Network Address Translation is the feature that makes Linux based firewall mostly in use. NAT is commonly used to masquerade the IP address
The NAT table contains 3 chains
The DNAT is defined in the PREROUTING chain. Using this we will make available of our internal service to external (Internet).i.e, from internet to lan (changes the packets before it routes to lan)
This is responsible for MASQUERADE (dynamic SNAT) & SNAT. When packet needs to leave from one subnet(internel) through the linux firewall to another it traverse through POSTROUTING chain. (Changes the packet after it leaves the route from lan). eg:- MASQUERADE option is used in certain cases like, if ISP provides the DHCP address and the internel LAN needs to brows, then we have to masquerade all the request from the lan to the DHCP address provided by isp
Locally sourced/generated packets are subjected to NAT. Eg:- If the firewall has more than one IP address using this chain we can re-write the packets going out from this linux machine to a single IP.
TYPEs in NAT
3 types of NATing is used.
This feature of NAT is used to dynamically masquerade all the internal address to the external IP
The following example will masquerade all the outgoing traffic to the externel bound IP of the firewall.
# iptables -t nat -A POSTROUTING -j MASQUERADEAnother example that masquerades all the traffic from network 10.0.0.0/8
# iptables -t nat -A POSTROUTING -j MASQUERADE -s 10.0.0.0/8This will masquerade all the request from the 10.0.0.0/8 subnet to the external ip of the firewall.
Test by enabling logging for nat and check the log file.
#iptables -A POSTROUTING -t nat -p tcp -j MASQUERADE --to-ports 1024-10240This will masquerade all the ports to the range from 1024 to 10240. So when a external client makes connection to the internal server (for eg:- # telnet
This feature of NAT is used to masquerade a particular internal ip adress to a given external address. Though SNAT and masquerading perform the same fundamental function, mapping one address space into another one, the details differ slightly. Most noticeably, masquerading chooses the source IP address for the outbound packet from the IP bound to the interface through which the packet will exit. i.e, SNAT permits 1-to-1 and/or 1-to-many mappings. It is used when we have a static public IP address.
This example will masquerade all the outgoing traffic from the subnet 10.0.0./8 to the ip 184.108.40.206.
# iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source 220.127.116.11
# iptables -t nat -A POSTROUTING -j SNAT -s 10.0.0.0/8 --to-source 18.104.22.168
SNAT using multiple address:
# iptables -A POSTROUTING -p tcp -s 10.0.0.55 -j SNAT --to-source 192.168.1.100
# iptables -A POSTROUTING -p tcp -s 10.0.0.0/8 -j SNAT --to-source 192.168.1.200
Test the functionality by enabling the LOG and use # netstat -ant
This feature of NAT is used to translate the packet coming to a perticular destination.Destination NAT with netfilter is commonly used to publish or make available of a internal network service to a publicly accessible IP. The connection tracking mechanism of netfilter will ensure that subsequent packets exchanged in either direction (which can be identified as part of the existing DNAT connection) are also transformed.
In this following example, all packets arriving on the router with a destination of 10.10.20.99 will depart from the router with a destination of 10.10.14.2
# iptables -t nat -A PREROUTING -d 10.10.20.99 -j DNAT --to-destination 10.10.14.2Make the internal mail server available for external access.
# iptables -A PREROUTING -t nat -d mail.domain.com -p tcp --dport 25 -j DNAT --to-destination 192.168.1.25
# iptables -A PREROUTING -t nat -d mail.domain.com -p tcp --dport 110 -j DNAT --to-destination 192.168.1.25
Netmap TAGRGET in NAT:
It is implemented in NAT table PREROUTING Chain. This is used to translate the one to one address from one subnet to another subnet.
Consider we have one subnet 10.0.0.0/24. and we need to translate all the ip in this subnet equalent to 192.168.1.0/24
# iptables -A PREROUTING -t nat -s 10.0.0.0/24 -j NETMAP --to 192.168.1.0/24This will convert/rewrite all the packets coming from the subnet 10.0.0.0/24 to 192.168.1.0/24.
i.e, the request from the ip 10.0.0.1 will be masked as 192.168.1.1.