Network Address Translation (NAT)
NAT, as described in RFC 1631, has many forms:
- overloaded NAT - maps multiple unroutable IP addresses to a single registered (routable) IP address by using different ports (as just seen). This is variously known as PAT (Port Address Translation), single-address NAT or port-level multiplexed NAT,
- dynamic NAT - maps an unroutable IP address to one of a managed group of registered IP addresses, and
- static NAT - maps an unroutable IP address to a registered IP address on a one-to-one basis. This is required when a device needs to be accessible from outside the network, such as a web or FTP server.
Supporting NAT with iptables
iptables supports NAT very simply.
Consider a home system with a ppp external connection,
and an Ethernet internal connection:
EXT=ppp0                    # external (Internet-facing) interface
PPP_IP=130.95.44.44         # registered address assigned to that interface
# The nat table is consulted only for the first packet of each connection,
# so its chains are not the place to filter; a DROP policy there would
# discard every new connection that has no translation rule.
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
# Filtering belongs in the filter table: forward nothing by default ...
iptables -P FORWARD DROP
# ... then let internal hosts out, and let replies to them back in
iptables -A FORWARD -s 192.168.1.0/24 -o $EXT -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# NAT everything heading out the external interface
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 \
    -o $EXT -j SNAT --to-source $PPP_IP
# This enables IP forwarding, and thus by extension, NAT
echo 1 > /proc/sys/net/ipv4/ip_forward
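The three NAT forms listed above, and the behaviour of an SNAT/PAT rule like the one on this slide, as an added simulation that is not part of the lecture. It models a translator that tries a static one-to-one mapping first, then leases an address from a dynamic pool, and finally falls back to overloaded NAT (PAT) on a single registered address; all addresses, ports and the overflow-to-PAT ordering are constructed for the example. The point it makes visible is why a server needs a static mapping: with PAT, an inbound packet for a port that no inside host has opened has nowhere to go and is dropped.

```python
"""Toy NAT box covering static, dynamic and overloaded (PAT) translation.

Added example, not lecture code. Addresses are constructed: RFC 1918 space
inside, documentation ranges (203.0.113.0/24, 198.51.100.0/24) outside.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatBox:
    def __init__(self, static=None, pool=None, pat_ip=None, first_port=1024):
        self.static = dict(static or {})            # inside -> registered, 1:1
        self.rstatic = {v: k for k, v in self.static.items()}
        self.pool = list(pool or [])                # free registered addresses
        self.dynamic = {}                           # inside -> leased registered
        self.pat_ip = pat_ip                        # single registered address for PAT
        self.next_port = first_port
        self.pat_table = {}                         # public port -> (inside ip, inside port)
        self.pat_rev = {}                           # (inside ip, inside port) -> public port

    def outbound(self, pkt):
        """Translate a packet leaving the private network (None = no translation, drop)."""
        if pkt.src_ip in self.static:               # static NAT: fixed 1:1 address
            return Packet(self.static[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.src_ip in self.dynamic or self.pool: # dynamic NAT: lease from the pool
            if pkt.src_ip not in self.dynamic:
                self.dynamic[pkt.src_ip] = self.pool.pop(0)
            return Packet(self.dynamic[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if self.pat_ip is None:
            return None
        key = (pkt.src_ip, pkt.src_port)            # overloaded NAT: one address, many ports
        if key not in self.pat_rev:
            port = self.next_port
            self.next_port += 1
            self.pat_rev[key] = port
            self.pat_table[port] = key
        return Packet(self.pat_ip, self.pat_rev[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a packet arriving from outside (None = no mapping, drop)."""
        if pkt.dst_ip in self.rstatic:              # static: always reachable from outside
            return Packet(pkt.src_ip, pkt.src_port, self.rstatic[pkt.dst_ip], pkt.dst_port)
        for inside, outside in self.dynamic.items():  # dynamic: reachable while leased
            if outside == pkt.dst_ip:
                return Packet(pkt.src_ip, pkt.src_port, inside, pkt.dst_port)
        if pkt.dst_ip == self.pat_ip and pkt.dst_port in self.pat_table:
            in_ip, in_port = self.pat_table[pkt.dst_port]  # PAT: only replies to open ports
            return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
        return None


if __name__ == "__main__":
    box = NatBox(static={"192.168.1.10": "203.0.113.10"},
                 pool=["203.0.113.20"], pat_ip="203.0.113.1")
    print(box.outbound(Packet("192.168.1.60", 40000, "198.51.100.7", 443)))
    print(box.inbound(Packet("198.51.100.7", 443, "203.0.113.1", 9999)))
```

Two LAN hosts using the same source port are kept apart by the public port PAT assigns them, which is exactly what the kernel's connection-tracking table does behind `-j SNAT` when several inside hosts share `$PPP_IP`.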
CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p27, 15th May 2024.