Sachin’s Weblog

September 2, 2007

Linux Firewall – iptables and NAT

Filed under: IPtables, Linux, Linux Router, Security, firewall — sachin @ 8:33 am

In the previous post we covered iptables filtering: a simple firewall and the filtering rules that secure a Linux box. To understand iptables beyond plain blocking and filtering, this post looks at Network Address Translation (NAT).

NAT (Network Address Translation) comes in two flavours: SNAT and DNAT.

SNAT, Source NAT, alters the source address of the first packet of a connection: you change where the connection appears to come from (the kernel rewrites the rest of the connection, and the replies, from its connection-tracking table). Source NAT is always done after routing, in the POSTROUTING chain, just before the packet goes out onto the wire. Masquerading is a specialised form of SNAT for interfaces whose address is assigned dynamically.

DNAT, Destination NAT, alters the destination address of the first packet: you change where the connection is going to. Destination NAT is always done before routing, in the PREROUTING chain, when the packet first comes off the wire. Port forwarding, load sharing and transparent proxying are all forms of DNAT.

Let’s go straight to MASQUERADE, the most common form of SNAT. Scenario: you have a dial-up connection (ppp0) and share it with your private network, so all packets coming from the internal network should look as if they come from the dial-up box. Do the following:

  • Load the NAT module (the module is called iptable_nat, not iptables_nat; it pulls in connection tracking with it, and is a no-op if NAT is built into the kernel)
    modprobe iptable_nat
  • Masquerade everything that leaves through the dial-up interface
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
  • Turn on IP forwarding (preferably after the filtering rules below are in place, since from this moment the box routes)
    echo 1 > /proc/sys/net/ipv4/ip_forward

Now the same for a static IP connection, assuming the external card is eth0 with address 1.2.3.4 and the internal card is eth1. With a fixed address prefer SNAT over MASQUERADE: MASQUERADE looks the address up per packet and throws away all tracked connections when the interface goes down, which a static link does not need.

  • modprobe iptable_nat
  • iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
  • echo 1 > /proc/sys/net/ipv4/ip_forward

Once masquerading works you will want to lock it down: only the internal network may masquerade, and nobody on the Internet should be able to use your box as a relay. Note that the rules below live in the INPUT chain, which protects the router itself; packets that get masqueraded pass through the FORWARD chain instead, so apply the same three steps to FORWARD as well, and if you administer the box over the network add a rule for your management traffic before the policy goes to DROP. First, allow any existing connection, or anything related to one:

  • iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Then allow new connections only from the intranet (local/internal network), i.e. from any interface except the external one. Replace eth0 with ppp0 or whatever your external device is.

  • iptables -I INPUT -m state --state NEW ! -i eth0 -j ACCEPT

Now stay safe by default and deny everything else. This is a chain policy, so it takes a verdict directly, not -j:

  • iptables -P INPUT DROP

If either of the first two rules did not load (for example because the state match module is missing), this policy cuts off all traffic to the box itself, including your own session. Masqueraded traffic is not affected, since forwarded packets never traverse INPUT, which is exactly why FORWARD needs its own copy of the rules. To undo the policy run “iptables -P INPUT ACCEPT”.
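Putting the two procedures together, here is an added example (mine, not code from the post) that generates a complete iptables-restore ruleset for a masquerading router. The layout is hypothetical: the external interface, internal interface and internal subnet are arguments, and an optional fixed external address switches the POSTROUTING rule from MASQUERADE to SNAT. Unlike the one-liners above it restricts NAT to packets that actually originate from the LAN, and it repeats the state rules in FORWARD, the chain masqueraded packets really traverse.

```shell
#!/bin/sh
# Added example, not from the original post.
# gen_nat_rules EXT_IF INT_IF LAN_CIDR [EXT_IP]
#   Prints an iptables-restore ruleset for a NAT router.  With EXT_IP the
#   POSTROUTING rule uses SNAT (static address); without it, MASQUERADE.
#   Hypothetical values used below: eth0 eth1 192.168.1.0/24 1.2.3.4
gen_nat_rules() {
    ext_if=$1 int_if=$2 lan=$3 ext_ip=$4
    if [ -n "$ext_ip" ]; then
        nat_target="SNAT --to-source $ext_ip"
    else
        nat_target="MASQUERADE"
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite only packets that came from the LAN and leave on the external link;
# a packet arriving from the Internet can never match this rule.
-A POSTROUTING -s $lan -o $ext_if -j $nat_target
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The router itself: loopback, replies to its own connections, and new
# connections from anywhere except the external interface.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW ! -i $ext_if -j ACCEPT
# Forwarded traffic: replies in both directions, new connections only from
# the LAN towards the Internet.  Spoofed LAN addresses arriving on $ext_if
# fall through to the DROP policy.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int_if -o $ext_if -s $lan -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# apply_nat_rules EXT_IF INT_IF LAN_CIDR [EXT_IP]: load the ruleset atomically,
# then enable forwarding once the filter is in place (needs root).
apply_nat_rules() {
    modprobe iptable_nat 2>/dev/null || true   # no-op when NAT is built in
    gen_nat_rules "$@" | iptables-restore
    sysctl -w net.ipv4.ip_forward=1
}

# Run directly with arguments to print the ruleset for inspection:
#   sh nat-rules.sh eth0 eth1 192.168.1.0/24 1.2.3.4
if [ $# -ge 3 ]; then gen_nat_rules "$@"; fi
```

Generating the whole ruleset and loading it with iptables-restore replaces it in one step, so there is no window in which forwarding is on but the FORWARD policy is still ACCEPT, which is what the step-by-step commands above leave open between enabling ip_forward and setting the policy.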

Port mapping can also be done with SNAT. For example, to change source addresses to 1.2.3.4 and confine the source ports to 1-1023:

  • iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 1.2.3.4:1-1023

The option --to-source (--to is accepted as an unambiguous abbreviation) takes an IP address or a range of IP addresses, followed by an optional port or range of ports. Ports only make sense for TCP and UDP, so a rule that gives one must also carry -p tcp or -p udp.

DNAT, Destination NAT, is specified with -j DNAT, and the --to-destination option takes an IP address, a range of IP addresses, and an optional port or range of ports (TCP and UDP only). Keep in mind that DNAT only rewrites the address: the rewritten packet then passes through the FORWARD chain, which must accept it, so with the DROP policy from above a DNAT rule on its own forwards nothing.

  • Change the destination address of everything arriving on eth0 to 5.6.7.8 (this includes traffic meant for the router itself, so in practice narrow it with -p and --dport as in the last example)
    iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 5.6.7.8
  • Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10
    iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 5.6.7.8-5.6.7.10
  • Change the destination of web traffic to 5.6.7.8, port 8080 (a classic port forward)
    iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to-destination 5.6.7.8:8080
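The last rule above is the usual port forward, but on a router whose FORWARD policy is DROP it is only half the job: the packet leaves PREROUTING with its new destination and must then be accepted by FORWARD, matched on the rewritten address and port. This added example (mine, not from the post) emits both commands for a hypothetical forward of public TCP port 80 on eth0 to 5.6.7.8:8080, and refuses nonsense input (a non-numeric port, or a port on a protocol that has none) instead of emitting a rule that would rewrite far more than intended.

```shell
#!/bin/sh
# Added example, not from the original post.
# gen_port_forward EXT_IF PUB_PORT DST_IP DST_PORT [PROTO]
#   Prints the two iptables commands a port forward needs on a router whose
#   FORWARD policy is DROP: the DNAT rewrite and the matching FORWARD accept.
#   PROTO defaults to tcp.  Hypothetical values: eth0 80 5.6.7.8 8080

# True when $1 is an integer in 1..65535
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

gen_port_forward() {
    ext_if=$1 pub_port=$2 dst_ip=$3 dst_port=$4 proto=${5:-tcp}
    is_port "$pub_port" && is_port "$dst_port" || return 1
    case $proto in tcp|udp) ;; *) return 1 ;; esac   # --dport exists only for tcp/udp
    # nat/PREROUTING: rewrite only the advertised port, never "everything on $ext_if"
    echo "iptables -t nat -A PREROUTING -i $ext_if -p $proto --dport $pub_port -j DNAT --to-destination $dst_ip:$dst_port"
    # filter/FORWARD sees the packet *after* DNAT, so it must match the rewritten destination
    echo "iptables -A FORWARD -i $ext_if -p $proto -d $dst_ip --dport $dst_port -m state --state NEW -j ACCEPT"
}

# Print the commands; pipe into sh to apply them as root:
#   sh port-forward.sh eth0 80 5.6.7.8 8080 | sh
if [ $# -ge 4 ]; then gen_port_forward "$@"; fi
```

The FORWARD rule only admits the first packet of each connection; the replies from 5.6.7.8 are covered by the ESTABLISHED,RELATED rule of the base ruleset, and connection tracking undoes the address rewrite on them automatically.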

Transparent proxying is a specialised case of Destination NAT called redirection: it is a simple convenience that is exactly equivalent to DNAT to the primary address of the incoming interface.

  • iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128

This rule alone will not give you a transparent proxy: Squid must also be configured for transparent mode on port 3128, and the INPUT chain must accept connections from the internal interface on that port (the earlier "NEW from anything but the external interface" rule already does).

One more common use of DNAT deserves a short description:

  • Load sharing: if a range of IP addresses is given, the kernel picks one address from the range for each new connection (classically the one with the fewest connections it currently knows about). This gives primitive load-balancing only: there is no health check, so a host in the range that has died keeps receiving its share of new connections until the rule is changed.
