IPTABLES (NAT & PAT)

What are iptables NAT and PAT?

Easy and simple steps to learn the iptables NAT concept, with real-world NAT rules for building a Linux-based router / firewall.

Network Address Translation (NAT) rewrites the source or destination address of packets as they pass through the firewall. The common case is a request received on the public IP being forwarded to a private IP address behind the firewall.

Ex:

Outside request -> public IP on eth1, translated ("NAT") to a private IP on eth0 (internal network)
Inside request -> private IP on eth0, translated to the public IP on eth1 (external)

When a request received on the public IP for a particular port is forwarded to a private IP behind the firewall, on the same port or on a user-defined port, this is called PAT (Port Address Translation). Many inside hosts can then share one public address, distinguished by port.

There are two kinds of translation in the nat table: source NAT (SNAT), which rewrites the source address, and destination NAT (DNAT), which rewrites the destination address. This guide covers the following topics.

1. PAT: – Port Address Translation

2. NAT: – Network Address Translation

3. Useful commands

Note: Source NAT (SNAT) rewrites the source address and is done in the POSTROUTING chain; destination NAT (DNAT) rewrites the destination address and is done in the PREROUTING chain (or OUTPUT for packets generated on the firewall itself).

POSTROUTING : Traversed after the routing decision, as the packet leaves. Used for requests from the internal network (inside) to the external network (outside): the private source address is rewritten to the public IP (SNAT).

Ex: Let's assume that you have a Linux firewall with 2 network cards: eth0 : 192.168.1.20 and eth1 : Public IP.

Allowing internet access from this gateway to the internal network (192.168.1.0/24) is done with an SNAT (or MASQUERADE) rule in the POSTROUTING chain of the nat table.

PREROUTING : Traversed before the routing decision, as the packet arrives. Used for requests from the external network (outside) to the internal network (inside): the public destination address is rewritten to a private IP (DNAT), so that the routing decision that follows sends the packet to the internal host.

Ex: Same firewall, eth0 : 192.168.1.20 and eth1 : Public IP.

A request received on the public IP of the firewall is forwarded to one of the internal network IP addresses. Note that the nat table only rewrites addresses; the translated packet still has to pass the FORWARD chain of the filter table, so if the FORWARD policy is DROP you also need an ACCEPT rule there.

Note: Before you start writing NAT rules, make sure IP forwarding is enabled so that the kernel forwards packets between the public and private interfaces; without it, DNAT'ed packets are dropped after translation.

Set net.ipv4.ip_forward = 1 persistently:

#vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

Save and exit, then reload the sysctl configuration so the setting takes effect:

#sysctl -p

Or enable it immediately for the running kernel only (lost on reboot):

#echo 1 > /proc/sys/net/ipv4/ip_forward

1. PAT: – Port Address Translation

Port Address Translation maps several local devices onto a single public IP address, using a different public port for each device. The purpose of PAT is to conserve public IP addresses.

Rules :

1.1 Redirect a request received on the public IP for port 80 to the private IP of the inside network, same port

#iptables -t nat -I PREROUTING -p tcp -d 111.22.44.12 --dport 80 -j DNAT --to-destination 192.168.0.106

Redirect a request received on the public IP for port 80 to the private IP of the inside network on a different port (here 9090).

#iptables -t nat -A PREROUTING -p tcp -d 111.22.44.12 --dport 80 -j DNAT --to-destination 192.168.0.106:9090

Use only one of these two rules: both match the same traffic, and the first matching rule in the chain wins.

Note:
-j DNAT    : Destination NAT target (PREROUTING chain)
-t nat     : operate on the nat table
-A / -I    : -A appends the rule at the end of the chain, -I inserts it at the top; rules are evaluated in order and the first match wins
--dport    : Destination port
--to-destination : New destination IP and, optionally, port (the private IP of the inside host)

1.2 Redirect requests received on the public IP on any port to the private IP of the inside network.

#iptables -t nat -I PREROUTING -d 111.22.44.12 -j DNAT --to-destination 192.168.0.106

Caution: with no -p or --dport this maps every port and protocol of the public IP to the inside host. Everything listening on that host becomes reachable from the outside, and connections meant for the firewall itself on that address (SSH, for example) now land on the inside host. Prefer explicit per-port rules like 1.1 unless a full 1:1 mapping is really intended.

1.3 Transparent proxy: redirect requests from the local network arriving on eth0 (private network interface) for port 80 to the local proxy port (3128)

#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128

Note :
-j REDIRECT : a special case of DNAT that rewrites the destination to the address of the interface the packet arrived on, with the given port; the proxy must be listening on port 3128 on the firewall itself. Only plain HTTP on port 80 is redirected; HTTPS is not covered by this rule.

2. NAT: – Network Address Translation

All requests received on the public IP are sent to a single private IP inside the network (a 1:1 mapping of the public address to that host).

2.1 Redirect requests received on the public IP on any port to the private IP inside the network (the same rule as 1.2, with the same exposure caveat).

#iptables -t nat -A PREROUTING -d 111.22.44.12 -j DNAT --to-destination 192.168.0.106

The nat rule alone is not enough: the translated packets must also be accepted by the FORWARD chain of the filter table, and IP forwarding must be enabled.

2.2 Allowing internet access to the internal network through the public IP

We assume that you have a Linux machine with two network cards (eth0, private IP and eth1, public IP). POSTROUTING and SNAT are used to allow internet access for 192.168.1.0/24 (inside network) via a public IP, i.e. 111.22.44.12.

eth0: 192.168.1.254
eth1: Public IP

#iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to-source 111.22.44.12

Note:
-SNAT : Source NAT (POSTROUTING); the private source address of packets leaving eth1 is rewritten to 111.22.44.12, and replies are translated back automatically by connection tracking.
-o eth1 : only translate packets leaving on the public interface, so traffic between internal hosts is not rewritten.
-j : Jump to a target (the action to take on matching packets).
--to-source : The public IP to use as the new source address.
2.3 If you have a dynamic public IP, use MASQUERADE, which always uses the current address of the outgoing interface:

#iptables -t nat -A POSTROUTING --out-interface eth1 -j MASQUERADE

The translated packets still have to be accepted by the FORWARD chain. With the default ACCEPT policy this rule is enough; if your FORWARD policy is DROP, also accept ESTABLISHED,RELATED traffic back from eth1 to eth0, otherwise replies never reach the inside hosts.

#iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

If you did not already enable IP forwarding above, do so now:

#echo 1 > /proc/sys/net/ipv4/ip_forward

and add net.ipv4.ip_forward = 1 to /etc/sysctl.conf, then reload the sysctl configuration
#sysctl -p
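The rules in sections 1 and 2 fit together into one router script. The following is an added example, not code from the original page: it enables forwarding, sets a default-deny FORWARD chain, masquerades the LAN and publishes two inside services with DNAT plus the matching FORWARD accepts that the individual rules above rely on. The interface names eth0/eth1, the public address 111.22.44.12, the LAN 192.168.1.0/24 and the two forwarded hosts 192.168.1.10 and 192.168.1.11 are assumptions for illustration. By default (DRY_RUN=1) it only prints the commands, so it can be reviewed without root; run it with DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example (not from the original page): a complete ruleset for a two-NIC
# Linux router that combines the page's DNAT, FORWARD and MASQUERADE rules.
# Interface names, addresses and the two port forwards below are assumptions.
# DRY_RUN=1 (the default) prints every command instead of executing it, so the
# script can be read and tested without root; run with DRY_RUN=0 as root to apply.

PUB_IF="${PUB_IF:-eth1}"          # public interface (assumed)
PRIV_IF="${PRIV_IF:-eth0}"        # private interface (assumed)
PUB_IP="${PUB_IP:-111.22.44.12}"  # public address used in the page's examples
LAN="${LAN:-192.168.1.0/24}"      # internal network
DRY_RUN="${DRY_RUN:-1}"

# run CMD ARGS...: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

ipt() { run iptables "$@"; }

# forward_port PUB_PORT PRIV_IP [PRIV_PORT]
# One DNAT rule in nat/PREROUTING plus the matching ACCEPT in filter/FORWARD.
# The second rule is what a bare DNAT rule lacks: DNAT only rewrites the
# destination, and with a default-deny FORWARD chain the rewritten packet is dropped.
forward_port() {
  pub_port=$1
  priv_ip=$2
  priv_port=${3:-$1}
  ipt -t nat -A PREROUTING -i "$PUB_IF" -p tcp -d "$PUB_IP" --dport "$pub_port" \
      -j DNAT --to-destination "$priv_ip:$priv_port"
  ipt -A FORWARD -i "$PUB_IF" -o "$PRIV_IF" -p tcp -d "$priv_ip" --dport "$priv_port" \
      -m conntrack --ctstate NEW -j ACCEPT
}

build_ruleset() {
  run sysctl -w net.ipv4.ip_forward=1      # same effect as echo 1 > /proc/sys/net/ipv4/ip_forward

  ipt -F                                   # start from empty filter and nat tables
  ipt -t nat -F
  ipt -P FORWARD DROP                      # default deny for forwarded traffic

  # Replies to anything already allowed, in both directions.
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # LAN hosts may open new connections to the outside...
  ipt -A FORWARD -i "$PRIV_IF" -o "$PUB_IF" -s "$LAN" -m conntrack --ctstate NEW -j ACCEPT
  # ...and their source address is rewritten to the public interface's address.
  # With a static public IP, "-j SNAT --to-source $PUB_IP" does the same job.
  ipt -t nat -A POSTROUTING -o "$PUB_IF" -s "$LAN" -j MASQUERADE

  # Inbound services: only the listed ports are reachable from the outside.
  forward_port 80   192.168.1.10          # web server, same port inside
  forward_port 8443 192.168.1.11 443      # public 8443 -> private 443
}

build_ruleset
```

The order matters: the ESTABLISHED,RELATED rule comes first so replies are handled by one rule, and every DNAT rule is paired with a FORWARD accept restricted to the translated destination and port, so the default-deny policy still blocks everything else.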

3. Useful commands

List the rules of the nat table, with numeric addresses, packet counters and rule numbers

#iptables -t nat -L -n -v --line-numbers

Flush all rules of the nat table

#iptables -t nat -F

Delete the POSTROUTING rule from the nat table, specifying the rule number

#iptables -t nat -D POSTROUTING 1

Delete the PREROUTING rule from the nat table, specifying the rule number

#iptables -t nat -D PREROUTING 1

Note :
-D : Delete the rule
-PREROUTING : Outside to inside (DNAT)
-POSTROUTING : Inside to outside (SNAT / MASQUERADE)
Rule numbers are positions in the chain and shift whenever a rule above them is deleted, so list with --line-numbers again before each deletion, or delete by giving -D the full rule specification instead of a number. Rules added with iptables are not persistent; save them with iptables-save (or your distribution's iptables persistence service) so they survive a reboot.
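Deleting by rule number is fragile because positions shift. As an added example that is not part of the original page, the following shell function reads the output of iptables -t nat -S PREROUTING and prints a delete command carrying the full rule specification for every DNAT rule that targets a given inside host, so the result does not depend on rule positions. The rule listing it runs on here is constructed to look like that output; the addresses in it are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): delete DNAT rules by their exact
# specification instead of by position, so the number of other rules does not matter.
# Reads the output of "iptables -t nat -S PREROUTING" on stdin; the sample below
# is constructed to look like that output for the page's style of rules.

# dnat_delete_cmds PRIV_IP: for every PREROUTING rule whose DNAT target is PRIV_IP
# (any port), print the matching "iptables -t nat -D PREROUTING <spec>" command.
dnat_delete_cmds() {
  awk -v ip="$1" '
    $1 == "-A" && $2 == "PREROUTING" && / -j DNAT / {
      split($NF, target, ":")      # --to-destination value is the last field: "ip" or "ip:port"
      if (target[1] == ip) {
        sub(/^-A /, "")            # turn "-A PREROUTING ..." into "PREROUTING ..."
        print "iptables -t nat -D " $0
      }
    }'
}

# Constructed sample of "iptables -t nat -S PREROUTING" (not captured from a real host).
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -d 111.22.44.12/32 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
-A PREROUTING -d 111.22.44.12/32 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.11:443
-A PREROUTING -d 111.22.44.12/32 -j DNAT --to-destination 192.168.1.10
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'

# On a live router (as root): iptables -t nat -S PREROUTING | dnat_delete_cmds 192.168.1.10 | sh
printf '%s\n' "$SAMPLE_RULES" | dnat_delete_cmds 192.168.1.10
```

Only DNAT rules are matched, so the REDIRECT rule for the transparent proxy is left alone, and the "any port" mapping from section 1.2 is found as well because the comparison is on the address part of the target only.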

Copyright ©Solutions@Experts.com