

Network Address Translation (NAT)

Network address translation (NAT) is the process whereby a system will change the destination or source of packets as they pass through the system. A packet will traverse several linked systems on a network before it reaches its final destination. Normally, they will simply pass the packet on. However, if one of these systems performs a NAT on a packet, it can change the source or destination. A packet sent to a particular destination could have its destination address changed. To make this work, the system also needs to remember such changes so that the source and destination for any reply packets are altered back to the original addresses of the packet being replied to.

NAT is often used to provide access to systems that may be connected to the Internet through only one IP address. Such is the case with networking features such as IP masquerading, support for multiple servers, and transparent proxying. With IP masquerading, NAT operations will change the destination and source of a packet moving through a firewall/gateway linking the Internet to computers on a local network. The gateway has a single IP address that the other local computers can use through NAT operations. If you have multiple servers but only one IP address, you can use NAT operations to send packets to the alternate servers. You can also use NAT operations to have your IP address reference a particular server application such as a Web server (transparent proxy).

Adding NAT Rules

Packet selection rules for NAT operations are added to the NAT table managed by the iptables command. To add rules to the NAT table, you have to specify the NAT table with the -t option. Thus to add a rule to the NAT table, you would have to specify the NAT table with the -t nat option as shown here:

iptables -t nat

With the -L option, you can list the rules you have added to the NAT table:

iptables -t nat -L -n

Adding the -n option will list IP addresses and ports in numeric form. This will speed up the listing as iptables will not attempt to do a DNS lookup to determine the hostname for the IP address.

Nat Targets and Chains

There are two types of NAT operation: source NAT, specified with the SNAT target, and destination NAT, specified with the DNAT target. SNAT is used in rules that alter source addresses, and DNAT in rules that alter destination addresses.

Three chains in the NAT table are used by the kernel for NAT operations: PREROUTING, POSTROUTING, and OUTPUT. PREROUTING is used for destination NAT (DNAT) rules, applied to packets as they arrive. POSTROUTING is used for source NAT (SNAT) rules, applied to packets as they leave. OUTPUT is used for destination NAT rules on locally generated packets.

As with packet filtering, you can specify source (-s) and destination (-d) addresses, as well as the input (-i) and output (-o) devices. The -j option will specify a target such as MASQUERADE. You would implement IP masquerading by adding a MASQUERADE rule to the POSTROUTING chain:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

To change the source address of a packet leaving your system, you would use the POSTROUTING rule with the SNAT target. For the SNAT target, you use the --to-source option to specify the source address:

# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.4

To change the destination address of packets arriving on your system, you would use the PREROUTING rule with the DNAT target and the --to-destination option:

# iptables -t nat -A PREROUTING -i eth0 \
             -j DNAT --to-destination 192.168.0.3

Specifying a port lets you change destinations for packets arriving on a particular port. In effect, this lets you implement port forwarding. In the next example, every packet arriving on port 80 (the Web service port) is redirected to 10.0.0.3, which in this case would be a system running a Web server.

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
             -j DNAT --to-destination 10.0.0.3
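The masquerading and port-forwarding rules above only rewrite addresses; the gateway also has to forward packets and let them through the filter table. The following script is an added example, not from the book, that puts the pieces together. Interface names and addresses are assumptions (WAN eth0, LAN eth1, LAN network 10.0.0.0/24, internal web server 10.0.0.3), and setting RUN=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the book): a minimal NAT gateway that masquerades
# a LAN behind one public address and forwards inbound web traffic to an
# internal server. Names and addresses are assumptions: WAN interface eth0,
# LAN interface eth1, LAN network 10.0.0.0/24, internal web server 10.0.0.3.
# Set RUN=echo to print the commands instead of executing them; applying
# them for real requires root.
RUN="${RUN:-}"

setup_nat_gateway() {
    wan="$1" lan="$2" lan_net="$3" web="$4"

    # Without forwarding the kernel drops transit packets before NAT matters.
    $RUN sysctl -w net.ipv4.ip_forward=1

    # The book's POSTROUTING masquerade rule, restricted to the LAN's own addresses.
    $RUN iptables -t nat -A POSTROUTING -o "$wan" -s "$lan_net" -j MASQUERADE

    # Port forwarding: only TCP port 80 arriving on the WAN is rewritten, so the
    # match needs -p tcp before --dport; an unrestricted DNAT would send every
    # inbound packet to the web server.
    $RUN iptables -t nat -A PREROUTING -i "$wan" -p tcp --dport 80 \
        -j DNAT --to-destination "$web":80

    # The NAT table only rewrites addresses; the filter table's FORWARD chain
    # still decides whether the rewritten packet is allowed through.
    $RUN iptables -A FORWARD -i "$wan" -o "$lan" -d "$web" -p tcp --dport 80 -j ACCEPT
    $RUN iptables -A FORWARD -i "$lan" -o "$wan" -s "$lan_net" -j ACCEPT
    $RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -P FORWARD DROP
}

# Print the rules that would be applied, in the same order, without applying them.
show_nat_gateway() {
    (RUN=echo; setup_nat_gateway "$@")
}
```

After applying the rules, `iptables -t nat -L -n` should show exactly one MASQUERADE rule in POSTROUTING and one DNAT rule in PREROUTING carrying the tcp dpt:80 restriction.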

With the TOS and MARK targets, you can mangle the packet to control its routing or priority. The TOS target sets the Type of Service field of a packet, selecting a priority class such as Normal-Service, Minimize-Cost, or Maximize-Throughput, among others.

The targets valid only for the NAT table are shown here:

SNAT: Modify the source address; the --to-source option specifies the new source address.

DNAT: Modify the destination address; the --to-destination option specifies the new destination address.

REDIRECT: Redirect a packet to a port on the local system.

MASQUERADE: IP masquerading.

MIRROR: Reverse source and destination and send the packet back to the sender.

MARK: Modify the Mark field to control message routing.

Nat Redirection: Transparent Proxies

The NAT table can be used to implement any kind of packet redirection, a process transparent to the user. Redirection is commonly used to implement a transparent proxy, and is carried out with the REDIRECT target. With a transparent proxy, received packets are automatically redirected to a proxy server. For example, packets arriving on the Web service port, 80, can be redirected to the Squid proxy service port, usually 3128. This involves a command that redirects the packet using the REDIRECT target on the PREROUTING chain:

# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-ports 3128
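The following script is an added example, not from the book, that scopes the transparent-proxy redirect so that it applies only to LAN clients and so that the proxy port is reachable only from the LAN. The LAN interface eth1, the LAN network 10.0.0.0/24 and Squid listening on port 3128 on this gateway are assumptions; RUN=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the book): redirect LAN web traffic into a local
# Squid on port 3128, scoped so the proxy is neither looped nor exposed.
# Assumed values: LAN interface eth1, LAN network 10.0.0.0/24, Squid on this
# gateway. Set RUN=echo to print the commands instead of running them.
RUN="${RUN:-}"

setup_transparent_proxy() {
    lan="$1" lan_net="$2" proxy_port="$3"

    # REDIRECT rewrites the destination to the address of the interface the
    # packet arrived on, so the rule names the LAN interface; matching on
    # --dport requires -p tcp. Traffic destined for the LAN itself is left
    # alone so internal web servers are reached directly, and no OUTPUT-chain
    # rule is added, which would loop the proxy's own outbound port-80 requests.
    $RUN iptables -t nat -A PREROUTING -i "$lan" -s "$lan_net" ! -d "$lan_net" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$proxy_port"

    # Redirected packets are now addressed to this host, so the filter table's
    # INPUT chain must accept them on the proxy port, but only from the LAN:
    # the proxy port stays closed on every other interface.
    $RUN iptables -A INPUT -i "$lan" -s "$lan_net" -p tcp --dport "$proxy_port" -j ACCEPT
    $RUN iptables -A INPUT -p tcp --dport "$proxy_port" -j DROP
}

# Print the rules that would be applied, without applying them; the same
# restrictions should be visible afterwards in "iptables -t nat -L -n".
show_transparent_proxy() {
    (RUN=echo; setup_transparent_proxy "$@")
}
```

Squid itself must be configured to accept intercepted connections on that port, which is a Squid setting rather than an iptables one.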

Packet Mangling: the Mangle Table

The packet mangling table is used to actually modify packet information. Rules applied specifically to this table are often designed to control the routine behavior of packets, such as routing, connection size, and priority. Rules that actually modify a packet, rather than simply redirecting or stopping it, can be used only in the mangle table. For example, the TOS target can be used directly in the mangle table to change the Type of Service field and so modify a packet's priority. A TCPMSS target can be set to control the maximum segment size (MSS) of a TCP connection. The ECN target lets you work around ECN blackholes, and the DSCP target lets you change the DSCP bits. Several extensions, such as the ROUTE extension, change the packet itself, in this case by rewriting its destination rather than just redirecting it.

The mangle table is indicated with the -t mangle option. Use the following command to see what chains are listed in your mangle table:

iptables -t mangle -L

Several mangle table targets are shown here:

TOS: Modify the Type of Service field to manage the priority of the packet.

TCPMSS: Modify the maximum segment size (MSS) of a TCP connection, that is, the largest packet the connection will carry.

ECN: Work around ECN blackholes by clearing the ECN bits.

DSCP: Change the DSCP bits.

ROUTE: Extension target that rewrites the destination information in the packet.

Note 

The iptables package is designed to be extensible, allowing customized targets to be added easily. This involves applying patches to the kernel and rebuilding it. See www.netfilter.org for more details, along with a listing of extended targets.


