Professional Documents
Culture Documents
4 NAT HOWTO
Rusty Russell, mailing list netfilterlists.samba.org $Revision: 487 $ $Date: 2002-01-14 10:35:13
+0100 (Mon, 14 Jan 2002) $
This do ument des ribes how to do masquerading, transparent proxying, port forwarding, and other forms of
Contents
1 Introdu
tion 2
2 Where is the o
ial Web Site and List? 2
2.1 What is Network Address Translation? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.2 Why Would I Want To Do NAT? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1 Introdu
tion
Wel
ome, gentle reader.
You are about to delve into the fas
inating (and sometimes horrid) world of NAT: Network Address Trans-
lation, and this HOWTO is going to be your somewhat a
urate guide to the 2.4 Linux Kernel and beyond.
In Linux 2.4, an infrastru
ture for mangling pa
kets was introdu
ed,
alled `netlter'. A layer on top of this
provides NAT,
ompletely reimplemented from previous kernels.
(C) 2000 Paul `Rusty' Russell. Li
ensed under the GNU GPL.
Normally, pa
kets on a network travel from their sour
e (su
h as your home
omputer) to their destination
(su
h as www.gnumonks.org) through many dierent links: about 19 from where I am in Australia. None
of these links really alter your pa
ket: they just send it onward.
3. The Two Types of NAT 3
If one of these links were to do NAT, then they would alter the sour
e or destinations of the pa
ket as it
passes through. As you
an imagine, this is not how the system was designed to work, and hen
e NAT
is always something of a
ro
k. Usually the link doing NAT will remember how it mangled a pa
ket, and
when a reply pa
ket passes through the other way, it will do the reverse mangling on that reply pa
ket, so
everything works.
Multiple Servers
Sometimes you want to
hange where pa
kets heading into your network will go. Frequently this is
be
ause (as above), you have only one IP address, but you want people to be able to get into the boxes
behind the one with the `real' IP address. If you rewrite the destination of in
oming pa
kets, you
an
manage this. This type of NAT was
alled port-forwarding under previous versions of Linux.
A
ommon variation of this is load-sharing, where the mapping ranges over a set of ma
hines, fanning
pa
kets out to them. If you're doing this on a serious s
ale, you may want to look at
Linux Virtual Server http://linuxvirtualserver.org/ .
Transparent Proxying
Sometimes you want to pretend that ea
h pa
ket whi
h passes through your Linux box is destined for
a program on the Linux box itself. This is used to make transparent proxies: a proxy is a program
whi
h stands between your network and the outside world, shuing
ommuni
ation between the two.
The transparent part is be
ause your network won't even know it's talking to a proxy, unless of
ourse,
the proxy doesn't work.
Squid
an be
ongured to work this way, and it is
alled redire
tion or transparent proxying under
previous Linux versions.
Destination NAT is when you alter the destination address of the rst pa
ket: i.e. you are
hanging where
the
onne
tion is going to. Destination NAT is always done before routing, when the pa
ket rst
omes o
the wire. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.
• Setting the masquerading timeouts with ip
hains -M -S, or ipfwadm -M -s does nothing. Sin
e the
timeouts are longer for the new NAT infrastru
ture, this should not matter.
• The init_seq, delta and previous_delta elds in the verbose masquerade listing are always zero.
• Zeroing and listing the
ounters at the same time `-Z -L' does not work any more: the
ounters will
not be zeroed.
• The ba
kward
ompatibility layer doesn't s
ale very well for large numbers of
onne
tions: don't use
it for your
orporate gateway!
• You
an now bind to ports 61000-65095 even if you're masquerading. The masquerading
ode used to
assume anything in this range was fair game, so programs
ouldn't use it.
• The (undo
umented) `getso
kname' ha
k, whi
h transparent proxy programs
ould use to nd out the
real destinations of
onne
tions no longer works.
• The (undo
umented) bind-to-foreign-address ha
k is also not implemented; this was used to
omplete
the illusion of transparent proxying.
This is what most people want. If you have a dynami
ally allo
ated IP PPP dialup (if you don't know, this
is you), you simply want to tell your box that all pa
kets
oming from your internal network should be made
to look like they are
oming from the PPP dialup box.
# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all pa
kets going out ppp0 (-o ppp0) whi
h says to
5. Controlling What To NAT 5
# Turn on IP forwarding
e
ho 1 > /pro
/sys/net/ipv4/ip_forward
Note that you are not doing any pa
ket ltering here: for that, see the Pa
ket Filtering HOWTO: `Mixing
NAT and Pa
ket Filtering'.
This is a mu
h more ni
he user base, so I didn't worry about ba
kward
ompatibility as mu
h. You
an
simply use `iptables -t nat' to do port forwarding. So for example, in Linux 2.2 you might have done:
# Linux 2.2
# Forward TCP pa
kets going to port 8080 on 1.2.3.4 to 192.168.1.1's port 80
ipmasqadm portfw -a -P t
p -L 1.2.3.4 8080 -R 192.168.1.1 80
# Linux 2.4
# Append a rule before routing (-A PREROUTING) to the NAT table (-t nat) that
# TCP pa
kets (-p t
p) going to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080)
# have their destination mapped (-j DNAT) to 192.168.1.1, port 80
# (--to 192.168.1.1:80).
iptables -A PREROUTING -t nat -p t
p -d 1.2.3.4 --dport 8080 \
-j DNAT --to 192.168.1.1:80
_____ _____
/ \ / \
PREROUTING -->[Routing ℄----------------->POSTROUTING----->
\D-NAT/ [De
ision℄ \S-NAT/
| ^
| |
| |
| |
5. Controlling What To NAT 6
| |
| |
| |
--------> Lo
al Pro
ess ------
At ea
h of the points above, when a pa
ket passes we look up what
onne
tion it is asso
iated with. If it's a
new
onne
tion, we look up the
orresponding
hain in the NAT table to see what to do with it. The answer
it gives will apply to all future pa
kets on that
onne
tion.
iptables takes a number of standard options as listed below. All the double-dash options
an be abbreviated,
as long as iptables
an still tell them apart from the other possible options. If your kernel has iptables
support as a module, you'll need to load the ip_tables.o module rst: `insmod ip_tables'.
The most important option here is the table sele
tion option, `-t'. For all NAT operations, you will want to
use `-t nat' for the NAT table. The se
ond most important option to use is `-A' to append a new rule at the
end of the
hain (e.g. `-A POSTROUTING'), or `-I' to insert one at the beginning (e.g. `-I PREROUTING').
You
an spe
ify the sour
e (`-s' or `sour
e') and destination (`-d' or `destination') of the pa
kets you
want to NAT. These options
an be followed by a single IP address (e.g. 192.168.1.1), a name (e.g.
www.gnumonks.org), or a network address (e.g. 192.168.1.0/24 or 192.168.1.0/255.255.255.0).
You
an spe
ify the in
oming (`-i' or `in-interfa
e') or outgoing (`-o' or `out-interfa
e') interfa
e to mat
h,
but whi
h you
an spe
ify depends on whi
h
hain you are putting the rule into: at PREROUTING you
an
only sele
t in
oming interfa
e, and at POSTROUTING you
an only sele
t outgoing interfa
e. If you use
the wrong one, iptables will give an error.
I said above that you
an spe
ify a sour
e and destination address. If you omit the sour
e address option,
then any sour
e address will do. If you omit the destination address option, then any destination address
will do.
You
an also indi
ate a spe
i
proto
ol (`-p' or `proto
ol'), su
h as TCP or UDP; only pa
kets of this
proto
ol will mat
h the rule. The main reason for doing this is that spe
ifying a proto
ol of t
p or udp then
allows extra options: spe
i
ally the `sour
e-port' and `destination-port' options (abbreviated as `sport'
and `dport').
These options allow you to spe
ify that only pa
kets with a
ertain sour
e and destination port will mat
h
the rule. This is useful for redire
ting web requests (TCP port 80 or 8080) and leaving other pa
kets alone.
These options must follow the `-p' option (whi
h has a side-ee
t of loading the shared library extension for
that proto
ol). You
an use port numbers, or a name from the /et
/servi
es le.
All the dierent qualities you
an sele
t a pa
ket by are detailed in painful detail in the manual page (man
iptables).
6. Saying How To Mangle The Pa
kets 7
You want to do Sour
e NAT;
hange the sour
e address of
onne
tions to something dierent. This is done
in the POSTROUTING
hain, just before it is nally sent out; this is an important detail, sin
e it means
that anything else on the Linux box itself (routing, pa
ket ltering) will see the pa
ket un
hanged. It also
means that the `-o' (outgoing interfa
e) option
an be used.
Sour
e NAT is spe
ied using `-j SNAT', and the `to-sour
e' option spe
ies an IP address, a range of IP
addresses, and an optional port or range of ports (for UDP and TCP proto
ols only).
6.1.1 Masquerading
There is a spe
ialized
ase of Sour
e NAT
alled masquerading: it should only be used for dynami
ally-
assigned IP addresses, su
h as standard dialups (for stati
IP addresses, use SNAT above).
You don't need to put in the sour
e address expli
itly with masquerading: it will use the sour
e address of
the interfa
e the pa
ket is going out from. But more importantly, if the link goes down, the
onne
tions
(whi
h are now lost anyway) are forgotten, meaning fewer glit
hes when
onne
tion
omes ba
k up with a
new IP address.
This is done in the PREROUTING
hain, just as the pa
ket
omes in; this means that anything else on the
Linux box itself (routing, pa
ket ltering) will see the pa
ket going to its `real' destination. It also means
that the `-i' (in
oming interfa
e) option
an be used.
Destination NAT is spe
ied using `-j DNAT', and the `to-destination' option spe
ies an IP address, a
range of IP addresses, and an optional port or range of ports (for UDP and TCP proto
ols only).
There are some subtleties to NAT whi
h most people will never have to deal with. They are do
umented
here for the
urious.
1. A web onne tion is established by a box 192.1.1.1 from port 1024 to www.nets ape. om port 80.
2. This is masqueraded by the masquerading box to use its sour
e IP address (1.2.3.4).
6. Saying How To Mangle The Pa
kets 9
3. The masquerading box tries to make a web
onne
tion to www.nets
ape.
om port 80 from 1.2.3.4 (its
external interfa
e address) port 1024.
4. The NAT
ode will alter the sour
e port of the se
ond
onne
tion to 1025, so that the two don't
lash.
When this impli it sour e mapping o urs, ports are divided into three lasses:
The same logi
applies to addresses used by the NAT box itself: this is how masquerading works (by sharing
the interfa
e address between masqueraded pa
kets and `real' pa
kets
oming from the box itself).
Moreover, you
an map the same pa
kets onto many dierent targets, and they will be shared. For example,
if you don't want to map anything over 1.2.3.5, you
ould do:
8 Caveats on NAT
If you are doing NAT on a
onne
tion, all pa
kets passing both
ways (in and out of the network) must
pass through the NAT'ed box, otherwise it won't work reliably. In parti
ular, the
onne
tion tra
king
ode
reassembles fragments, whi
h means that not only will
onne
tion tra
king not be reliable, but your pa
kets
may not get through at all, as fragments will be withheld.
1. If you are doing SNAT onto the box's own address (for whi
h routing and everything already works),
you don't need to do anything.
2. If you are doing SNAT onto an unused address on the lo
al LAN (for example, you're mapping onto
1.2.3.99, a free IP on your 1.2.3.0/24 network), your NAT box will need to respond to ARP requests
for that address as well as its own: the easiest way to do this is
reate an IP alias, e.g.:
3. If you are doing SNAT onto a
ompletely dierent address, you will have to ensure that the ma
hines
the SNAT pa
kets will hit will route this address ba
k to the NAT box. This is already a
hieved if the
NAT box is their default gateway, otherwise you will need to advertise a route (if running a routing
proto
ol) or manually add routes to ea
h ma
hine involved.
The
lassi
ase is that internal sta try to a
ess your `publi
' web server, whi
h is a
tually DNAT'ed from
the publi
address (1.2.3.4) to an internal ma
hine (192.168.1.1), like so:
One way is to run an internal DNS server whi
h knows the real (internal) IP address of your publi
web site,
and forward all other requests to an external DNS server. This means that the logging on your web server
will show the internal IP addresses
orre
tly.
The other way is to have the NAT box also map the sour
e IP address to its own for these
onne
tions,
fooling the server into replying through it. In this example, we would do the following (assuming the internal
IP address of the NAT box is 192.168.1.250):
Be
ause the PREROUTING rule gets run rst, the pa
kets will already be destined for the internal web
server: we
an tell whi
h ones are internally sour
ed by the sour
e IP addresses.
11 Thanks
Thanks rst to Wat
hGuard, and David Bonn, who believed in the netlter idea enough to support me while
I worked on it.
And to everyone else who put up with my ranting as I learnt about the ugliness of NAT, espe
ially those
who read my diary.
Rusty.