Tuesday, November 3, 2009

Linux Security Notes 15: IPTables 7: NAT

IPTables NAT
    Network Address Translation is the feature that makes Linux based firewalls so widely used. NAT is most commonly used to masquerade IP addresses.

    The NAT table contains 3 chains:
  • PREROUTING: DNAT is defined in the PREROUTING chain. Using this we make an internal service available to the external side (Internet), i.e. from the Internet to the LAN (it changes the packets before they are routed to the LAN).
  • POSTROUTING: This chain is responsible for MASQUERADE (dynamic SNAT) and SNAT. When a packet needs to leave one (internal) subnet through the Linux firewall to another, it traverses the POSTROUTING chain (it changes the packet after it leaves the routing decision from the LAN). E.g. the MASQUERADE option is used in cases where the ISP provides a DHCP address and the internal LAN needs to browse: then we have to masquerade all the requests from the LAN to the DHCP address provided by the ISP.
  • OUTPUT: Locally sourced/generated packets are subjected to NAT here. E.g. if the firewall has more than one IP address, using this chain we can rewrite the packets going out from this Linux machine to a single IP.

    3 types of NATing are used:
  • masquerade
  • snat
  • dnat
Masquerade:

    This feature of NAT is used to dynamically masquerade all the internal addresses to the external IP.

The following example will masquerade all the outgoing traffic to the externally bound IP of the firewall.

# iptables -t nat -A POSTROUTING -j MASQUERADE

Another example, which masquerades all the traffic from the network

# iptables -t nat -A POSTROUTING -j MASQUERADE -s

    This will masquerade all the requests from the subnet to the external IP of the firewall.
Test by enabling logging for NAT and checking the log file.

Masquerading Port:

# iptables -A POSTROUTING -t nat -p tcp -j MASQUERADE --to-ports 1024-10240

    This will masquerade all connections into the source-port range 1024 to 10240. So when an external client makes a connection to the internal server (e.g. # telnet 22), the port allocated to the client will be between 1024 and 10240. As a result the internal system will only be able to use source ports in the range 1024 to 10240.


SNAT:

    This feature of NAT is used to masquerade a particular internal IP address to a given external address. Though SNAT and masquerading perform the same fundamental function, mapping one address space into another, the details differ slightly. Most noticeably, masquerading chooses the source IP address for the outbound packet from the IP bound to the interface through which the packet will exit, whereas SNAT permits 1-to-1 and/or 1-to-many mappings. It is used when we have a static public IP address.

This example will masquerade all the outgoing traffic from the subnet 10.0.0.0/8 to the IP

# iptables -t nat -A POSTROUTING -s -j SNAT --to-source


# iptables -t nat -A POSTROUTING -j SNAT -s --to-source

SNAT using multiple addresses:

# iptables -t nat -A POSTROUTING -p tcp -s -j SNAT --to-source
# iptables -t nat -A POSTROUTING -p tcp -s -j SNAT --to-source

    The first rule will NAT all the traffic from the source to , and the second rule states that all other traffic from the subnet should be NATed to
Test the functionality by enabling LOG and using # netstat -ant

DNAT:

    This feature of NAT is used to translate packets coming to a particular destination. Destination NAT with netfilter is commonly used to publish, or make available, an internal network service on a publicly accessible IP. The connection tracking mechanism of netfilter ensures that subsequent packets exchanged in either direction (which can be identified as part of the existing DNAT connection) are also transformed.

In the following example, all packets arriving at the router with a destination of will depart from the router with a destination of

# iptables -t nat -A PREROUTING -d -j DNAT --to-destination

Make the internal mail server available for external access.

# iptables -A PREROUTING -t nat -d mail.domain.com -p tcp --dport 25 -j DNAT --to-destination
# iptables -A PREROUTING -t nat -d mail.domain.com -p tcp --dport 110 -j DNAT --to-destination

    Here, if any request comes to the IP of mail.domain.com with a destination port of 25 or 110, IPTables will redirect (NAT) it to the internal address of
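Putting the MASQUERADE and DNAT rules above together into one reviewable script, as an added example that is not from the original post. The interface names eth0/eth1, the LAN subnet and the mail server address are assumptions chosen for the example; the FORWARD rules and the ip_forward setting are the pieces a bare nat-table rule needs before any traffic actually passes.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal two-interface NAT
# firewall that masquerades a LAN and publishes an internal mail server.
WAN_IF="eth0"            # assumed interface towards the ISP
LAN_IF="eth1"            # assumed interface towards the LAN
LAN_NET="192.168.1.0/24" # assumed LAN subnet
MAIL_IP="192.168.1.25"   # assumed internal mail server

# Print each command unless APPLY=1, so the rule set can be reviewed first.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

nat_rules() {
  # Forwarding is off by default; without it DNATed packets are dropped.
  run sysctl -w net.ipv4.ip_forward=1
  # Masquerade only traffic leaving through the WAN side. A bare
  # "-j MASQUERADE" with no -s/-o also rewrites traffic between LAN hosts.
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
  # DNAT changes the destination before routing; the filter table's
  # FORWARD chain must still accept the rewritten packet.
  for port in 25 110; do
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
      -j DNAT --to-destination "$MAIL_IP"
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$MAIL_IP" \
      --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
  done
  # Replies and follow-up packets of NATed connections, matched via conntrack.
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Everything else crossing the firewall is refused.
  run iptables -P FORWARD DROP
}

# Consistency check for a dry run: every DNAT rule must be paired with a
# FORWARD accept for the same published port.
dnat_count() { nat_rules | grep -c -- '-j DNAT'; }
forward_accept_count() { nat_rules | grep -c -- 'FORWARD .* --ctstate NEW'; }
```

Run it without APPLY to see the commands it would issue; `APPLY=1 sh script.sh` as root applies them, after which `iptables -t nat -L -n -v` shows the counters moving.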

NETMAP target in NAT:

    It is implemented in the NAT table's PREROUTING chain. It is used to translate addresses one-to-one from one subnet to another subnet.
For e.g.:-
Consider we have one subnet and we need to translate every IP in this subnet to its equivalent in

# iptables -A PREROUTING -t nat -s -j NETMAP --to

    This will convert/rewrite all the packets coming from the subnet to
i.e. a request from the IP will be masked as
