Nad710 Network Address Translation
Network Address Translation
Transcript

  • 1. NAD710 - Introduction to Networks Using Linux: Network Address Translation. May 28, 2003, Professor Tom Mavroidis
  • 2. Introduction. The IP Internet has had two most significant problems:
    • IP address depletion
    • Scaling in routing
    Two types of solutions were proposed: short-term and long-term. The first short-term solution was CIDR (Classless Inter-Domain Routing).
  • 3. Proposals. The long-term solutions consist of various proposals for new Internet protocols with larger addresses (IPv6). When CIDR failed to further maintain the IP Internet structure, there came another proposal: NAT. NAT is not a very far-reaching or long-term solution, but at least it is very fast, provides extra time until better solutions are designed, and is almost independent from the outer networks.
  • 4. When is a NAT Solution Required ?
    • If you have an intranet with non-routable addresses.
    • You require a very limited number of IP addresses for inbound connectivity or have a limited number of globally unique IP addresses from your ISP.
    • You want the addresses within a stub domain to be used by any other stub domains.
    • You prefer not to use proxy servers but would rather have a more general address domain.
    • You do not want to pay more to your ISP just for outbound connectivity.
  • 5. What is NAT? NAT is the translation of either a subset or all of the IP addresses in a sub-domain to globally unique address(es). From an operational point of view, it is a function imposed on the router; that is, a router on the gateway border is configured as a Network Address Translator.
  • 6. Three Main Implementations
    • Static Address Translation: m:n translation, m,n >= 1 and m = n
    • Dynamic Address Translation: m:n translation, m >= 1 and m >= n
    • IP Masquerading: m:n translation, m >= 1 and n = 1
    Where m = number of IPs to be translated and n = number of IPs available for translation.
  • 7. The RFCs are as follows: RFC 1631 and RFC 2694 (RFC 1631 covers the first four items below, RFC 2694 the DNS items).
    • Basic definitions
    • Address spaces
    • Routing across NAT
    • Header and checksum manipulations
    • DNS extensions to NAT
    • Private networks with/without DNS servers
    • Incoming and outgoing name lookup queries
  • 8. ipchains implementation
    • Three permanent chains: input, forward, output.
    • Custom chains can be added.
    • The order of chains is important.
    • Basic communication rules and connectivity must be preserved (the ICMP group of messages is vital).
    • Special care must be taken for protocols using more than one port (ftp, irc, RealAudio, etc.).
    • Logging must be limited and maintained to prevent overflows.
    • Originated in the 2.1.102 to 2.2.x kernels.
  • 9. ipchains flow of events (flowchart): an inbound packet is first checksum (CRC) checked; a malformed packet is discarded as garbage with an error. It then passes the INPUT chain (deny/reject, or accept). The routing algorithm delivers accepted packets to a local process or, for forwarded packets, through the FORWARD chain (deny/reject, or pass on). Outbound packets, whether forwarded or originating from a local process, traverse the OUTPUT chain (deny/reject, or send).
  • 10. To get this thing going: enable IP forwarding for the kernel. Execute: echo "1" > /proc/sys/net/ipv4/ip_forward. Or make it permanent (persistent between boots) by assigning the variable IP_FORWARD = yes in the /etc/sysconfig/sysctl file. This will ensure basic router functionality. Use /sbin/ipchains-save > afilename to save the rules and /sbin/ipchains-restore < afilename to restore the rules.
  • 11. ipchains syntax: ipchains -[flags] [input | output | forward | custom_chain] [options] [action]; ipchains -M [-L | -S] [options]. A very simple example with IP masquerading (diagram): ROUTER WITH NAT, eth1 10.1.1.1 on the internal net 10.0.0.0, eth0 202.7.1.19 on the Internet.
  • 12. iptables with Netfilter
    • Built into the kernel
    • Three tables: filter, nat, mangle
    • Eight chains for the three tables:
    • filter / INPUT, filter / FORWARD, filter / OUTPUT
    • nat / PREROUTING, nat / OUTPUT, nat / POSTROUTING
    • mangle / PREROUTING, mangle / OUTPUT
    • Connection tracking
    • Higher-level abstraction and built-in functionality for NAT.
    • Kernel 2.4.x or higher
  • 13. Filter table: three built-in chains, INPUT, FORWARD, OUTPUT (diagram: an inbound packet passes the INPUT chain to local processes, or via the routing algorithm through the FORWARD chain to become an outbound packet; a packet from a local process passes the OUTPUT chain before leaving).
  • 14. nat table: three built-in chains, PREROUTING, OUTPUT, POSTROUTING (diagram: an inbound packet passes the PREROUTING chain before the routing algorithm; a packet from a local process passes the OUTPUT chain; every outbound packet passes the POSTROUTING chain before leaving).
  • 15. mangle table: two built-in chains, PREROUTING, OUTPUT (diagram: an inbound packet passes the PREROUTING chain before the routing algorithm; a packet from a local process passes the OUTPUT chain before becoming an outbound packet).
  • 16. iptables syntax: iptables -[flags] [chain] [options [extensions]] [action]. Syntax and examples: a very simple example with static IP translation (diagram): ROUTER WITH NAT, eth1 10.1.1.1 on the internal net 10.0.0.0/8, eth0 202.7.1.19 on the Internet, with a www server at 10.1.1.4 and an ftp server at 10.1.1.5 on the internal net.
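    The following script is an added example, not code from the slides: it writes iptables rules for the router in the slide-16 diagram, with one function for each of the three NAT types defined on slide 6 (masquerading, the iptables counterpart of the ipchains example on slide 11; dynamic; static), plus the filter rules that slide 8's cautions call for. The interface names, the address pool 202.7.1.20-202.7.1.30 and the port-based static mapping are assumptions; the addresses come from the diagram.

```shell
#!/bin/sh
# Added example, not from the slides: iptables rules (2.4 kernel) for the
# router in the slide-16 diagram, one function per NAT type from slide 6.
# Assumed topology: eth0 = 202.7.1.19 (Internet side), eth1 = 10.1.1.1
# (internal net 10.0.0.0/8), www host 10.1.1.4, ftp host 10.1.1.5.
# The pool 202.7.1.20-202.7.1.30 used for dynamic NAT is constructed here.
IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of applying
EXT_IF=eth0; EXT_IP=202.7.1.19
INT_IF=eth1; INT_NET=10.0.0.0/8
WWW=10.1.1.4; FTP=10.1.1.5
# IP masquerading (m:n, n=1): every internal host leaves as 202.7.1.19.
# The ipchains form on slide 11 was: ipchains -A forward -s 10.0.0.0/8 -j MASQ
masq_rules() {
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE
}

# Dynamic translation (m >= n): outbound hosts are mapped onto an address pool.
dynamic_nat_rules() {
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" \
        -j SNAT --to-source 202.7.1.20-202.7.1.30
}

# Static translation (m = n): a fixed mapping per published server; with one
# public address the service port selects which internal host receives it.
static_nat_rules() {
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WWW"
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 21 \
        -j DNAT --to-destination "$FTP"
}

# The nat table only rewrites headers; filter/FORWARD still decides whether
# the translated packet may cross the router. Default-deny, allow replies and
# outbound traffic, expose only the two services, log the rest at a limited
# rate (slide 8: logging must be limited so it cannot overflow).
filter_rules() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$WWW" -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$FTP" -p tcp --dport 21 -j ACCEPT
    $IPT -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "FWD-DROP: "
}
# Apply when invoked as "sh nat.sh apply". ftp opens a second data connection
# (slide 8), so load the helpers first: modprobe ip_conntrack_ftp; modprobe ip_nat_ftp
if [ "${1:-}" = apply ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward      # slide 10: enable forwarding
    filter_rules; static_nat_rules; masq_rules  # pick one POSTROUTING style only
fi
```

Running it with IPT=echo shows the rule set without touching the kernel, which is also a convenient way to review what will be loaded before applying it on the router.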
  • 17. Lab topology (diagram): a ROUTER running SuSE 8.0 joins the networks 192.168.0 and 192.168.1, which are wired through a 10 Mb/s repeater and a 100 Mb/s switch; hosts are two RedHat 6.2 and two Windows 98 machines. Addresses shown: 192.168.0.1, 192.168.0.14, 192.168.0.16, 192.168.1.13, 192.168.1.15, 192.168.1.16.
  • 18. Lab topology with NAT (diagram): a ROUTER with NAT running SuSE 8.0 joins the networks 192.168.0 and 192.168.1 (100 Mb/s switch, 10 Mb/s repeater); a Windows 98 host with NAT connects to the Internet over ppp; the other hosts are two RedHat 6.2 and one further Windows 98 machine. Addresses shown: 192.168.0.1, 192.168.0.13, 192.168.0.14, 192.168.0.15, 192.168.0.16, 192.168.1.13, 192.168.1.15, 192.168.1.16.
  • 19. Why – why not?
    Why:
    • Good short-term solution
    • Can be installed incrementally; only a few changes needed
    • No special infrastructure needed
    • Economical solution
    Why not:
    • Unexpected, unstable traffic load and bandwidth constraints.
    • The more addresses there are, the higher the probability of mis-addressing.
    • Does not fit with certain applications.
    • Identity of hosts is screened (may be a plus or a minus).
    • DNS incompatibility issues
  • 20. Bibliography:
    • Presentation Submission by Haulk Madenciaglu
    • Computer Bits August 1997 Vol 7 No.8
    • Network Address Translation by Ted Mittelstaedt
    • RFC 1631 by K. Egevang and P. Francis
    • RFC 2694 by P. Akkiraju and A. Heffernan
    • IP NAT by Michael Hasenstein 1997
    • http://www.suse.de/~mha/HyperNews/get/linux-ip-nat.html
    • Linux TCP/IP Network Administration by S. Mann 2002 PHI