Advanced Linux Networking, Roderick Smith [Electronic resources] (text version)


Roderick W. Smith

Configuring NAT with iptables


A packet-filter firewall, as just described, has the capacity to deliver or stop delivery of packets based on criteria such as the source and destination IP addresses, port numbers, and so on. This is an extremely useful feature, but it's not the limit of iptables' capabilities. One feature of iptables that's particularly useful in certain situations is the ability to program the Linux kernel to perform Network Address Translation (NAT). NAT allows you to modify certain parts of a TCP/IP packet to increase the flexibility of your network addressing. Basic NAT configuration is relatively straightforward, but before you configure it, you should know what it is and what you can do with it.

What Is NAT?


NAT allows a router to modify the contents of
TCP/IP packets. In particular, NAT enables changes to the source and
destination addresses of the packets. Why would you want to do this? There are
several possibilities:

Internal/external translation: You might own a block of network addresses, but you might not want to use those addresses on your internal network for some reason. For instance, you might have already configured your local network to use the private 192.168.9.0/24 network block, and you might not want to reconfigure all your systems to use public addresses. Using NAT, you can perform a one-to-one mapping of external public addresses to internal private addresses, allowing other systems on the Internet to reach your internal systems.

Temporary address changes: You might use NAT in a temporary emergency situation to redirect packets to a system that's other than the normal one. For instance, if a Web server goes down, you might redirect packets for that server to another computer on your local network. There are other possible solutions to this problem, such as changing DNS server entries, but NAT can be implemented very quickly, which may be important.

Load balancing: It's possible to use NAT to assign two internal computers to a single external IP address, switching between the internal systems for incoming requests. This is a crude form of load balancing that you might employ if a single server becomes overburdened. There are, however, other load balancing solutions that are more elegant than NAT.

IP address extension: If you have a limited number of IP addresses, you can "hide" several computers behind a single IP address, thus making maximal use of your available IP addresses. This feature is commonly used on small networks that use PPP dial-up or broadband Internet connections, which usually give the user only one IP address. It can also be used within a larger organization to stretch available IP addresses, say, by using one IP address per department.

This final option is probably the most common use of NAT in Linux, and it's frequently referred to by another name: IP masquerading. For this reason, this is the use of NAT upon which this chapter focuses, but it's not the only use of NAT.

NAT requires the use of a router. This router need not be very sophisticated by router standards, but the router does need NAT support. The Linux kernel, as configured through iptables, is perfectly capable of filling this role. A Linux computer configured as a NAT router usually has two external network interfaces, typically two Ethernet interfaces or an Ethernet interface and a PPP interface.

NOTE

Unlike a conventional router, a NAT router need not be recognized as such by the outside world. Thus, you need not reconfigure the NAT router's gateway system, as you would have to do if the NAT router were a regular router serving a public block of IP addresses.


To understand NAT, consider a network transaction through a NAT router. This transaction begins with a client on the NAT-protected network, such as a Web browser. The user tries to connect to an external site (say, at 172.18.127.45). The browser generates an HTTP request packet, addressed from its local IP address (say, 192.168.9.32). The client sends this request to its local gateway system, which is the NAT router. Upon receipt of the packets that make up this request, the NAT router examines the packets and changes the source IP address to that of the NAT router's own external address (say, 10.34.176.7) and sends the packets on their way. The Web server believes that the packets came from the NAT router, and so addresses its reply to the NAT router. When the NAT router receives this reply, it recognizes it as a reply to the request from 192.168.9.32, and so it reverses the process, changing the destination address of the reply packets and passing them on to the client. This process is illustrated in Figure 25.3. If all goes well, neither the client nor the server knows that NAT was involved, so network programs don't need to be rewritten to support NAT.

Some forms of NAT, and in particular IP
masquerading, provide an added benefit: automatic firewall-like protection of
the private network. Because the outside world sees just one IP address,
outside systems cannot initiate normal direct connections to the internal
computers. Only reply packets to connections initiated by clients within the
NAT network can reach the clients. For this reason, some NAT products,
particularly for home broadband users, are marketed as firewalls, but the two
are slightly different.

Figure 25.3. NAT involves modifying TCP/IP packets so that addresses are altered in one way or another.

NAT does have certain drawbacks, as well as advantages:

The firewall-like protection means that you can't as easily run externally accessible servers from inside a NAT-protected network. To do so, you must use port redirection, described in the upcoming section, "Redirecting Ports with iptables."

Not all protocols react well to NAT. Some, such
as some security tools, embed information on their IP addresses within their
data payloads, sometimes in an encrypted form. Others require servers at both
ends of the connections. Linux's NAT implementation provides explicit support
for some protocols that are tricky for NAT, but if you use videoconferencing or
encryption tools, you may want to do a Web search or experiment to find out if
your tools will work with Linux's NAT.

Although it's not strictly a disadvantage of
NAT, you shouldn't rely upon its security features too much. A virus, worm,
Trojan horse, or other local security problem can still launch attacks from
within your network, or use an outgoing connection to allow an outsider access.

On the whole, NAT is a very useful tool for
connecting many computers to a wider network using a single IP address, or for
performing other tricks that involve the shuffling of IP addresses.

Setting iptables NAT Options


Linux's NAT features are contained within a separate table from the filter table described in earlier sections of this chapter. In particular, NAT resides in the nat table. This table, like the filter table, consists of three chains: PREROUTING, POSTROUTING, and OUTPUT. Despite having the same name, the OUTPUT chain in the nat table is different from the OUTPUT chain in the filter table. Enabling NAT can be done by typing two commands:

# iptables -t nat -A POSTROUTING -o external-interface -j MASQUERADE
# echo "1" > /proc/sys/net/ipv4/ip_forward

NOTE

You may need to type modprobe iptable_nat before the iptables command to load the NAT module into the kernel.


In the first command, external-interface is the name of the external network interface, such as ppp0 or eth1. This command tells Linux to perform IP masquerading on all routed network traffic. The second command enables routing in the Linux kernel (you'd use the same command to enable non-NAT routing features).

It's common to enable firewall features, as described earlier in this chapter in the section "Configuring a Firewall with iptables," on a NAT router. Protecting computers behind the NAT router from direct attacks isn't much of an issue in this situation, but you should protect the NAT router from attacks on itself, and you should also limit external access from within your network. Even if you're the only user, it's possible that a virus, worm, or Trojan horse could try to initiate an undesirable external access, so you should limit outgoing packets. You can also use stateful inspection to block attempts to hijack connections made from inside your network. You can enter the NAT commands in the same script you use to activate your firewall features.
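The following script, added here as an example and not taken from the book, puts the two NAT commands above into the kind of combined NAT-plus-firewall script the paragraph describes: default-deny filter policies, administrative access to the router only from the LAN, a short list of client protocols the LAN may open outward, and stateful matching so that inbound packets are forwarded only for connections the LAN initiated. The interface names (eth0 internal, ppp0 external) and the LAN block 192.168.9.0/24 are assumptions; by default the script only prints the commands it would run, and APPLY=1 executes them as root.

```shell
#!/bin/sh
# Added example, not code from the book: a minimal NAT router script that
# combines IP masquerading with default-deny filter rules. Assumed names:
# internal interface eth0, external interface ppp0, LAN block 192.168.9.0/24.
LAN_IF=${LAN_IF:-eth0}
EXT_IF=${EXT_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.9.0/24}

# Every rule passes through run(): by default the command is only printed
# (a preview you can read before touching a live router); APPLY=1 executes it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

nat_router_rules() {
    run modprobe iptable_nat
    # Default-deny on all three filter chains, then flush any old rules.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP
    run iptables -F
    run iptables -t nat -F
    # The router itself: loopback, replies to its own connections, and
    # administration (SSH) from the LAN only. Nothing new from the outside.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
    run iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Forwarded traffic: packets of already-tracked connections pass in both
    # directions, but NEW connections are accepted only from the LAN side and
    # only for DNS, HTTP and HTTPS, so an outside host can never open one.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for proto_port in udp:53 tcp:53 tcp:80 tcp:443; do
        run iptables -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" \
            -p "${proto_port%%:*}" --dport "${proto_port##*:}" \
            -m state --state NEW -j ACCEPT
    done
    # Masquerade everything that leaves through the external interface.
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    # Turn on routing in the kernel (same effect as echo 1 > .../ip_forward).
    run sysctl -w net.ipv4.ip_forward=1
}

nat_router_rules
```

Review the printed rule list, then rerun with APPLY=1 from the same script that loads your other firewall rules.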

If at all possible, your NAT router should
run no servers. If a server running on a NAT router is compromised, it can be
used to compromise the rest of your network. In fact, you can install Linux on
an old computer and use it as nothing but a NAT router for a small network. Even
an old 80486 system should suffice.
