Linux 2.4 NAT HOWTO
Rusty Russell, mailing list netfilter@lists.samba.org
Traditional Chinese translation: netmanforever@yahoo.com
v1.0.1 Mon May 1 18:38:22 CST 2000

This document describes how to do masquerading, transparent proxying,
port forwarding, and other forms of Network Address Translation with
the 2.4 Linux kernels.
______________________________________________________________________

Table of Contents

1. Introduction
2. Where is the official site, and what is the mailing list?
   2.1 What is Network Address Translation?
   2.2 Why would I want NAT?
3. The two types of NAT
4. Quick translation from the 2.0 and 2.2 kernels
   4.1 I just want masquerading! Help!
   4.2 What about ipmasqadm?
5. Controlling what to NAT
   5.1 Simple selection using iptables
   5.2 Finer points of selecting what packets to mangle
6. Saying how to mangle the packets
   6.1 Source NAT
       6.1.1 Masquerading
   6.2 Destination NAT
       6.2.1 Redirection
   6.3 Mappings in detail
       6.3.1 Selection of multiple addresses in a range
       6.3.2 Creating null NAT mappings
       6.3.3 Standard NAT behaviour
       6.3.4 Implicit source port mapping
       6.3.5 What happens when NAT fails
       6.3.6 Multiple mappings, overlap and clashes
       6.3.7 Altering the destination of locally generated connections
7. Protocols
8. Caveats on NAT
9. Source NAT and routing
10. Destination NAT onto the same network
11. Thanks
______________________________________________________________________

1. Introduction

Welcome, gentle reader. You are about to delve into the fascinating
(and sometimes horrid) world of NAT: Network Address Translation, and
this HOWTO is going to be your somewhat-accurate guide to the 2.4 Linux
kernel and beyond.

In Linux 2.4, a new framework for packet manipulation (mangling) was
introduced, called `netfilter'. A layer on top of this provides NAT,
completely re-implemented from previous kernels.

2. Where is the official site, and what is the mailing list?

There are three official sites:

  o Thanks to Filewatcher (http://netfilter.filewatcher.org).

  o Thanks to The Samba Team and SGI (http://www.samba.org/netfilter).

  o Thanks to Harald Welte (http://netfilter.gnumonks.org).

For the official netfilter mailing list, see the Netfilter List.

2.1. What is Network Address Translation?

Normally, packets on a network travel from their source (such as your
home computer) to their destination (such as www.gnumonks.org) through
many different links: about 19 from where I am in Australia. None of
these links really alters your packet: they just send it onward.

If one of these links were to do NAT, it would alter the source or
destination of the packet as it passes through. As you can imagine,
this is not how the system was intended to work, and hence NAT is
always something of a kludge. Usually the link doing NAT will remember
how it mangled a packet, and when a reply packet passes through the
other way it will do the reverse mangling on that reply packet, so
everything works.
2.2. Why would I want NAT?

In a perfect world, you would not need it. Meanwhile, the main reasons
are:

Modem connections to the Internet

     Most ISPs give you a single IP address when you dial in. You
     can send out packets with any source address you want, but
     only replies to packets with this source IP address will
     return to you. If you want to use several different machines
     (such as a home network) to connect to the Internet through
     this one link, you need NAT. This is by far the most common
     use of NAT today, commonly known as `masquerading' in the
     Linux world. I call this SNAT, because you change the source
     address of the first packet.

Multiple servers

     Sometimes you want to change where packets heading into your
     network will go. Frequently this is because (as above) you
     have only one IP address, but you want people to be able to
     get into the boxes behind the one with the `real' IP address.
     If you rewrite the destination of incoming packets, you can
     manage this. A common variation of this is load-sharing,
     where the mapping ranges over a set of machines, fanning
     packets out to them. This type of NAT was called
     port-forwarding under previous versions of Linux.

Transparent proxying

     Sometimes you want to pretend that each packet which passes
     through your Linux box is destined for a program on the Linux
     box itself. This is used to make transparent proxies: a proxy
     is a program which stands between your network and the
     outside world, shuffling communication between the two. The
     transparent part is because your network will not even know
     it is talking to a proxy, unless of course the proxy does not
     work. Squid can be configured to work this way, and it was
     called redirection or transparent proxying under previous
     Linux versions.

3. The two types of NAT

I divide NAT into two different types: Source NAT (SNAT) and
Destination NAT (DNAT).

Source NAT is when you alter the source address of the first packet,
i.e. you are changing where the connection is coming from. Source NAT
is always done post-routing, just before the packet goes out onto the
wire. Masquerading is a specialized form of SNAT.

Destination NAT is when you alter the destination address of the first
packet, i.e. you are changing where the connection is going to.
Destination NAT is always done before routing, when the packet first
comes off the wire. Port forwarding, load sharing, and transparent
proxying are all forms of DNAT.

4. Quick translation from the 2.0 and 2.2 kernels

Sorry to those of you still shell-shocked from the 2.0 (ipfwadm) to
2.2 (ipchains) transition. There is good news and bad news.

First, you can simply use ipchains and ipfwadm as before. To do this,
you need to insert the `ipchains.o' or `ipfwadm.o' kernel modules found
in the latest netfilter distribution. These are mutually exclusive (you
have been warned), and should not be combined with any other netfilter
modules.

Once one of these modules is installed, you can use ipchains and
ipfwadm as normal, with the following differences:

  o Setting masquerading timeouts with `ipchains -M -S' or
    `ipfwadm -M -s' does nothing. Since the timeouts are longer in
    the new NAT infrastructure, this should not matter.

  o The fields init_seq, delta and previous_delta in the verbose
    masquerade listing are always zero.

  o Zeroing and listing the counters at the same time with `-Z -L'
    does not work: the counters will not be zeroed.

Hackers need to know:

  o You can now bind to ports 61000-65095 even when you are
    masquerading. The old masquerading code reserved those ports for
    its own use, which is no longer necessary.

  o The (undocumented) getsockname hack, which transparent proxy
    programs could use to find out the real destination of
    connections, no longer works.

  o The (undocumented) bind-to-foreign-address hack is not
    implemented yet, to complete the illusion of transparent
    proxying.

4.1. I just want masquerading! Help!

This is what most people want. If you have a dynamically allocated IP
PPP dialup (if you do not know, you do), you simply want to tell your
box that all packets coming from your internal network should be made
to look like they are coming from the PPP dialup box.

    # Load the NAT module (this pulls in all the others).
    modprobe iptable_nat

    # In the NAT table (-t nat), Append a rule (-A) after routing
    # (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
    # MASQUERADE the connection (-j MASQUERADE).
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

    # Turn on IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

Note that you are not doing any packet filtering here: for that, see
the Packet Filtering HOWTO, `Mixing NAT and Packet Filtering'.
4.2. What about ipmasqadm?

This is a much smaller user base, so I do not feel too bad about
changing the syntax. Port forwarding is now done with iptables -t nat.
For example, under Linux 2.2 you would have done:

    # Linux 2.2
    # Forward TCP packets going to port 8080 on 1.2.3.4 to 192.168.1.1's port 80
    ipmasqadm portfw -a -P tcp -L 1.2.3.4 8080 -R 192.168.1.1 80

Now you do:

    # Linux 2.4
    # Append a rule pre-routing (-A PREROUTING) to the NAT table (-t nat) that
    # TCP packets (-p tcp) going to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080)
    # have their destination mapped (-j DNAT) to 192.168.1.1, port 80
    # (--to 192.168.1.1:80).
    iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 8080 \
        -j DNAT --to 192.168.1.1:80

If you want this rule to also affect connections made on the NAT box
itself (as if you ran telnet 1.2.3.4 8080 on the NAT box and were
connected to 192.168.1.1 port 80), you can insert the same rule in the
OUTPUT chain (local packets only):

    # Linux 2.4
    iptables -A OUTPUT -t nat -p tcp -d 1.2.3.4 --dport 8080 \
        -j DNAT --to 192.168.1.1:80

5. Controlling what to NAT

You need to create NAT rules which tell the kernel what connections to
change, and how to change them. To do this, we use the very versatile
iptables tool, and tell it to alter the NAT table by specifying the
`-t nat' option.

The table of NAT rules contains three lists called `chains': each rule
is examined in order until one matches. The chains are called
PREROUTING (for Destination NAT, as packets first come in), POSTROUTING
(for Source NAT, as packets leave), and OUTPUT (for Destination NAT of
locally generated packets).

The diagram below shows where each one sits:

         _____                                     _____
        /     \                                   /     \
      PREROUTING -->[Routing ]----------------->POSTROUTING----->
        \D-NAT/     [Decision]                    \S-NAT/
            |             ^
            |             |
            |           __|__
            |          /     \
            |         |OUTPUT|
            |          \D-NAT/
            |             ^
            |             |
             --------> Local Process ------

At each of the points above, when a packet passes we look up what
connection it is associated with. If it is a new connection, we look up
the corresponding chain in the NAT table to see what to do with it. The
answer it gives will apply to all future packets on that connection.

5.1. Simple selection using iptables

iptables takes a number of standard options, listed below. All the
double-dash options can be abbreviated, as long as iptables can still
tell them from all other possible options. If your kernel has iptables
support as a module, you will need to load the ip_tables.o module
first: `insmod ip_tables'.

The most important option here is the table selection option, `-t'.
For all NAT operations you will want to use `-t nat' for the NAT table.
The second most important option is `-A' to append a new rule at the
end of the chain (e.g. `-A POSTROUTING'), or `-I' to insert one at the
beginning (e.g. `-I PREROUTING').

You can specify the source (`-s' or `--source') and destination (`-d'
or `--destination') of the packets you want to NAT. These options can
be followed by a single IP address (e.g. 192.168.1.1), a name (e.g.
www.gnumonks.org), or a network address (e.g. 192.168.1.0/24 or
192.168.1.0/255.255.255.0).

You can specify the incoming (`-i' or `--in-interface') or outgoing
(`-o' or `--out-interface') interface to match, but which one you can
specify depends on which chain you are putting the rule into: at
PREROUTING you can only select the incoming interface, and at
POSTROUTING (and OUTPUT) you can only select the outgoing interface. If
you use the wrong one, iptables will give an error.
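As an added example (not code from the HOWTO or the netfilter project), here is a small rule builder that puts the options of sections 4.1, 4.2 and 5.1 together and checks each rule against the chain rules of section 5 before emitting it: DNAT only in PREROUTING or OUTPUT, SNAT and MASQUERADE only in POSTROUTING, `-i' only at PREROUTING and `-o' only at POSTROUTING/OUTPUT. The IPT variable, the function names and the dry-run default are this example's own conventions; by default it prints the iptables commands instead of running them.

```shell
# Added example (not code from the HOWTO): a rule builder that checks each
# NAT rule against the chain rules of sections 5 and 5.1 before emitting it.
# IPT, the function names and the dry-run default are constructed here.
# By default the iptables commands are only printed; run with IPT=iptables
# as root (with iptable_nat loaded) to apply them for real.

IPT="${IPT:-echo iptables}"

# nat_chain_ok TARGET CHAIN: 0 if the target may be used in that chain of
# the nat table. DNAT and REDIRECT change the destination, so they belong
# in PREROUTING (packets from the wire) or OUTPUT (locally generated
# packets); SNAT and MASQUERADE change the source, so POSTROUTING only.
nat_chain_ok() {
    case "$1:$2" in
        DNAT:PREROUTING|DNAT:OUTPUT|REDIRECT:PREROUTING|REDIRECT:OUTPUT) return 0 ;;
        SNAT:POSTROUTING|MASQUERADE:POSTROUTING) return 0 ;;
        *) return 1 ;;
    esac
}

# nat_iface_ok CHAIN OPTION: 0 unless OPTION is an interface match the chain
# cannot use (only -i at PREROUTING, only -o at POSTROUTING and OUTPUT).
nat_iface_ok() {
    case "$1:$2" in
        PREROUTING:-o|PREROUTING:--out-interface) return 1 ;;
        POSTROUTING:-i|POSTROUTING:--in-interface) return 1 ;;
        OUTPUT:-i|OUTPUT:--in-interface) return 1 ;;
        *) return 0 ;;
    esac
}

# nat_rule CHAIN TARGET [match options] -- [target options]
# Emits "iptables -t nat -A CHAIN <match> -j TARGET <target options>".
# Match options come before "--" and target options (such as --to) after
# it, because iptables accepts target options only after -j.
nat_rule() {
    chain="$1"; target="$2"; shift 2
    if ! nat_chain_ok "$target" "$chain"; then
        echo "refusing: $target is not valid in chain $chain" >&2
        return 1
    fi
    match=""
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do
        if ! nat_iface_ok "$chain" "$1"; then
            echo "refusing: $1 cannot be used in chain $chain" >&2
            return 1
        fi
        match="$match $1"; shift
    done
    if [ "$1" = "--" ]; then shift; fi
    # $match is deliberately unquoted so it splits back into separate words.
    $IPT -t nat -A "$chain" $match -j "$target" "$@"
}

# masquerade_out IFACE: the section 4.1 rule for a dynamic-IP dialup link.
masquerade_out() {
    nat_rule POSTROUTING MASQUERADE -o "$1"
}

# port_forward PUBLIC_IP PUBLIC_PORT INTERNAL_IP INTERNAL_PORT: the two
# rules of section 4.2, so that packets from the wire (PREROUTING) and
# connections made on the NAT box itself (OUTPUT) both reach the server.
port_forward() {
    nat_rule PREROUTING DNAT -p tcp -d "$1" --dport "$2" -- --to "$3:$4" &&
    nat_rule OUTPUT     DNAT -p tcp -d "$1" --dport "$2" -- --to "$3:$4"
}

# A home gateway built from the HOWTO's own example addresses: masquerade
# everything out ppp0 and forward 1.2.3.4:8080 to 192.168.1.1:80.
home_gateway() {
    masquerade_out ppp0 &&
    port_forward 1.2.3.4 8080 192.168.1.1 80
}
```

Run `home_gateway` to see the three commands it would issue; `IPT=iptables home_gateway` applies them. Turning on forwarding (`echo 1 > /proc/sys/net/ipv4/ip_forward`, section 4.1) is a separate step that the builder does not perform, and the chain checks only catch the placement mistakes section 5 describes, not whether the addresses themselves are right.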
5.2. Finer points of selecting what packets to mangle

I said above that you can specify a source and destination address. If
you omit the source address option, any source address will do. If you
omit the destination address, any destination address will do.

You can also specify a particular protocol (`-p' or `--protocol'), such
as TCP or UDP; only packets of this protocol will match the rule. The
main reason for doing this is that specifying a protocol of tcp or udp
allows extra options: specifically the `--source-port' and
`--destination-port' options (abbreviated as `--sport' and `--dport').

These options let you specify that only packets with a certain source
and destination port will match the rule. That is useful for
redirecting web requests (TCP port 80 or 8080) and leaving other
packets alone.

These options must follow the `-p' option (which has the side effect of
loading the shared-library extension for that protocol). You can use
port numbers, or a name from the /etc/services file.

All the different qualities you can select a packet by are described
in exhaustive detail in the manual page (man iptables).

6. Saying how to mangle the packets

Now we know how to select the packets we want to mangle. To complete
our rule, we need to tell the kernel exactly what we want it to do to
the packets.

6.1. Source NAT

You want to do Source NAT: change the source address of connections to
something different. This is done in the POSTROUTING chain, just before
the packet is finally sent out; this is an important detail, since it
means that anything else on the Linux box itself (routing, packet
filtering) will see the packet unchanged. It also means that the `-o'
(outgoing interface) option can be used.

Source NAT is specified using `-j SNAT', and the `--to-source' option
specifies an IP address, a range of IP addresses, and an optional port
or range of ports (for UDP and TCP protocols only).

    ## Change source addresses to 1.2.3.4.
    # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

    ## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
    # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6

    ## Change source addresses to 1.2.3.4, ports 1-1023
    # iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023

6.1.1. Masquerading

There is a specialized case of Source NAT called masquerading: it
should only be used for dynamically assigned IP addresses, such as
standard dialups (for static IP addresses, use SNAT above).

You do not need to put in the source address explicitly with
masquerading: it will use the source address of the interface the
packet is going out of. More importantly, if the link goes down, the
connections (which are now lost anyway) are forgotten, meaning fewer
glitches when the connection comes back up with a new IP address.

    ## Masquerade everything out ppp0.
    # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

6.2. Destination NAT

This is done in the PREROUTING chain, just as the packet comes in; this
means that anything else on the Linux box itself (routing, packet
filtering) will see the packet going to its `real' destination. It also
means that the `-i' (incoming interface) option can be used.

For altering locally generated packets, the OUTPUT chain is used, but
this is less common.

Destination NAT is specified using `-j DNAT', and the
`--to-destination' option specifies an IP address, a range of IP
addresses, and an optional port or range of ports (for UDP and TCP
protocols only).

    ## Change destination addresses to 5.6.7.8
    # iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8

    ## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
    # iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8-5.6.7.10

    ## Change destination addresses of web traffic to 5.6.7.8, port 8080.
    # iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 \
        -j DNAT --to 5.6.7.8:8080

    ## Redirect local packets to 1.2.3.4 to loopback.
    # iptables -t nat -A OUTPUT -d 1.2.3.4 -j DNAT --to 127.0.0.1
6.2.1. Redirection

There is a specialized case of Destination NAT called redirection: it
is a simple convenience which is exactly equivalent to doing DNAT to
the address of the incoming interface.

    ## Send incoming port-80 web traffic to our squid (transparent) proxy
    # iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
        -j REDIRECT --to-port 3128

6.3. Mappings in detail

There are some subtleties with NAT that most people will not need to
deal with. They are documented here for the curious.

6.3.1. Selection of multiple addresses in a range

If a range of IP addresses is given, the IP address to use is selected
based on the least currently used IP for connections the machine knows
about. This gives primitive load-balancing.

6.3.2. Creating null NAT mappings

You can use the `-j ACCEPT' target to let a connection through without
any NAT taking place.

6.3.3. Standard NAT behaviour

The default behaviour is to alter the connection as little as is
required to meet the rule the user gave. This means we do not remap
ports unless we have to.

6.3.4. Implicit source port mapping

Even when no NAT is asked for by the connection, source port
translation may occur implicitly, if another connection has been
mapped over the new one. Consider the case of masquerading, which is
quite common:

  1. A web connection is established by the machine 192.1.1.1 from
     port 1024 to www.netscape.com port 80.

  2. This is masqueraded by the masquerading box to use the source
     address of the box (1.2.3.4).

  3. The masquerading box tries a web connection to www.netscape.com
     port 80 from 1.2.3.4 (the address of its external interface),
     port 1024.

  4. The NAT code will alter the source port of the second connection
     to 1025, so that the two do not clash.

When this implicit source mapping occurs, ports are divided into three
classes:

  o Ports below 512

  o Ports between 512 and 1023

  o Ports 1024 and above

A port will never be implicitly mapped into a different class.

6.3.5. What happens when NAT fails

If there is no way to uniquely translate a packet as the user requests,
it will be dropped. This also applies to packets which could not be
classified as part of any connection, because they are malformed, or
the machine is out of memory, etc.

6.3.6. Multiple mappings, overlap and clashes

You can have NAT rules which map packets onto the same range; the NAT
code is smart enough to avoid clashes. Hence having two rules which map
the source addresses 192.168.1.1 and 192.168.1.2 respectively onto
1.2.3.4 is fine.

Moreover, you can map over real, used IP addresses, as long as those
addresses pass through the mapping box as well. So if you have an
assigned network (1.2.3.0/24), but have one internal network using the
private addresses 192.168.1.0/24 and another using the public addresses
1.2.3.0/24, you can simply NAT the source addresses of 192.168.1.0/24
onto the 1.2.3.0 network, like so:

    # iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
        -j SNAT --to 1.2.3.0/24

The same logic applies to addresses used by the NAT box itself: this is
how masquerading works (by sharing the interface address between
masqueraded packets and `real' packets coming from the box itself).

Moreover, you can map the same packets onto many different targets, and
they will be shared out. For example, if you did not want to map
anything over 1.2.3.5, you could do:

    # iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
        -j SNAT --to 1.2.3.0-1.2.3.4 --to 1.2.3.6-1.2.3.254

6.3.7. Altering the destination of locally generated connections

If the destination of a locally generated packet is changed (e.g. in
the OUTPUT chain), the packet is re-routed, and its source address may
change as a result. For example, a packet which was going out the
loopback interface but is now routed out eth0 will have its source
address 127.0.0.1 replaced by the address of eth0, so that the replies
can come back in to it.

7. Protocols

Some protocols do not like being NAT'd. For each of these protocols,
two extensions must be written: one for the connection tracking of the
protocol, and one for the actual NAT.

Inside the netfilter distribution there are currently modules for ftp:
ip_conntrack_ftp.o and ip_nat_ftp.o. If you insert these modules into
your kernel (or compile them in permanently), then doing any kind of
NAT on ftp connections should work. If you do not, you can use passive
ftp, but this may not work reliably if you are doing Source NAT.

8. Caveats on NAT

If you are doing NAT on a connection, all packets going both ways (in
and out of the network) MUST pass through the NAT machine, or it will
not work reliably. In particular, the connection tracking code
reassembles fragments, meaning that it will not work reliably without
seeing all the fragments of a packet.

9. Source NAT and routing

If you are doing SNAT, you will want to make sure that every machine
that the SNAT'd packets go to will send replies back to the NAT box.
For example, if you are mapping outgoing packets to the source address
1.2.3.4, then the external router must know to send reply packets
(which will have destination 1.2.3.4) back to the box. This can be done
in the following ways:

  1. If you are doing SNAT onto the box's own address (for which
     routing and everything already works), you do not need to do
     anything.

  2. If you are doing SNAT onto an unused address on the local LAN
     (for example, you are mapping onto 1.2.3.99, a free IP on your
     1.2.3.0/24 network), your NAT box will need to answer ARP
     requests for that address as well as its own: the easiest way to
     do this is to create an IP alias, e.g.:

        # ip address add 1.2.3.99 dev eth0
  3. If you are doing SNAT onto a completely different address, you
     will need to make sure that the machines which the SNAT'd packets
     reach will route that address back to the NAT box. If the NAT
     box is their default gateway, this is already done; otherwise you
     will need to advertise a route (if you are running a routing
     protocol), or add routes manually to each machine involved.

10. Destination NAT onto the same network

If you are doing port forwarding back to the same network, you need to
make sure that both future packets and reply packets go through the
NAT box (so that they can be altered). The NAT code will now (as of
2.4.0-test6) block the outgoing ICMP redirect which is generated when
the NAT'd packet goes out the same interface it came in on, but the
receiving server will still try to reply directly to the internal
client (which will not recognise the reply).

The classic case is that internal staff try to access your `public'
web server, which is actually DNAT'd from the public address (1.2.3.4)
to an internal machine (192.168.1.1), like so:

    # iptables -t nat -A PREROUTING -d 1.2.3.4 \
        -p tcp --dport 80 -j DNAT --to 192.168.1.1

One way is to run an internal DNS server which knows the real
(internal) IP address of your public web site, and forwards all other
requests to an external DNS server. This means that the logging on
your web server will show the internal IP addresses correctly.

The other way is to have the NAT box also map the source IP address to
its own for these connections, fooling the server into replying
through it. In this example, we would do the following (assuming the
internal IP address of the NAT box is 192.168.1.250):

    # iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 \
        -p tcp --dport 80 -j SNAT --to 192.168.1.250

Because the PREROUTING rule gets run first, the packets will already be
destined for the internal web server: we can tell which ones are
internally sourced by the source IP addresses.

11. Thanks

Thanks first to WatchGuard, and David Bonn, who believed in the
netfilter idea enough to support me while I worked on it. And to
everyone else who put up with me ranting about NAT implementation
issues.

Rusty.
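As an added example for sections 6.3.3 to 6.3.5 (not code from the HOWTO or the kernel), here is a model of the implicit source port mapping: a requested port is kept when it is free, a clash is resolved by picking another port in the same class, and an exhausted class means the packet is dropped. The three port classes are the HOWTO's; the search order (upwards from the requested port, wrapping within its class), the function names and the tiny in-memory masquerading box are assumptions made here for illustration, not a description of the kernel's own allocator.

```shell
# Added example (not code from the HOWTO): a model of the implicit source
# port mapping of section 6.3.4. The three port classes are the HOWTO's; the
# search order (upwards from the requested port, wrapping within its class)
# is an assumption made here for illustration, not the kernel's algorithm.

# nat_port_class PORT: prints the inclusive bounds "LOW HIGH" of the class
# the port belongs to. A port is never mapped into a different class.
nat_port_class() {
    if [ "$1" -lt 512 ]; then echo "1 511"
    elif [ "$1" -lt 1024 ]; then echo "512 1023"
    else echo "1024 65535"
    fi
}

# port_in_use PORT USED: 0 if PORT appears in the space-separated list USED.
port_in_use() {
    for p in $2; do
        if [ "$p" -eq "$1" ]; then return 0; fi
    done
    return 1
}

# nat_pick_port PORT USED: prints the port the mapping will use. The
# requested port is kept when it is free (section 6.3.3: change as little
# as possible); otherwise the next free port in the same class is chosen.
# Returns 1 and prints nothing when the class is exhausted, which is the
# section 6.3.5 case where the packet is dropped.
nat_pick_port() {
    want="$1"; used="$2"
    set -- $(nat_port_class "$want")
    low="$1"; high="$2"
    if ! port_in_use "$want" "$used"; then echo "$want"; return 0; fi
    cand="$want"
    left=$((high - low))        # try every other port of the class once
    while [ "$left" -gt 0 ]; do
        cand=$((cand + 1))
        if [ "$cand" -gt "$high" ]; then cand="$low"; fi
        if ! port_in_use "$cand" "$used"; then echo "$cand"; return 0; fi
        left=$((left - 1))
    done
    return 1
}

# A tiny masquerading box: NAT_USED holds the source ports already in use
# on its external address 1.2.3.4. nat_snat SRC_PORT records the mapping
# for a new connection and leaves the chosen port in NAT_LAST.
NAT_USED=""
nat_snat() {
    NAT_LAST="$(nat_pick_port "$1" "$NAT_USED")" || return 1
    NAT_USED="$NAT_USED $NAT_LAST"
}

# The four steps of section 6.3.4: 192.1.1.1:1024 is masqueraded onto
# 1.2.3.4:1024, then the box itself connects from port 1024 and gets 1025.
section_6_3_4() {
    NAT_USED=""
    nat_snat 1024 && first="$NAT_LAST"      # the internal host's connection
    nat_snat 1024 && second="$NAT_LAST"     # the masquerading box's own
    echo "$first $second"
}
```

`section_6_3_4` prints the two external ports, 1024 and 1025. The class boundaries are what matter in practice: `nat_pick_port 511 "511"` wraps around to 1 rather than stepping up to 512, and `nat_pick_port 1023 "1023"` goes back to 512 rather than 1024, which is the "never mapped into a different class" rule of section 6.3.4 in action.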