1. What is NAT
NAT (Network Address Translation) rewrites the addresses in packets. When an ordinary router forwards a packet it only replaces the source MAC address with its own; NAT goes further and can modify the packet's source IP address, destination IP address, source port and destination port.
2. What NAT is used for
The most common use of NAT is to let many hosts on a private network share a single public address to reach the Internet, by rewriting the source IP address of their packets. NAT is also commonly used for port forwarding and traffic redirection, such as port mapping, cross-network access, traffic proxying and similar functions.
3. Implementing NAT forwarding with iptables
1. Syntax and parameters
iptables [-t TABLE] COMMAND CHAIN [num] MATCH_CONDITIONS -j TARGET
To use the NAT function of iptables, IP forwarding must first be enabled:
echo 1 > /proc/sys/net/ipv4/ip_forward
To make this permanent, edit /etc/sysctl.conf, set net.ipv4.ip_forward = 1, and then run sysctl -p so the configuration file takes effect.
The -t nat parameter selects the nat table; without it, iptables operates on the default filter table.
Like the filter table, the nat table has three built-in chains:
POSTROUTING: source address translation rules; rewrites the source IP address of packets leaving the host.
PREROUTING: destination address translation rules; can redirect traffic arriving from outside to another host.
OUTPUT: destination address translation rules for packets generated on the local host.
When doing NAT with iptables, the targets used are mainly SNAT, DNAT and REDIRECT:
SNAT: source address translation
DNAT: destination address translation
REDIRECT: port redirection (to the local host)
(1) Rule operations
-A CHAIN: append a rule at the end of the chain
-D CHAIN [num]: delete rule number num from the chain
-I CHAIN [num]: insert a rule at position num in the chain
-R CHAIN [num]: replace the rule at position num in the chain
(2) Source / destination IP address
-s (--source): source address
-d (--destination): destination address
(3) Network interface
-i: inbound interface. In the PREROUTING chain only -i may be used, naming the interface the packet arrived on.
-o: outbound interface. In the POSTROUTING and OUTPUT chains only -o may be used, naming the interface the packet leaves through.
(4) Targets
ACCEPT: accept the packet
DROP: silently discard the packet
REJECT: reject the packet (an error reply is sent back)
MASQUERADE: masquerade (SNAT to the current address of the outgoing interface)
LOG: log the packet
MARK: set a mark on the packet
4. Source / destination forwarding examples
1. Source NAT (SNAT)
Rewrite the source IP address of all packets from 192.168.1.0/24 to 123.4.5.100:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to 123.4.5.100
2. Destination NAT (DNAT)
Rewrite the destination IP address of all packets from 192.168.1.0/24 to 123.4.5.100:
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -i eth1 -j DNAT --to 123.4.5.100
3. IP mapping example
Suppose the following situation: departments A and B on the internal network each need to publish information on their own Web server. We can bind several valid public IP addresses to the external interface of the firewall, forward the packets sent to each public IP to the corresponding internal Web server through IP mapping, and disguise the internal Web server's reply packets as coming from that public IP.
Before doing NAT, bind the public IPs assigned to departments A and B to the firewall's external interface (eth0:0 and eth0:1 are interface aliases; on systems without ifconfig, use ip addr add 123.4.5.100/24 dev eth0):
ifconfig eth0:0 123.4.5.100 netmask 255.255.255.0
ifconfig eth0:1 123.4.5.200 netmask 255.255.255.0
Apply destination NAT (DNAT) to all packets received by the firewall whose destination IP is 123.4.5.100 or 123.4.5.200 (the rules must go in the nat table, so -t nat is required):
iptables -t nat -A PREROUTING -i eth0 -d 123.4.5.100 -j DNAT --to 192.168.1.100
iptables -t nat -A PREROUTING -i eth0 -d 123.4.5.200 -j DNAT --to 192.168.1.200
Next, apply source NAT (SNAT) to packets the firewall receives whose source IP is 192.168.1.100 or 192.168.1.200:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.100 -j SNAT --to 123.4.5.100
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.200 -j SNAT --to 123.4.5.200
Thus all packets destined for 123.4.5.100 and 123.4.5.200 are forwarded to 192.168.1.100 and 192.168.1.200 respectively, and all packets from 192.168.1.100 and 192.168.1.200 are disguised as 123.4.5.100 and 123.4.5.200 respectively; this achieves IP mapping.
The general form for mapping an internal network service to a public port is:
iptables -t nat -A PREROUTING -d <public IP> -p tcp --dport <public port> -j DNAT --to-destination <internal IP>:<internal port>
iptables -t nat -A POSTROUTING -d <internal IP> -p tcp --dport <internal port> -j SNAT --to-source <gateway external IP>
Example: mapping an internal SSH service to the external network. The iptables rules are configured as follows:
iptables -t nat -A PREROUTING -d 123.4.5.100 -p tcp --dport 2222 -j DNAT --to-destination 10.0.0.20:22
iptables -t nat -A POSTROUTING -d 10.0.0.20 -p tcp --dport 22 -j SNAT --to-source 123.4.5.100
Packets sent to 123.4.5.100:2222 on the public network are forwarded to 10.0.0.20:22 on the internal network.
5. Port forwarding examples
1. Local port forwarding
Redirect data sent to port 80 of this host to port 8080:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
2. Remote port forwarding
Forward packets addressed to 123.4.5.100:8080 to 123.4.5.200:80:
iptables -t nat -A PREROUTING -d 123.4.5.100 -p tcp --dport 8080 -j DNAT --to-destination 123.4.5.200:80
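The rules in sections 4 and 5 are easier to reason about when the chain traversal is spelled out. The script below is an added example, not code from the original post: it parses the post's own iptables command lines into match conditions plus a target, and applies them to constructed sample packets in the order netfilter uses for forwarded traffic (PREROUTING on entry, POSTROUTING on exit). The packet fields, the interface names eth0/eth1 and the 127.0.0.1 stand-in for "this host" in REDIRECT are assumptions of the model. Two things the model makes visible: only the first matching rule in a chain fires, and the POSTROUTING SNAT in the SSH mapping makes the internal server see the firewall's public address as the client, which is what keeps its replies flowing back through the firewall even when the server's default route does not point there. The reverse translation of an established connection is done by connection tracking on the real system, which this model does not include.

```python
"""Added example (not code from the original post): a small model of the
iptables nat table, used to trace how this post's SNAT, DNAT and REDIRECT
rules rewrite packets. Packets and interface names are constructed samples."""
import ipaddress
import shlex

# Options that take one argument and act as match conditions.
MATCH_OPTS = {"-s", "-d", "-i", "-o", "-p", "--dport", "--sport"}
# Target arguments; iptables accepts the unambiguous prefix "--to" as well.
TO_OPTS = {"--to", "--to-destination", "--to-source", "--to-ports"}
# Assumed address of "this host" that REDIRECT rewrites the destination to.
LOCAL_ADDR = "127.0.0.1"


def parse_rule(cmd):
    """Turn `iptables -t nat -A CHAIN <matches> -j TARGET <to>` into a dict."""
    argv = shlex.split(cmd)
    rule = {"chain": None, "matches": {}, "target": None, "to": None}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-A", "-I"):
            rule["chain"] = argv[i + 1]
        elif tok in MATCH_OPTS:
            rule["matches"][tok] = argv[i + 1]
        elif tok == "-j":
            rule["target"] = argv[i + 1]
        elif tok in TO_OPTS:
            rule["to"] = argv[i + 1]
        else:
            i += 1          # "iptables", "-t", "nat", ... carry no argument here
            continue
        i += 2
    return rule


def in_net(addr, net):
    """True if addr lies in net; a bare address is treated as a /32."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule, pkt):
    """All match conditions of a rule must hold (iptables ANDs them)."""
    m = rule["matches"]
    checks = (
        "-s" not in m or in_net(pkt["src"], m["-s"]),
        "-d" not in m or in_net(pkt["dst"], m["-d"]),
        "-i" not in m or pkt.get("in_if") == m["-i"],
        "-o" not in m or pkt.get("out_if") == m["-o"],
        "-p" not in m or pkt["proto"] == m["-p"],
        "--dport" not in m or pkt["dport"] == int(m["--dport"]),
        "--sport" not in m or pkt["sport"] == int(m["--sport"]),
    )
    return all(checks)


def split_host_port(spec):
    """'10.0.0.20:22' -> ('10.0.0.20', 22); '123.4.5.100' -> ('123.4.5.100', None)."""
    host, sep, port = spec.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return spec, None


def apply_target(rule, pkt):
    """Return a rewritten copy of pkt according to the rule's NAT target."""
    new = dict(pkt)
    if rule["target"] == "DNAT":
        new["dst"], port = split_host_port(rule["to"])
        new["dport"] = pkt["dport"] if port is None else port
    elif rule["target"] == "SNAT":
        new["src"], port = split_host_port(rule["to"])
        new["sport"] = pkt["sport"] if port is None else port
    elif rule["target"] == "REDIRECT":
        # REDIRECT is a DNAT to the host itself that changes only the port.
        new["dst"], new["dport"] = LOCAL_ADDR, int(rule["to"])
    return new


def run_chain(rules, chain, pkt):
    """First matching rule in the chain wins: NAT targets are terminating."""
    for rule in rules:
        if rule["chain"] == chain and rule_matches(rule, pkt):
            return apply_target(rule, pkt), rule
    return pkt, None


def forward(rules, pkt, out_if):
    """A forwarded packet sees PREROUTING on entry and POSTROUTING on exit."""
    after_pre = dict(run_chain(rules, "PREROUTING", pkt)[0])
    after_pre["out_if"] = out_if
    return run_chain(rules, "POSTROUTING", after_pre)[0]


# The post's SSH mapping (PREROUTING DNAT + POSTROUTING SNAT), parsed as written.
SSH_RULES = [parse_rule(c) for c in (
    "iptables -t nat -A PREROUTING -d 123.4.5.100 -p tcp --dport 2222 -j DNAT --to-destination 10.0.0.20:22",
    "iptables -t nat -A POSTROUTING -d 10.0.0.20 -p tcp --dport 22 -j SNAT --to-source 123.4.5.100",
)]

if __name__ == "__main__":
    # Constructed client packet arriving on the public interface eth0.
    pkt = {"src": "203.0.113.9", "sport": 40000, "dst": "123.4.5.100",
           "dport": 2222, "proto": "tcp", "in_if": "eth0"}
    out = forward(SSH_RULES, pkt, out_if="eth1")
    print(f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}  becomes  "
          f"{out['src']}:{out['sport']} -> {out['dst']}:{out['dport']}")
```

Swap in the IP-mapping or REDIRECT rules from the post for SSH_RULES to trace those cases; a packet that matches no rule in a chain leaves the chain unchanged, which is how the model shows that a DNAT rule scoped to one port does not touch traffic to other ports on the same public address.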