Difference between revisions of "NAT Linux"
Revision as of 11:13, 7 March 2009
Linux IP Tables
IP Tables is used for packet filtering and NAT/PAT translation on several Linux distributions, including
- Ubuntu
- Red Hat
- CentOS
Basic NAT example using IP Tables
IPTABLES can be configured in two different ways when you boot your machine. The examples assume you have two network interface cards: eth0 connected to the internal (private) network and eth1 connected to the external network (the Internet).
- Using a startup script. Example below.
- Using the IPTABLES save and restore facility. Example below.
Using a startup script to configure IPTABLES
When you have a fixed address on the external Interface
When you know your address on the external interface (not using DHCP), you should use source NAT (SNAT), which is slightly more efficient than masquerading.
Add the following lines to /etc/rc.local
# Enable IP forwarding between interfaces (routing)
echo "1" > /proc/sys/net/ipv4/ip_forward
# Use iptables source NAT (SNAT) to translate internal 192.168.1.0/24 IP addresses to the external IP address 83.90.47.30
# Allow the internal hosts to connect to any IP address on the outside (0.0.0.0/0)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0.0.0.0/0 -j SNAT --to 83.90.47.30
Use the command iptables -L -t nat to see the rule in the IPTABLES chains.
[root@bkshost etc]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.1.0/24       anywhere             to:83.90.47.30

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
When you have a floating address on the external Interface
When you don't know your external IP address because you fetch it from a DHCP server, you can use masquerading.
Add the following lines to /etc/rc.local
# Enable IP forwarding between interfaces (routing)
echo "1" > /proc/sys/net/ipv4/ip_forward
# Use iptables masquerading (a form of source NAT) to translate internal 192.168.1.0/24 IP addresses to whatever IP address the external interface currently has
# Allow the internal hosts to connect to any IP address on the outside (0.0.0.0/0)
# -o eth1 limits the rule to packets leaving the external interface, which is eth1 in this page's setup
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0.0.0.0/0 -o eth1 -j MASQUERADE
Use the command iptables -L -t nat to see the rule in the IPTABLES chains.
[root@bkshost etc]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.0/24       anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OLD
Add the following lines to /etc/rc.local to configure Routing at boot.
Using IPTABLES-SAVE/RESTORE to configure IPTABLES
Enable IP Forwarding (Routing) between interfaces
Before you can route packets from the inside network interface to the outside network interface, you need to enable IP forwarding.
Enabling forwarding until next boot
To enable IP forwarding you need to toggle a switch in the kernel; you can do that with the following command. But remember: the next time you boot the machine, it will be switched off again.
echo "1" > /proc/sys/net/ipv4/ip_forward
Enable IP forwarding permanently
To enable IP forwarding permanently, you either need to issue the command above from a boot script (/etc/rc.local or similar)
or
change the file /etc/sysctl.conf to include the following line. Perhaps you only need to uncomment a line (remove the # from the beginning of the line).
net.ipv4.ip_forward=1
Note that a change to /etc/sysctl.conf only takes effect after a reboot.
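The two ways of enabling forwarding above (runtime switch and persistent sysctl.conf line) are easy to get subtly wrong: the line in /etc/sysctl.conf may still be commented out, or may be present but set to 0. The script below is an added example, not code from the wiki page; it checks the runtime state, checks whether the persistent setting is really active in an uncommented line, and fixes the file in place. The paths default to the ones the page names, but IP_FORWARD_PROC and SYSCTL_CONF can be overridden so the logic can be exercised against constructed sample files without root.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify and persist IP forwarding.
# Defaults are the paths the page uses; overridable for testing.
IP_FORWARD_PROC="${IP_FORWARD_PROC:-/proc/sys/net/ipv4/ip_forward}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# Prints "1" if forwarding is on right now, "0" otherwise
# (an unreadable proc file is reported as off).
forwarding_runtime_state() {
    if [ -r "$IP_FORWARD_PROC" ]; then
        cat "$IP_FORWARD_PROC"
    else
        echo 0
    fi
}

# Turns forwarding on until the next boot (needs root).
enable_forwarding_now() {
    echo 1 > "$IP_FORWARD_PROC"
}

# Returns 0 if the file has an UNCOMMENTED net.ipv4.ip_forward=1 line,
# 1 otherwise. Tolerates "key = value" spacing; a leading '#' does not count.
sysctl_forwarding_persistent() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -E '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$conf" >/dev/null
}

# Makes the setting persistent: uncomments/corrects an existing
# net.ipv4.ip_forward line, or appends one. Other lines are left untouched.
persist_forwarding() {
    conf="$1"
    if sysctl_forwarding_persistent "$conf"; then
        return 0
    fi
    tmp="$conf.tmp.$$"
    if grep -E '^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$conf" >/dev/null 2>&1; then
        # Rewrite the existing (commented or wrong-valued) line.
        sed -E 's/^[[:space:]]*#?[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*$/net.ipv4.ip_forward=1/' "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp" 2>/dev/null || :
        echo 'net.ipv4.ip_forward=1' >> "$tmp"
    fi
    mv "$tmp" "$conf"
}

# Usage: FORWARD_ACTION=apply sh this_script.sh  (as root) enables forwarding
# now and persists it; with no FORWARD_ACTION the script only defines functions.
if [ "${FORWARD_ACTION:-}" = "apply" ]; then
    enable_forwarding_now
    persist_forwarding "$SYSCTL_CONF"
    echo "runtime: $(forwarding_runtime_state), persistent: $(sysctl_forwarding_persistent "$SYSCTL_CONF" && echo yes || echo no)"
fi
```

Because the page says the sysctl.conf change is only effective after a reboot, a practitioner checks both states: the runtime value tells you whether packets are being forwarded now, the file tells you whether they still will be after the next boot.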
Basic NAT example using IP Tables
In the example below the internal network 192.168.1.0/24 is source NATed (SNAT) to the external IP address 83.90.47.30. SNAT also translates ports, so the example uses NAT/PAT and would be sufficient as a NAT/PAT solution for a private network.
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0.0.0.0/0 -j SNAT --to 83.90.47.30
Use the command iptables -L -t nat to see the rule in the IPTABLES chains.
[root@bkshost etc]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.1.0/24       anywhere             to:83.90.47.30

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
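The SNAT and MASQUERADE rules shown in the startup-script section and again in this example are the whole of the page's NAT configuration; they translate addresses but say nothing about which forwarded packets the router should accept. The script below is an added example, not the wiki page's own code, and goes a step beyond it: it produces the POSTROUTING rule for either case (static address with SNAT, DHCP address with MASQUERADE), always restricts the rule to the external interface with -o, and adds FORWARD-chain rules so that only connections initiated from the inside (and their replies) are forwarded. Interface names and addresses are the page's assumptions (eth0 inside, eth1 outside, 192.168.1.0/24, 83.90.47.30); the --to-source and conntrack options are standard iptables. Nothing is executed unless APPLY=1, so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the wiki page): generate, and optionally apply,
# a NAT router rule set for the page's two-NIC setup.
INT_IF="${INT_IF:-eth0}"              # internal (private) interface, per the page
EXT_IF="${EXT_IF:-eth1}"              # external (Internet) interface, per the page
INT_NET="${INT_NET:-192.168.1.0/24}"  # internal network, per the page

# Prints the POSTROUTING rule. $1 is "static" (external address in $2)
# or "dhcp". -o "$EXT_IF" keeps the translation off the internal interface.
nat_rule() {
    case "$1" in
        static)
            [ -n "$2" ] || { echo "nat_rule: static mode needs an address" >&2; return 1; }
            echo "iptables -t nat -A POSTROUTING -s $INT_NET -o $EXT_IF -j SNAT --to-source $2"
            ;;
        dhcp)
            echo "iptables -t nat -A POSTROUTING -s $INT_NET -o $EXT_IF -j MASQUERADE"
            ;;
        *)
            echo "nat_rule: mode must be static or dhcp" >&2
            return 1
            ;;
    esac
}

# FORWARD-chain policy the page's examples leave at the default ACCEPT:
# inside -> outside allowed, outside -> inside only for replies to
# connections the inside opened, everything else dropped.
forward_rules() {
cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Full boot sequence: forwarding on, filtering, then NAT. Prints the commands
# and runs them (as root) only when APPLY=1. Fails before printing anything
# if the mode/address combination is invalid.
nat_setup() {
    nat=$(nat_rule "$1" "$2") || return 1
    rules=$(printf '%s\n' 'echo 1 > /proc/sys/net/ipv4/ip_forward'; forward_rules; printf '%s\n' "$nat")
    printf '%s\n' "$rules"
    if [ "${APPLY:-0}" = "1" ]; then
        printf '%s\n' "$rules" | sh -e
    fi
}

# Usage: NAT_MODE=static NAT_ADDR=83.90.47.30 sh this_script.sh   (print only)
#        APPLY=1 NAT_MODE=dhcp sh this_script.sh                  (apply, as root)
if [ -n "${NAT_MODE:-}" ]; then
    nat_setup "$NAT_MODE" "${NAT_ADDR:-}"
fi
```

Printing the rules first and applying them only with APPLY=1 lets you review exactly what will go into /etc/rc.local, and the FORWARD policy is what turns the page's address translator into something you would actually want between a private network and the Internet.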
Webserver located on internal network
To redirect web traffic originating from the outside to a web server on the inside, you would use a rule as shown below.