Difference between revisions of "NAT Linux"
m (→When you have a floating address on the external Interface) |
m (→WEB server on the inside network) |
||
Line 67: | Line 67: | ||
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 443 -j DNAT --to 192.168.1.30:443 | iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 443 -j DNAT --to 192.168.1.30:443 | ||
</pre> | </pre> | ||
− | + | ==IP destination nat Forwarding with source nat== | |
+ | <pre> | ||
+ | iptables -t nat -A PREROUTING -i eth1 -d 83.90.239.187 -j DNAT --to 192.168.139.103 | ||
+ | iptables -t nat -A POSTROUTING -o eth0 -d 192.168.139.103 -j SNAT --to-source 172.16.4.17 | ||
+ | </pre> | ||
[[Category:Linux]] | [[Category:Linux]] |
Latest revision as of 15:25, 11 December 2013
iptables is used for packet filtering and NAT/PAT translation on several Linux distributions including
- Ubunto
- Redhat
- Centos
Basic NAT example using iptables
iptables can be configured in two different ways when you boot your machine. The examples will assume you have two Network interface cards. eth0 connected to the internal - private network - and eth1 connected to the external - Internet.
- Using a startup script. Example below.
- Using iptables save and restore facelity. Example below.
Using a startup script to configure iptables
When you have a fixed address on the external Interface
When you know your address on the external Interface - not using DHCP - you should use source NAT (SNAT), which is slightly more efficient than using masquerading.
Add the following lines to /etc/rc.local
# Enable IP Forwading between Interfaces (Routing) echo "1" > /proc/sys/net/ipv4/ip_forward # Use iptables Source NAT (SNAT) to translate internal 192.168.1.0/24 IP addresses to the external IP Address 83.90.47.30 # Allow the internal hosts to connect to any IP address on the outside 0.0.0.0/24 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0.0.0.0/0 -j SNAT --to 83.90.47.30
When you have a floating address on the external Interface
When you don't know your external IP Address and are fetching it from a DHCP server, you can use masquerading
Add the following lines to /etc/rc.local
# Enable IP Forwarding between Interfaces (Routing) echo "1" > /proc/sys/net/ipv4/ip_forward # Use iptables Source NAT (SNAT) to translate internal 192.168.1.0/24 IP addresses to the external IP Address that eth0 has # Allow the internal hosts to connect to any IP address on the outside 0.0.0.0/24 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 0.0.0.0/0 -o eth1 -j MASQUERADE
Checking iptables NAT rules and traffic
The iptables list option can be used to see iptables rules and iptables traffic.
use the command iptables -L -t nat to see the rules in the iptables NAT chains.
[root@bkshost etc]# iptables -L -t nat Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination MASQUERADE all -- 192.168.1.0/24 anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination
use the command iptables -L -t nat -v to see the rules in the iptables chains and the traffic for each rule.
[root@bkshost etc]# iptables -L -t nat -v Chain PREROUTING (policy ACCEPT 275K packets, 19M bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 13846 packets, 1355K bytes) pkts bytes target prot opt in out source destination 99447 6447K MASQUERADE all -- * eth1 172.22.0.0/24 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 15307 packets, 1758K bytes) pkts bytes target prot opt in out source destination
WEB server on the inside network
If you have a WEB server on the inside network for example 192.168.1.30, which should be accessible from the outside. (eth1)
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.30:80 iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 443 -j DNAT --to 192.168.1.30:443
IP destination nat Forwarding with source nat
iptables -t nat -A PREROUTING -i eth1 -d 83.90.239.187 -j DNAT --to 192.168.139.103 iptables -t nat -A POSTROUTING -o eth0 -d 192.168.139.103 -j SNAT --to-source 172.16.4.17