateway whose FORWARD policy is DROP, it is safer to accept inbound forwarded packets only when they belong to a connection that is already tracked as established or related, and to allow new connections only from the LAN side.

To enable IP forwarding, run the following command:

sysctl -w net.ipv4.ip_forward=1

You can make forwarding permanent by editing /etc/sysctl.conf:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Execute the following command to enable the change to the sysctl.conf file:

sysctl -p /etc/sysctl.conf

To allow LAN nodes with private IP addresses to communicate with external public networks, configure the firewall for IP masquerading, which masks requests from LAN nodes with the IP address of the firewall’s external device (in this case, eth0):

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The rule uses the NAT packet matching table (-t nat), appends to the built-in POSTROUTING chain (-A POSTROUTING) and matches packets leaving through the firewall's external networking device (-o eth0).

POSTROUTING runs after the routing decision, as packets are about to leave through the external device, so only the source address is changed. The -j MASQUERADE target replaces the private source address of a LAN node with the current address of the external interface. MASQUERADE is meant for interfaces whose address is assigned dynamically (dial-up, DHCP): it looks up the interface address as needed and forgets its connection mappings when the interface goes down. With a static external address, use the SNAT target with --to-source instead.

If you want to forward incoming HTTP requests to a dedicated Apache HTTP Server system at 192.168.0.10, run the following command:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.10:80

This rule tells the NAT table's built-in PREROUTING chain to rewrite the destination of TCP port 80 packets arriving on eth0 to 192.168.0.10 before the routing decision is made, so the kernel routes them into the LAN (--to is the short form of --to-destination).

DNAT only changes the destination; the rewritten packet must still be accepted by the FORWARD chain. If the FORWARD policy is DROP, which it should be on a gateway, the following rule lets the rewritten requests through to the Apache HTTP Server behind the firewall. It matches on the translated destination (-d 192.168.0.10) because FORWARD sees the packet after PREROUTING has rewritten it. If the blanket eth1 rules from the start of this post are in place, this rule is redundant; it matters only when forwarding is allowed selectively.

iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 192.168.0.10 -j ACCEPT
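The whole procedure above (forwarding, masquerading, publishing the web server) as one added example, not the post's own commands: a POSIX shell script that sets a default-deny FORWARD chain, accepts only tracked or LAN-originated connections, masquerades the LAN and DNATs port 80 to the web server. The interface names, the 192.168.0.0/24 prefix and the 192.168.0.10 web server are the post's illustrative values and are assumed here; the run/dry-run helpers are mine. Run it as root with `apply`, or with `dry-run` to print the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the original post's code: a complete gateway ruleset for
# the setup described above. Assumed (hypothetical) values: WAN interface eth0,
# LAN interface eth1, LAN prefix 192.168.0.0/24, web server 192.168.0.10.
# Run as root:  sh gateway.sh apply      (applies the rules)
#               sh gateway.sh dry-run    (prints the commands instead)

WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
WEB="${WEB:-192.168.0.10}"

# run CMD ARGS...: execute the command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_rules() {
    # 1. The kernel forwards nothing until ip_forward is switched on.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Set the default-deny policy before flushing, so there is no window in
    #    which an empty chain with an ACCEPT policy forwards everything.
    #    (Flushing the nat chains also removes any unrelated NAT rules.)
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -t nat -F PREROUTING
    run iptables -t nat -F POSTROUTING

    # 3. Drop packets conntrack cannot associate with any connection, then
    #    let replies to known connections through in either direction.
    #    This replaces the blanket "-o eth1 -j ACCEPT" from the post.
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # 4. New connections may only be opened from the LAN towards the WAN, and
    #    only by sources inside the LAN prefix (drops spoofed sources on eth1).
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT

    # 5. Hide LAN sources behind the external address. MASQUERADE re-reads the
    #    interface address, which is what a dynamically assigned WAN needs.
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # 6. Publish the web server: rewrite the destination in PREROUTING, then
    #    accept the rewritten packet in FORWARD. FORWARD sees the packet after
    #    DNAT, so the accept rule matches the internal address, not the WAN one.
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB:80"
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Print the commands apply_rules would run, without touching the system.
dry_run_rules() {
    ( DRY_RUN=1; apply_rules )
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) dry_run_rules ;;
esac
```

The order of the FORWARD rules is the point: conntrack states are checked first, so the two NEW rules are the only places a fresh connection can be admitted, and both name the interface pair and the address they expect. Review the dry-run output before applying on a remote box, since a DROP policy on FORWARD with a typo in the LAN rule cuts the LAN off.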
SBDavid

Network Address Translation

PREROUTING

Address translation occurs before the routing decision.

The destination IP address is rewritten first, so the kernel consults its routing table with the translated destination and routes the packet toward the internal host rather than toward the firewall's own public address.
Used with NAT of the destination IP address, also known as destination NAT or DNAT.

POSTROUTING

Address translation occurs after the routing decision.

By then the destination is final and the outgoing interface is known, so there is no need to modify the destination IP address as in pre-routing; only the source is rewritten. Used with NAT of the source IP address, either one-to-one or many-to-one NAT. This is known as source NAT, or SNAT; MASQUERADE is the variant of SNAT used when the external address is assigned dynamically.

SBDavid

Simple implementation of NAT

An internal network connects to the internet over a PPP link (ppp0) with a dynamically assigned public IP address, so MASQUERADE is used rather than SNAT to a fixed address:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Note that -i eth0 cannot be added to this rule: iptables rejects an input-interface match in POSTROUTING, because -i is only valid in the PREROUTING, INPUT and FORWARD chains (-o is the counterpart for OUTPUT, FORWARD and POSTROUTING). To limit masquerading to hosts on the internal network, match their address range with -s instead.

nat:

This table is consulted only for the packet that creates a new connection; the translation it chooses is then applied by connection tracking to every later packet of that connection, in both directions. It consists of the built-in chains PREROUTING (for altering packets as soon as they come in), OUTPUT (for altering locally-generated packets before routing) and POSTROUTING (for altering packets as they are about to go out); current kernels also provide an INPUT chain in the nat table, for altering packets destined for local sockets.