Difference between revisions of "NAT Linux"

From Teknologisk videncenter
Jump to: navigation, search
m (Basic NAT example using IP Tables)
m
Line 4: Line 4:
 
*Redhat
 
*Redhat
 
*Centos
 
*Centos
 +
== Basic NAT example using IP Tables ==
 +
IPTABLES can be configured in two different ways when you boot your machine. The examples will assume you have two Network interface cards. '''eth0''' connected to the internal - private network - and '''eth1''' connected to the external - Internet.
 +
*Using a startup script. Example below.
 +
*Using IPTABLES save and restore facelity. Example below.
 +
=== Using a startup script to configure IPTABLES ===
 +
==== When you have a fixed address on the external Interface ====
 +
When you know your address on the external Interface - not using DHCP - you should use source NAT (SNAT), which is slightly more efficient than using masquerading.<br>
 +
Add the following lines to '''/etc/rc.local'''
 +
<pre>
 +
#  Enable IP Forwading between Interfaces (Routing)
 +
echo "1" > /proc/sys/net/ipv4/ip_forward
 +
# Use iptables Source NAT (SNAT) to translate internal 192.168.1.0/24 IP addresses to the external IP Address 83.90.47.30
 +
# Allow the internal hosts to connect to any IP address on the outside 0.0.0.0/24
 +
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0.0.0.0/0 -j SNAT --to 83.90.47.30
 +
</pre>
 +
use the command ''iptables -L -t nat'' to see the rule in the IPTABLES chains.
 +
<pre>
 +
[root@bkshost etc]# iptables -L -t nat
 +
Chain PREROUTING (policy ACCEPT)
 +
target    prot opt source              destination
 +
 +
Chain POSTROUTING (policy ACCEPT)
 +
target    prot opt source              destination
 +
SNAT      all  --  192.168.1.0/24        anywhere          to:83.90.47.30
 +
 +
Chain OUTPUT (policy ACCEPT)
 +
target    prot opt source              destination
 +
</pre>
 +
==== When you have a floating address on the external Interface ====
 +
When you don't know your external IP Address and are fetching it from a DHCP server, you can use masquerading<br/>
 +
Add the following lines to '''/etc/rc.local'''
 +
<pre>
 +
#  Enable IP Forwading between Interfaces (Routing)
 +
echo "1" > /proc/sys/net/ipv4/ip_forward
 +
# Use iptables Source NAT (SNAT) to translate internal 192.168.1.0/24 IP addresses to the external IP Address that eth0 has
 +
# Allow the internal hosts to connect to any IP address on the outside 0.0.0.0/24
 +
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0.0.0.0/0 -o eth0 -j MASQUERADE
 +
</pre>
 +
use the command ''iptables -L -t nat'' to see the rule in the IPTABLES chains.
 +
<pre>
 +
[root@bkshost etc]# iptables -L -t nat
 +
Chain PREROUTING (policy ACCEPT)
 +
target    prot opt source              destination
 +
 +
Chain POSTROUTING (policy ACCEPT)
 +
target    prot opt source              destination
 +
MASQUERADE  all  --  192.168.1.0/24        anywhere
 +
 +
Chain OUTPUT (policy ACCEPT)
 +
target    prot opt source              destination
 +
</pre>
 +
=OLD=
 +
Add the following lines to '''/etc/rc.local''' to configure Routing at boot.
 +
=== Using IPTABLES-SAVE/RESTORE to configure IPTABLES ===
 
== Enable IP Forwarding (Routing) between interfaces ==
 
== Enable IP Forwarding (Routing) between interfaces ==
 
Before you can route packets from the Inside network Interface to the outside network Interface, you need to enable IP forwarding.
 
Before you can route packets from the Inside network Interface to the outside network Interface, you need to enable IP forwarding.

Revision as of 11:13, 7 March 2009

Linux IP Tables

IP Tables is used for packet filtering and NAT/PAT translation on several Linux distributions including

  • Ubunto
  • Redhat
  • Centos

Basic NAT example using IP Tables

IPTABLES can be configured in two different ways when you boot your machine. The examples will assume you have two Network interface cards. eth0 connected to the internal - private network - and eth1 connected to the external - Internet.

  • Using a startup script. Example below.
  • Using IPTABLES save and restore facelity. Example below.

Using a startup script to configure IPTABLES

When you have a fixed address on the external Interface

When you know your address on the external Interface - not using DHCP - you should use source NAT (SNAT), which is slightly more efficient than using masquerading.
Add the following lines to /etc/rc.local

#  Enable IP Forwading between Interfaces (Routing)
echo "1" > /proc/sys/net/ipv4/ip_forward
# Use iptables Source NAT (SNAT) to translate internal 192.168.1.0/24 IP addresses to the external IP Address 83.90.47.30
# Allow the internal hosts to connect to any IP address on the outside 0.0.0.0/24
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0.0.0.0/0 -j SNAT --to 83.90.47.30

use the command iptables -L -t nat to see the rule in the IPTABLES chains.

[root@bkshost etc]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.1.0/24        anywhere           to:83.90.47.30

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

When you have a floating address on the external Interface

When you don't know your external IP Address and are fetching it from a DHCP server, you can use masquerading
Add the following lines to /etc/rc.local

#  Enable IP Forwading between Interfaces (Routing)
echo "1" > /proc/sys/net/ipv4/ip_forward
# Use iptables Source NAT (SNAT) to translate internal 192.168.1.0/24 IP addresses to the external IP Address that eth0 has
# Allow the internal hosts to connect to any IP address on the outside 0.0.0.0/24
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0.0.0.0/0 -o eth0 -j MASQUERADE 

use the command iptables -L -t nat to see the rule in the IPTABLES chains.

[root@bkshost etc]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.0/24        anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

OLD

Add the following lines to /etc/rc.local to configure Routing at boot.

Using IPTABLES-SAVE/RESTORE to configure IPTABLES

Enable IP Forwarding (Routing) between interfaces

Before you can route packets from the Inside network Interface to the outside network Interface, you need to enable IP forwarding.

Enabling forwarding until next boot

To enable IP forwarding you need to toggle a switch in the kernel, you can do that with the following command. But remember, next time you boot the machine, it will be switched of again.

echo "1" > /proc/sys/net/ipv4/ip_forward

Enable IP forwarding permanently

To enable IP forwarding permanently, you either need to issue the command below in a boot-script. /etc/rc.local or similar
or
Change the file /etc/sysctl.conf to include the following line. Perhaps you only need to uncomment a line. (Remove the # from beginning of the line)

net.ipv4.ip_forward=1

Note that altering /etc/sysctl.conf will first be effective after reboot.

Basic NAT example using IP Tables

In the example below the internal network 192.168.1.0/24 is Source Natted (SNAT) to the external IP Address 83.90.47.30. Source nat also makes port translations. So the example uses NAT/PAT, and would be sufficient as a NAT/PAT solution for a private network.

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0.0.0.0/0 -j SNAT --to 83.90.47.30

use the command iptables -L -t nat to see the rule in the IPTABLES chains.

[root@bkshost etc]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.1.0/24        anywhere           to:83.90.47.30

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Webserver located on internal network

To redirect WEB traffic originating from the outside to a WEB-server on the inside you would use a rule as showed below.