Source NAT is by far the most common form of NAT. Using NAT to give outgoing Internet access to local, privately addressed hosts was the original purpose of NAT. The following sections provide some simple, real-world examples of using the nat table's MASQUERADE and SNAT targets.

Masquerading LAN Traffic to the Internet

The MASQUERADE version of source NAT is intended for people with dial-up accounts who get a different IP address assigned at each connection. It is also used by people with always-on connections whose ISP assigns them a different IP address on a regular basis. The simplest example is a PPP connection. These sites often use a single rule to masquerade all outgoing connections from the LAN:

    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Masquerading, and NAT in general, is set up with the first packet. With masquerading, a single nat rule can be sufficient. The NAT and connection state tracking take care of the incoming packets. The FORWARD rule pair is necessary, though, as in this example:

    iptables -A FORWARD -o ppp0 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -o <LAN interface> \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

In this simple type of setup, the incoming interface doesn't need to be specified. FORWARD rules refer to traffic crossing between interfaces. If the host has a single network interface and a single ppp interface, anything forwarded out one interface must necessarily originate from the other interface. Anything accepted by the FORWARD rules in the filter table during routing will be masqueraded by the POSTROUTING rule in the nat table. Even with short-term phone connections, the single FORWARD rule allowing outgoing NEW connections should be broken out into rules for specific services. Depending on the networked devices in the LAN and how they operate, you most likely want to limit what LAN traffic gets forwarded.
Here's an example of a single FORWARD rule pair:

    iptables -A FORWARD -i <LAN interface> -o ppp0 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i ppp0 -o <LAN interface> \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

In this example, the single FORWARD rule pair is broken out into several more specific rules allowing only DNS queries and standard web access. Other LAN traffic isn't forwarded, as shown by these commands:

    iptables -A FORWARD -i ppp0 -o <LAN interface> \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -o ppp0 \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -o ppp0 -p udp \
        --sport 1024:65535 -d <name server> --dport 53 \
        -m state --state NEW -j ACCEPT
    iptables -A FORWARD -o ppp0 -p tcp \
        --sport 1024:65535 -d <name server> --dport 53 \
        -m state --state NEW -j ACCEPT
    iptables -A FORWARD -o ppp0 -p tcp \
        -s <local host> --sport 1024:65535 --dport 80 \
        -m state --state NEW -j ACCEPT

The single MASQUERADE rule on the nat table's POSTROUTING chain remains unchanged. All forwarded traffic is masqueraded. (Locally generated traffic going out the ppp0 interface is not masqueraded, because that traffic already carries the interface's IP address as its source, by definition.) The FORWARD rules in the filter table limit what traffic is forwarded and, therefore, what traffic is seen at the POSTROUTING chain.

Applying Standard NAT to LAN Traffic to the Internet

Assuming that the same site had a dynamically assigned but semipermanent IP address, or that it has a permanently assigned IP address, the more general SNAT version of source NAT would be used. Just as in the masquerading example, small residential sites often forward and NAT all outgoing LAN traffic:

    iptables -t nat -A POSTROUTING -o <external interface> \
        -j SNAT --to-source <external address>

As with masquerading, a single SNAT rule can be sufficient. The NAT and connection state tracking take care of the incoming packets.
The FORWARD rule pair is necessary, however, as in the following example:

    iptables -A FORWARD -o <external interface> \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -o <LAN interface> \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

In the case of small sites with 24x7 connections, it's especially important to be selective about what traffic gets forwarded. The single FORWARD rule allowing outgoing new connections isn't sufficient. Trojans and viruses are common. Newer networked devices tend to be somewhat promiscuous about what they do over the network. There's a good chance that Microsoft Windows machines and devices such as networked printers are generating far more traffic than you realize. Also, much of that local traffic is broadcast. It's a good idea to avoid the risk of forwarding broadcast traffic. Routers are no longer supposed to forward directed broadcast traffic by default, but many still do. (Limited broadcasts don't cross network boundaries without a relay agent to duplicate the packet and pass it on. Most devices use limited broadcasts.) A final reason is the case of attaching work laptops to the home network. Many employers don't want offsite laptops to have Internet access without VPN or the protection of their corporate firewalls and antivirus software.
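The following script is an added example, not the book's own code; it ties the masquerading and the SNAT sections together in one rule builder. The FORWARD chain is broken out the way the text recommends (default DROP, replies always, new connections only for DNS to one resolver and for web), and it refuses to forward broadcast destinations, which the text warns about. All concrete values are assumptions: the LAN is eth1 / 192.168.1.0/24, the external interface is ppp0, and the name server 203.0.113.53 is a constructed address from the documentation range. The IPT variable defaults to a dry run that echoes the rules, so the script can be reviewed before IPT=iptables applies it; port 443 and the addrtype broadcast match go beyond what the page shows.

```shell
#!/bin/sh
# Added example (not the book's script). Assumed values, not from the page:
# LAN on eth1 / 192.168.1.0/24, external interface ppp0, resolver 203.0.113.53
# (constructed, documentation range). IPT defaults to a dry run that only
# echoes each rule; set IPT=iptables to apply them on a real router.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
EXT_IF="${EXT_IF:-ppp0}"
NAME_SERVER="${NAME_SERVER:-203.0.113.53}"

# filter table: default-deny FORWARD, replies always, new connections only
# for DNS to our resolver and web from the LAN, and no broadcast forwarding.
forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Directed and limited broadcasts never cross the router.
    $IPT -A FORWARD -m addrtype --dst-type BROADCAST -j DROP
    $IPT -A FORWARD -d 255.255.255.255 -j DROP
    # Replies and related traffic (ICMP errors, FTP data) in both directions.
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New DNS queries (UDP and TCP) only to the configured name server.
    for proto in udp tcp; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -p "$proto" \
            -s "$LAN_NET" --sport 1024:65535 \
            -d "$NAME_SERVER" --dport 53 \
            -m state --state NEW -j ACCEPT
    done
    # New web connections from the LAN (port 80 as on the page, plus 443).
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -p tcp \
        -s "$LAN_NET" --sport 1024:65535 \
        -m multiport --dports 80,443 \
        -m state --state NEW -j ACCEPT
    # Anything else is logged (rate limited) and then hits the DROP policy.
    $IPT -A FORWARD -m limit --limit 5/min \
        -j LOG --log-prefix "FORWARD drop: "
}

# nat table: MASQUERADE when the external address changes per connection,
# SNAT --to-source when it is fixed. $1 is the fixed address, or empty.
nat_rule() {
    ext_addr="$1"
    if [ -z "$ext_addr" ]; then
        $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
    else
        $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" \
            -j SNAT --to-source "$ext_addr"
    fi
}

# build_firewall [external-address]: an empty argument selects masquerading.
build_firewall() {
    forward_rules
    nat_rule "${1:-}"
}

# NAT does nothing unless the kernel forwards; returns 0 when it does.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Stand-alone use: sh nat-rules.sh            (masquerade, dry run)
#                  IPT=iptables sh nat-rules.sh 203.0.113.5   (apply SNAT)
build_firewall "${1:-}"
```

Because the filter rules restrict `-s` to the LAN network and the nat rule restricts `-s` as well, a forwarded packet with a spoofed source outside the LAN range is dropped in FORWARD and never reaches POSTROUTING; the `-d 255.255.255.255` and addrtype rules sit before the state rules so that no broadcast ever creates a conntrack entry.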