NAT configuration for iptables

The three chains provided by the nat table:

  1. PREROUTING: rules for destination NAT are defined here. The router only looks at the destination IP address of a packet when routing, so to route the packet correctly the destination NAT must be performed before routing.
  2. POSTROUTING: rules for source NAT are defined here. The system applies the rules in this chain after the routing decision for the packet has been made.
  3. OUTPUT: destination NAT rules for locally generated packets are defined here.

Several target options that are used (they are written in uppercase in real rules):

 REDIRECT   Redirects packets to a port on another host; usually used to implement a transparent proxy or to expose certain intranet services to the outside world.
 SNAT       Source address translation: changes the source address of a packet.
 DNAT       Destination address translation: changes the destination address of a packet.
 MASQUERADE IP masquerading; only for connections with a dynamically assigned address, such as ADSL dial-up. If the host's IP is statically assigned, use SNAT instead.

 PREROUTING: DNAT, REDIRECT (before routing). Only -i is supported, not -o: the destination address is modified before the routing decision is made.

 POSTROUTING: SNAT, MASQUERADE (after routing). Only -o is supported, not -i: the source address is modified after the routing decision is made.

 OUTPUT: DNAT, REDIRECT (local). DNAT and REDIRECT rules here process outbound packets generated by the NAT host itself.

First, enable the kernel's routing (IP forwarding) function.

   To implement NAT, set the value in the file /proc/sys/net/ipv4/ip_forward to 1 (the default is 0).


Second, the configuration of the different NAT targets

 1) MASQUERADE: IP masquerading used when the address is assigned dynamically. Add a rule to the POSTROUTING chain of the nat table: all packets leaving through the ppp0 interface are masqueraded (MASQUERADE).

 iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

   To set up NAT automatically when the system starts, add the following at the end of /etc/rc.d/rc.local (the leading "#" in the original was the root shell prompt, not part of the command; a line beginning with "#" in rc.local is a comment and would never run):

   echo 1 > /proc/sys/net/ipv4/ip_forward
   /sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

 2) SNAT: generally used for ordinary shared Internet access.

 The source address of all packets from 192.168.1.0/24 leaving through eth0 (external network card) is changed to 61.99.28.1 (a source network segment is specified here; generally it is not necessary to specify one).

 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to 61.99.28.1


 3) DNAT: destination NAT; used, for example, for "smart DNS".

 Smart DNS: no matter which IP the client enters as its DNS server, the query is directed to the DNS IP specified by the server.

 Before routing, all packets with destination port 53 entering from eth0 (internal network card) are sent to the server 1.2.3.4 for resolution.

 iptables -t nat -I PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 1.2.3.4:53
 iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 53 -j DNAT --to-destination 1.2.3.4:53


 4) REDIRECT: redirection; required for a squid transparent proxy.

 All incoming TCP requests from eth1 to ports 80 and 82 are redirected to local port 80, where squid handles them.

 iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport --dports 80,82 -j REDIRECT --to-ports 80
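The four targets above, together with the chain restrictions from the top of the page (no -o in PREROUTING, no -i in POSTROUTING), as one reviewable script. This is an added example, not code from the original post: the interface names, network, addresses and DNS server are placeholders, sysctl is used in place of writing to /proc directly, and DRY_RUN (on by default) prints the iptables commands instead of running them so the rule set can be checked without root or a live netfilter.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the NAT rule set
# described above. Interface names, networks and addresses are placeholders.
# With DRY_RUN=1 (the default) commands are printed, not executed.

DRY_RUN="${DRY_RUN:-1}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# run CMD ARGS... : execute the command, or just print it under DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# nat_rule CHAIN ARGS... : append a rule to the nat table, first enforcing the
# restriction from the text: PREROUTING runs before routing, so there is no
# outgoing interface yet (-o is invalid); POSTROUTING runs after routing,
# where the incoming interface is no longer matched (-i is invalid).
nat_rule() {
    chain="$1"; shift
    for arg in "$@"; do
        case "$chain:$arg" in
            PREROUTING:-o|PREROUTING:--out-interface)
                echo "error: -o is not allowed in PREROUTING" >&2; return 1 ;;
            POSTROUTING:-i|POSTROUTING:--in-interface)
                echo "error: -i is not allowed in POSTROUTING" >&2; return 1 ;;
        esac
    done
    run "$IPTABLES" -t nat -A "$chain" "$@"
}

# setup_nat_gateway LAN_IF WAN_IF LAN_NET [WAN_IP]
# Enables forwarding, then chooses the source-NAT target by address type:
# SNAT when a static WAN_IP is given, MASQUERADE when the address is dynamic.
setup_nat_gateway() {
    lan_if="$1"; wan_if="$2"; lan_net="$3"; wan_ip="$4"
    run sysctl -w net.ipv4.ip_forward=1
    if [ -n "$wan_ip" ]; then
        nat_rule POSTROUTING -s "$lan_net" -o "$wan_if" -j SNAT --to-source "$wan_ip"
    else
        nat_rule POSTROUTING -s "$lan_net" -o "$wan_if" -j MASQUERADE
    fi
}

# setup_dns_dnat LAN_IF DNS_IP : "smart DNS" - every port-53 query arriving on
# the LAN interface is sent to DNS_IP, whatever resolver the client configured.
setup_dns_dnat() {
    lan_if="$1"; dns_ip="$2"
    for proto in udp tcp; do
        nat_rule PREROUTING -i "$lan_if" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$dns_ip:53"
    done
}

# setup_transparent_proxy LAN_IF PROXY_PORT : web requests arriving on the LAN
# interface are redirected to the local proxy (squid) port on this host.
setup_transparent_proxy() {
    lan_if="$1"; proxy_port="$2"
    nat_rule PREROUTING -i "$lan_if" -p tcp -m multiport --dports 80,82 \
        -j REDIRECT --to-ports "$proxy_port"
}

# Example run with placeholder values (dynamic WAN address on ppp0).
setup_nat_gateway eth1 ppp0 192.168.1.0/24
setup_dns_dnat eth1 1.2.3.4
setup_transparent_proxy eth1 3128
```

Run it as-is to review the generated commands; run it as root with DRY_RUN=0 to apply them. Because the script appends (-A) rather than inserts, running it twice adds duplicate rules, so flush the nat table (iptables -t nat -F) or check iptables -t nat -L -n before re-applying.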
