Configuring NAT with iptables

A packet-filter firewall, as just described, can deliver or block packets based on criteria such as source and destination IP addresses, port numbers, and so on. This is an extremely useful feature, but it isn't the limit of iptables' capabilities. One feature that's particularly useful in certain situations is the ability to have the Linux kernel perform Network Address Translation (NAT). NAT lets you rewrite certain header fields of a TCP/IP packet, notably its addresses, to increase the flexibility of your network addressing. Basic NAT configuration is relatively straightforward, but before you configure it, you should know what it is and what you can do with it.

What Is NAT?

NAT lets a router rewrite the headers of the TCP/IP packets it forwards. In particular, NAT can change the source and destination addresses of the packets (and, in the masquerading case described below, their port numbers). Why would you want to do this? There are several possibilities:

  • Internal/external translation: You might own a block of public network addresses but not want to use those addresses on your internal network for some reason. For instance, you might already have configured your local network to use a private address block, and you might not want to reconfigure all your systems to use public addresses. Using NAT, you can map external public addresses one-to-one onto internal private addresses, allowing other systems on the Internet to reach your internal systems.

  • Temporary address changes: You might use NAT in a temporary emergency to redirect packets to a system other than the normal one. For instance, if a Web server goes down, you might redirect packets for that server to another computer on your local network. There are other solutions to this problem, such as changing DNS entries, but NAT can be put in place very quickly, which may be important.

  • Load balancing: It's possible to use NAT to assign two internal computers to a single external IP address, alternating between the internal systems for incoming requests. This is a crude form of load balancing that you might employ if a single server becomes overburdened. There are, however, other load-balancing solutions that are more elegant than NAT.

  • IP address extension: If you have a limited number of IP addresses, you can "hide" several computers behind a single IP address, making maximal use of the addresses you have. This feature is commonly used on small networks with PPP dial-up or broadband Internet connections, which usually give the user only one IP address. It can also be used within a larger organization to stretch available IP addresses, say by using one IP address per department.

This final option is probably the most common use of NAT in Linux, and it's frequently referred to by another name: IP masquerading. For this reason, this is the use of NAT upon which this chapter focuses, but it's not the only use of NAT.

NAT requires a router. This router need not be very sophisticated by router standards, but it does need NAT support. The Linux kernel, as configured through iptables, is perfectly capable of filling this role. A Linux computer configured as a NAT router usually has two network interfaces, one facing the internal network and one facing the outside, typically two Ethernet interfaces or an Ethernet interface and a PPP interface.



Unlike a conventional router, a NAT router need not be recognized as a router by the outside world: the upstream gateway sees only the NAT router's own external address. Thus, you need not have the NAT router's gateway system reconfigured, as you would if the NAT router were a regular router serving a public block of IP addresses.

To understand NAT, consider a network transaction through a NAT router. The transaction begins with a client on the NAT-protected network, such as a Web browser. The user tries to connect to an external Web site. The browser generates an HTTP request, addressed from the client's local (private) IP address, and sends it to its local gateway system, which is the NAT router. Upon receipt of the packets that make up this request, the NAT router changes their source IP address to its own external address, records the translation in its connection table, and sends the packets on their way. The Web server believes that the packets came from the NAT router, and so addresses its reply to the NAT router. When the NAT router receives this reply, it recognizes it from its connection table as a reply to the client's request, and so it reverses the process, changing the destination address of the reply packets back to the client's private address and passing them on to the client. Because many internal clients share one external address, the router also rewrites the source port when two clients happen to use the same one, so that their replies can be told apart. This process is illustrated in Figure 25.3. If all goes well, neither the client nor the server knows that NAT was involved, so network programs don't need to be rewritten to support NAT.

Some forms of NAT, and in particular IP masquerading, provide an added benefit: automatic firewall-like protection of the private network. Because the outside world sees just one IP address, outside systems cannot initiate direct connections to the internal computers. Only replies to connections initiated by clients within the NAT network can reach the clients. For this reason, some NAT products, particularly for home broadband users, are marketed as firewalls, but the two aren't the same thing: masquerading blocks only unsolicited inbound connections, does nothing about what leaves your network, and stops protecting any port you later redirect inward.

Figure 25.3. NAT involves modifying TCP/IP packets so that addresses are altered in one way or another.


NAT does have certain drawbacks, as well as advantages:

  • The firewall-like protection means that you can't as easily run externally accessible servers from inside a NAT-protected network. To do so, you must use port redirection, described in the upcoming section, "Redirecting Ports with iptables."

  • Not all protocols react well to NAT. Some, including FTP and some security tools, embed IP addresses or port numbers within their data payloads, sometimes in encrypted form, where the NAT router can't rewrite them. Others require servers at both ends of the connection. Linux's NAT implementation provides explicit support for some of these tricky protocols through connection-tracking helper modules (ip_conntrack_ftp and ip_nat_ftp for FTP, for instance), but if you use videoconferencing or encryption tools, you may want to do a Web search or experiment to find out whether your tools will work with Linux's NAT.

Although it's not strictly a disadvantage of NAT, you shouldn't rely upon its security features too much. A virus, worm, Trojan horse, or other local security problem can still launch attacks from within your network, or use an outgoing connection to allow an outsider access.

On the whole, NAT is a very useful tool for connecting many computers to a wider network using a single IP address, or for performing other tricks that involve the shuffling of IP addresses.

Setting iptables NAT Options

Linux's NAT features live in a separate table from the filter table described in earlier sections of this chapter: the nat table. Like the filter table, it has three chains, but they're different ones: PREROUTING (applied before the routing decision, for rewriting destination addresses), POSTROUTING (applied after the routing decision, for rewriting source addresses, which is what masquerading does), and OUTPUT (for packets generated on the router itself). Despite having the same name, the OUTPUT chain in the nat table is different from the OUTPUT chain in the filter table. Enabling NAT can be done by typing two commands:

 # iptables -t nat -A POSTROUTING -o external-interface -j MASQUERADE
 # echo "1" > /proc/sys/net/ipv4/ip_forward



You may need to type modprobe iptable_nat before the iptables command to load the NAT module into the kernel.

In the first command, external-interface is the name of the external network interface, such as ppp0 or eth1. This command tells Linux to masquerade all routed traffic leaving through that interface, rewriting its source address to whatever address the interface currently has. (MASQUERADE is intended for interfaces whose address may change, such as a dial-up PPP link; if the external address is static, the SNAT target with --to-source does the same job without re-reading the interface address for every new connection.) The second command enables routing in the Linux kernel; you'd use the same command to enable non-NAT routing.

It's common to enable firewall features, as described earlier in this chapter in the section "Configuring a Firewall with iptables," on a NAT router. Protecting the computers behind the NAT router from direct inbound attacks isn't much of an issue, because masquerading already blocks unsolicited inbound connections, but you should protect the NAT router from attacks on itself, and you should also limit what systems inside your network can reach outside. Even if you're the only user, a virus, worm, or Trojan horse could try to initiate an undesirable external connection, so you should restrict outgoing packets as well. You can also use stateful inspection to block attempts to hijack connections made from inside your network. The NAT commands can go in the same script you use to activate your firewall rules.

If at all possible, your NAT router should run no servers. If a server running on a NAT router is compromised, it can be used to compromise the rest of your network. In fact, you can install Linux on an old computer and use it as nothing but a NAT router for a small network. Even an old 80486 system should suffice.
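As an added example (not code from the book), here is a complete masquerading-router script that combines the two commands above with the firewall advice in the last three paragraphs: it protects the router itself (accepting only SSH from the LAN side, in keeping with "run no servers"), lets only replies back in, limits what the LAN may open outward, drops and logs everything else, and masquerades what remains. The interface names eth0 (LAN) and ppp0 (Internet), the LAN address 192.168.1.0/24, and the list of permitted outbound ports are assumptions; change them or override them through the environment.

```shell
#!/bin/sh
# Added example, not from the book: a complete IP-masquerading router script
# built from the two commands in the text plus the firewall advice that
# follows them. Assumed topology (change to suit): eth0 faces the LAN,
# ppp0 faces the Internet, and the LAN uses 192.168.1.0/24.
#   sh nat-router.sh          print the rules that would be installed
#   sh nat-router.sh apply    install them (must run as root)

INT_IF="${INT_IF:-eth0}"
EXT_IF="${EXT_IF:-ppp0}"
INT_NET="${INT_NET:-192.168.1.0/24}"
IPT="${IPT:-iptables}"

# One iptables invocation per line, minus the command name, so the rule set
# can be reviewed and checked without touching the kernel. Comment lines are
# filtered out. Order matters within a chain: the first matching rule wins.
nat_rules() {
grep -v '^#' <<EOF
# Default to dropping anything not explicitly allowed to or through the router.
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
# Protect the router itself: loopback, replies to its own connections, and
# SSH from the LAN only. Nothing arriving on the external interface may open
# a new connection to the router.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $EXT_IF -s $INT_NET -j DROP
-A INPUT -i $INT_IF -s $INT_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Forwarded traffic: replies come back in; packets arriving from outside that
# claim a LAN source address are spoofed; the LAN may open only DNS, SSH,
# HTTP and HTTPS outward, and everything else it tries is logged and dropped.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $EXT_IF -s $INT_NET -j DROP
-A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -p udp --dport 53 -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -j LOG --log-prefix nat-denied-out:
-A FORWARD -i $INT_IF -o $EXT_IF -j DROP
# The masquerading rule from the text, restricted to our own LAN addresses.
-t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE
EOF
}

apply_rules() {
    # 2.4 kernels need the NAT module loaded by hand; newer kernels autoload
    # it, so a failure here is harmless.
    modprobe iptable_nat 2>/dev/null || true
    $IPT -F
    $IPT -t nat -F
    nat_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word-splitting of $rule is intended
        $IPT $rule
    done
    # Turn on routing, exactly as in the text.
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    nat_rules | sed "s|^|$IPT |"
fi
```

Run it without arguments first and read the printed commands; only when they look right, run it as root with the apply argument. Because the filter chains default to DROP, add a rule for any further service the LAN needs (for example SMTP) in the FORWARD section rather than loosening the policy.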

Advanced Linux Networking
ISBN: 0201774232
Year: 2002
Pages: 203