Configuring NAT with
firewall, as just described, has the capacity to deliver or stop delivery of packets based on criteria such as the source and destination IP addresses, port
, and so on. This is an extremely useful feature, but it's not the limit of
' capabilities. One feature of
that's particularly useful in certain situations is the ability to program the Linux kernel to perform Network Address Translation (NAT). NAT allows you to modify certain
of a TCP/IP packet to increase the flexibility of your network addressing. Basic NAT configuration is relatively straightforward, but before you configure it, you should know what it is and what you can do with it.
What Is NAT?
NAT allows a router to modify the contents of TCP/IP packets. In particular, NAT enables changes to the source and destination addresses of the packets. Why would you want to do this? There are several possibilities:
” You might own a block of network addresses, but you might not want to use those addresses on your internal network for some reason. For instance, you might have already configured your local network to use the private 192.168.9.0/24 network block, and you might not want to reconfigure all your systems to use public addresses. Using NAT, you can perform a one-to-one mapping of external public addresses to internal private addresses, allowing other systems on the Internet to reach your internal systems.
Temporary address changes
” You might use NAT in a temporary emergency situation to redirect packets to a system that's other than the normal one. For instance, if a Web server goes down, you might redirect packets for that server to another computer on your local network. There are other possible solutions to this problem, such as changing DNS server entries, but NAT can be implemented very quickly, which may be important.
” It's possible to use NAT to assign two internal computers to a single external IP address, switching between the internal systems for incoming
. This is a crude form of load balancing that you might
if a single server becomes overburdened. There are, however, other load balancing solutions that are more elegant than NAT.
IP address extension
” If you have a limited number of IP addresses, you can "hide" several computers behind a single IP address, thus making maximal use of your available IP addresses. This feature is commonly used on small networks that use PPP dial-up or broadband Internet connections, which usually give the
only one IP address. It can also be used within a larger organization to stretch available IP addresses ”say, by using one IP address per department.
This final option is probably the most common use of NAT in Linux, and it's frequently referred to by another
For this reason, this is the use of NAT upon which this chapter focuses, but it's not the only use of NAT.
NAT requires the use of a router. This router need not be very sophisticated by router standards, but the router does need NAT support. The Linux kernel, as configured through
capable of filling this role. A Linux computer configured as a NAT router usually has two external network interfaces ”typically two Ethernet interfaces or an Ethernet interface and a PPP interface.
Unlike a conventional router, a NAT router need not be recognized as such by the outside world. Thus, you need not reconfigure the NAT router's gateway system, as you would have to do if the NAT router were a regular router serving a public block of IP addresses.
To understand NAT, consider a network transaction through a NAT router. This transaction begins with a client on the NAT-protected network, such as a Web browser. The user
to connect to an external site (say, at 172.18.127.45). The browser generates an HTTP request packet, addressed from its local IP address (say, 192.168.9.32). The client sends this request to its local gateway system, which is the NAT router. Upon receipt of the packets that make up this request, the NAT router examines the packets and changes the source IP address to that of the NAT router's own external address (say, 10.34.176.7) and sends the packets on their way. The Web server believes that the packets came from the NAT router, and so addresses its reply to the NAT router. When the NAT router receives this reply, it recognizes it as a reply to the request from 192.168.9.32, and so it reverses the process, changing the destination address of the reply packets and passing them on to the client. This process is
in Figure 25.3. If all goes well,
the client nor the server
that NAT was involved, so network programs don't need to be rewritten to support NAT.
Some forms of NAT, and in particular IP masquerading, provide an added benefit: automatic firewall-like protection of the private network. Because the outside world sees just one IP address, outside systems cannot initiate normal direct connections to the internal computers. Only reply packets to connections initiated by clients within the NAT network can reach the
. For this reason, some NAT products, particularly for home broadband users, are marketed as firewalls, but the two are slightly different.
Figure 25.3. NAT involves modifying TCP/IP packets so that addresses are
in one way or another.
NAT does have certain drawbacks, as well as advantages:
The firewall-like protection means that you can't as easily run externally accessible servers from inside a NAT-protected network. To do so, you must use port redirection, described in the upcoming section, "Redirecting Ports with
Not all protocols
well to NAT. Some, such as some security tools, embed information on their IP addresses within their data payloads, sometimes in an encrypted form. Others require servers at both ends of the connections. Linux's NAT implementation provides explicit support for some protocols that are tricky for NAT, but if you use videoconferencing or encryption tools, you may want to do a Web search or experiment to find out if your tools will work with Linux's NAT.
Although it's not
of NAT, you shouldn't rely upon its security features too much. A virus, worm, Trojan horse, or other local security problem can still launch attacks from within your network, or use an outgoing connection to allow an outsider access.
On the whole, NAT is a very useful tool for connecting many computers to a wider network using a single IP address, or for performing other tricks that involve the shuffling of IP addresses.
Linux's NAT features are contained within a separate table from the
table described in earlier sections of this chapter. In particular, NAT resides in the
table. This table, like the
table, consists of three chains:
. Despite having the same name, the
chain in the
table is different from the
chain in the
table. Enabling NAT can be done by typing two commands:
iptables -t nat -A POSTROUTING -o
-j \ MASQUERADE
echo "1" >
You may need to type
command to load the NAT module into the kernel.
In the first command,
is the name of the external network interface, such as
. This command
Linux to perform IP masquerading on all routed network traffic. The second command enables routing in the Linux kernel (you'd use the same command to enable non-NAT routing features).
It's common to enable firewall features, as described earlier in this chapter in the section "Configuring a Firewall with iptables," on a NAT router. Protecting computers behind the NAT router from direct attacks isn't much of an issue in this situation, but you should protect the NAT router from attacks on itself, and you should also limit external access from within your network. Even if you're the only user, it's possible that a virus, worm, or Trojan horse could try to initiate an undesirable external access, so you should limit outgoing packets. You can also use stateful inspection to block attempts to
connections made from inside your network. You can enter the NAT commands in the same script you use to activate your firewall features.
If at all possible, your NAT router should run no servers. If a server running on a NAT router is compromised, it can be used to compromise the rest of your network. In fact, you can install Linux on an old computer and use it as nothing but a NAT router for a small network. Even an old 80486 system should suffice.