Nad710   Network Address Translation
    Presentation Transcript

    • NAD710 - Introduction to Networks Using Linux. Network Address Translation. May 28, 2003. Professor Tom Mavroidis.
    • Introduction: the IP Internet has had two major problems:
      • IP address depletion
      • Scaling in routing
      Two types of solutions were proposed: short-term and long-term. The first short-term solution was:
      • CIDR (Classless Inter Domain Routing)
    • Proposals: the long-term solutions consist of various proposals for new Internet protocols with larger addresses (IPv6). When CIDR failed to further sustain the IP Internet structure, another proposal came along: NAT. NAT is not a very far-reaching or long-term solution, but it is very fast to deploy, buys extra time until better solutions are designed, and is almost independent of the outer networks.
    • When is a NAT Solution Required ?
      • If you have an intranet with non-routable addresses.
      • You require a very limited number of IP addresses for inbound connectivity or have a limited number of globally unique IP addresses from your ISP.
      • You want the addresses within a stub domain to be used by any other stub domains.
      • You prefer not to use proxy servers but would rather have a more general address domain.
      • You do not want to pay more to your ISP just for outbound connectivity.
    • What is NAT? NAT is the translation of either a subset or all of the IP addresses in a sub-domain to globally unique address(es). From an operational point of view, it is a function imposed on the router: a router on the gateway border is configured as a Network Address Translator.
    • Three Main Implementations
      • Static Address Translation: m:n translation, m,n >= 1 and m = n
      • Dynamic Address Translation: m:n translation, m >= 1 and m >= n
      • IP Masquerading: m:n translation, m >= 1 and n = 1
      Where: m = number of IPs to be translated; n = number of IPs available for translation
    • The RFCs are as follows: RFC 1631 (the IP Network Address Translator) and RFC 2694 (DNS extensions to NAT)
      • RFC 1631: basic definitions
      • RFC 1631: address spaces
      • RFC 1631: routing across NAT
      • RFC 1631: header and checksum manipulations
      • RFC 2694: DNS extensions to NAT
      • RFC 2694: private networks with/without DNS servers
      • RFC 2694: incoming and outgoing name lookup queries
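The "header and checksum manipulations" item above is where a NAT box most often goes wrong in practice: after rewriting an address it must fix the IP header checksum (and, because of the pseudo-header, the TCP/UDP checksum too), and the RFCs describe doing this incrementally rather than recomputing the whole header. The script below is an added example, not part of the slides or of any of the cited RFCs' text; it builds a constructed 20-byte IPv4 header, rewrites the source address the way a translator would, and checks that the incremental update (the formula HC' = ~(~HC + ~m + m') from RFC 1624, applied per changed 16-bit word) yields the same checksum as a full recomputation. The addresses 192.168.1.10, 198.51.100.1 and 203.0.113.5 are sample values chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original slides): checksum bookkeeping for a
# NAT source-address rewrite on a constructed IPv4 header. POSIX sh only.

# 16-bit one's complement addition: add, then fold the carry back in.
ones_add() {
  _s=$(( $1 + $2 ))
  echo $(( (_s & 0xFFFF) + (_s >> 16) ))
}

# Split a dotted-quad address into its two 16-bit header words (decimal).
ip_words() {
  _old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$_old_ifs
  echo $(( ($1 << 8) | $2 )) $(( ($3 << 8) | $4 ))
}

# Full checksum over decimal 16-bit words (checksum field passed as 0),
# printed as four hex digits. This is what a full recompute costs.
ip_checksum() {
  _sum=0
  for _w in "$@"; do _sum=$(ones_add "$_sum" "$_w"); done
  printf '%04x\n' $(( ~_sum & 0xFFFF ))
}

# Incremental update (RFC 1624 eq. 3): HC' = ~(~HC + ~m + m'), once per
# changed word. Args: old checksum (hex), old address, new address.
checksum_update() {
  _hc=$(( ~0x$1 & 0xFFFF ))
  set -- $(ip_words "$2") $(ip_words "$3")   # $1 $2 old words, $3 $4 new words
  _hc=$(ones_add "$_hc" $(( ~$1 & 0xFFFF )))
  _hc=$(ones_add "$_hc" "$3")
  _hc=$(ones_add "$_hc" $(( ~$2 & 0xFFFF )))
  _hc=$(ones_add "$_hc" "$4")
  printf '%04x\n' $(( ~_hc & 0xFFFF ))
}

# Constructed header words: 0x4500 (v4, IHL 5, TOS 0), total length 60,
# id 0x1c46, DF flag, TTL 64 + protocol 6 (TCP), checksum 0, src, dst.
header_words() {
  echo 17664 60 7238 16384 16390 0 $(ip_words "$1") $(ip_words "$2")
}

# Rewrite src $1 -> $2 for a packet to dst $3. Prints "old new incremental";
# exit status 0 only when the incremental result equals the recompute.
nat_rewrite_check() {
  _old=$(ip_checksum $(header_words "$1" "$3"))
  _new=$(ip_checksum $(header_words "$2" "$3"))
  _inc=$(checksum_update "$_old" "$1" "$2")
  echo "$_old $_new $_inc"
  [ "$_new" = "$_inc" ]
}

nat_rewrite_check 192.168.1.10 203.0.113.5 198.51.100.1
```

Run as-is it prints the original checksum, the recomputed one and the incrementally updated one (the last two agree). The same `checksum_update` routine applies unchanged to the TCP and UDP checksums, since their pseudo-header contains the same two address words; forgetting that second update is the classic symptom of a half-done translator, where pings work but every TCP connection is silently discarded by the receiver.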
    • IP chains implementation
      • Three permanent chains: input – forward – output.
      • Custom chains can be added.
      • The order of chains is important.
      • Basic communication rules and connectivity must be preserved (the ICMP group of messages is vital)
      • Special care must be taken for protocols using more than one port (ftp, irc, realaudio etc.)
      • Logging must be limited and maintained to prevent overflows
      • Originated in the 2.1.102 to 2.2.x kernels
    • IP chains flow of events (diagram): an inbound packet is first checked (CRC; a malformed packet is discarded as garbage with an error), then passes the INPUT chain (deny/reject or accept). The routing algorithm then decides between a local destination (local processes) and a forwarded packet, which goes through the FORWARD chain (deny/reject or accept). Outbound packets, whether forwarded or generated by local processes, go through the OUTPUT chain (deny/reject or accept) before leaving.
    • To get this thing going
      • Enable IP forwarding for the kernel. Execute: echo "1" > /proc/sys/net/ipv4/ip_forward
      • Or make it permanent (persistent between boots) by assigning the variable IP_FORWARD = yes in the /etc/sysconfig/sysctl file. This will ensure basic router functionality.
      • Use /sbin/ipchains-save > afilename to save the rules
      • Use /sbin/ipchains-restore < afilename to restore the rules
    • IP chains syntax: ipchains -[flags] [input | output | forward | custom_chain] [options] [action]; ipchains -M [-L | -S] [options]. A very simple example with IP Masquerading: (diagram: ROUTER WITH NAT, interfaces eth1 and eth0, between the Internet and the internal net)
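As an added example of the masquerading picture above (this is not the slides' own configuration), the script below generates the ipchains commands for the router: forwarding on, the multi-port helpers the earlier slide warns about, a deny-by-default forward chain, and a single MASQ rule for the internal net. It assumes eth0 is the Internet side and 192.168.1.0/24 is the internal net; both can be overridden through EXT_IF and INT_NET. Because ipchains needs a 2.2 kernel, the script only prints the commands so they can be reviewed and then piped to sh on the router; it also refuses to masquerade anything outside the RFC 1918 ranges, since a globally routable internal range is almost always a misconfiguration.

```shell
#!/bin/sh
# Added example (not from the original slides): generate an ipchains
# IP Masquerading ruleset. Assumed layout: eth0 = Internet, eth1 = internal net.
EXT_IF=${EXT_IF:-eth0}
INT_NET=${INT_NET:-192.168.1.0/24}

# Only private (RFC 1918) space should ever be masqueraded.
is_private_net() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the commands for one external interface and one internal net.
masq_rules() {
  _ext=$1; _net=$2
  is_private_net "$_net" || { echo "refusing to masquerade public range $_net" >&2; return 1; }
  cat <<EOF
# forwarding on (the slide's echo "1" line); without it nothing is forwarded
echo 1 > /proc/sys/net/ipv4/ip_forward
# helpers for protocols that open extra connections (ftp, irc, realaudio)
for m in ip_masq_ftp ip_masq_irc ip_masq_raudio; do /sbin/modprobe \$m; done
# start from an empty forward chain that denies by default
/sbin/ipchains -F forward
/sbin/ipchains -P forward DENY
# masquerade only the internal net, and only when leaving via the external interface
# (in the forward chain, -i names the outgoing interface)
/sbin/ipchains -A forward -s $_net -i $_ext -j MASQ
# log what the policy is about to drop; keep logging sparse, as the slide warns
/sbin/ipchains -A forward -l -j DENY
# keep the rules for the next boot (restore with ipchains-restore)
/sbin/ipchains-save > /etc/ipchains.rules
EOF
}

# Print the generated script; on the router: sh masq.sh | sh
masq_rules "$EXT_IF" "$INT_NET"
```

The order matters, as the ipchains slide says: the MASQ rule must come before the logging DENY rule, and the default policy must be DENY so that a host that is not in the internal net cannot bounce traffic through the router.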
    • IP tables with Netfilter
      • Built into kernel
      • Kernel 2.4.x or higher
      • Three tables: filter - nat - mangle
      • Eight chains for three tables:
      • filter / INPUT, filter / FORWARD, filter / OUTPUT
      • nat / PREROUTING, nat / OUTPUT, nat / POSTROUTING
      • mangle / PREROUTING, mangle / OUTPUT
      • Connection tracking
      • Higher level abstraction and built-in functionality for NAT.
    • Filter table: three built-in chains: INPUT - FORWARD - OUTPUT. (diagram: inbound packet → INPUT chain → local processes; routing algorithm → FORWARD chain → outbound packet; packet from a local process → OUTPUT chain → outbound packet)
    • nat table: three built-in chains: PREROUTING - OUTPUT - POSTROUTING. (diagram: inbound packet → PREROUTING chain → routing algorithm → local processes, or → POSTROUTING chain → outbound packet; packet from a local process → OUTPUT chain → POSTROUTING chain → outbound packet)
    • mangle table: two built-in chains: PREROUTING - OUTPUT. (diagram: inbound packet → PREROUTING chain → routing algorithm → local processes or outbound packet; packet from a local process → OUTPUT chain → outbound packet)
    • IP tables syntax: iptables -[flags] [chain] [options [extensions]] [action]. A very simple example with Static IP Translation: (diagram: ROUTER WITH NAT, interfaces eth1 and eth0, between the Internet and an internal net with www and ftp servers)
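The static-translation picture above, as an added example that is not part of the slides: a 2.4-era iptables ruleset where the internal www and ftp servers each get their own public address (m:n with m = n). It assumes eth0 faces the Internet, eth1 the internal net 192.168.1.0/24, and that 192.168.1.10 (www) and 192.168.1.11 (ftp) are published as 203.0.113.10 and 203.0.113.11; the public addresses are documentation-range placeholders. The nat table does the rewriting (PREROUTING before routing for inbound, POSTROUTING after routing for outbound) while the filter table's FORWARD chain decides what is allowed through, and connection tracking takes care of the reply direction and of the ftp data connection. As with the ipchains example, the functions print the commands for review; pipe the output to sh on the router to apply it.

```shell
#!/bin/sh
# Added example (not from the original slides): generate a static 1:1 NAT
# ruleset for iptables/netfilter on a 2.4 kernel. Assumed layout below.
EXT_IF=eth0
INT_IF=eth1
INT_NET=192.168.1.0/24

# One static mapping: args public_ip private_ip. DNAT rewrites the destination
# of inbound packets before routing; SNAT rewrites the source of the server's
# outbound packets after routing, so it always appears as its public address.
static_nat_pair() {
  cat <<EOF
/sbin/iptables -t nat -A PREROUTING -i $EXT_IF -d $1 -j DNAT --to-destination $2
/sbin/iptables -t nat -A POSTROUTING -o $EXT_IF -s $2 -j SNAT --to-source $1
EOF
}

# Admit new inbound connections to exactly one service on one server.
# FORWARD sees the packet after DNAT, so it matches on the private address.
allow_inbound_service() {   # args: private_ip tcp_port
  echo "/sbin/iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $1 -p tcp --dport $2 -m state --state NEW -j ACCEPT"
}

ruleset() {
  cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
# ftp opens a second data connection; these helpers track and translate it
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/iptables -F
/sbin/iptables -t nat -F
# nothing crosses the router unless a rule below says so
/sbin/iptables -P FORWARD DROP
# replies and related connections (the ftp data channel) in either direction
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# the internal net may open connections outward
/sbin/iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -m state --state NEW -j ACCEPT
# public hosts reach only the published services
EOF
  allow_inbound_service 192.168.1.10 80
  allow_inbound_service 192.168.1.11 21
  static_nat_pair 203.0.113.10 192.168.1.10
  static_nat_pair 203.0.113.11 192.168.1.11
  # log the rest, rate-limited: the ipchains slide's warning about log overflow applies here too
  echo "/sbin/iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix 'FORWARD drop: '"
}

ruleset
```

Note what the DNAT rule alone does not do: without the matching FORWARD rule, the translated packet is still dropped by the FORWARD policy, so publishing a server is always two rules (one in nat, one in filter). That split is what lets the static mapping expose port 80 on the www host and port 21 on the ftp host while everything else on those hosts stays unreachable from the Internet.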
    • (diagram: test network. A ROUTER running SuSE 8.0 joins the 192.168.0 and 192.168.1 segments; the hosts are two RedHat 6.2 machines and two Windows 98 machines, attached through a 10 Mb/s repeater and a 100 Mb/s switch.)
    • (diagram: the same network with a ROUTER with NAT running SuSE 8.0 between the 192.168.0 and 192.168.1 segments and the internet; the picture also shows "Windows 98 with NAT", a ppp link, two RedHat 6.2 hosts, two Windows 98 hosts, a 100 Mb/s switch and a 10 Mb/s repeater.)
    • Why – Why not?
      • Good short term solution
      • Can be installed incrementally – a few changes needed
      • No special infrastructure needed
      • Economical solution
      • Unexpected-unstable traffic load, bandwidth constraints.
      • The more addresses there are, the higher the probability of mis-addressing.
      • Does not fit with certain applications.
      • Identity of hosts screened (may be a plus or a minus)
      • DNS incompatibility issues
    • Bibliography:
      • Presentation Submission by Haulk Madenciaglu
      • Computer Bits August 1997 Vol 7 No.8
      • Network Address Translation by Ted Mittelstaedt
      • RFC 1631 by K. Egevang and P. Francis
      • RFC 2694 by P. Akkiraju and A. Heffernan
      • IP NAT by Michael Hasenstein 1997
      • http://www.suse.de/~mha/HyperNews/get/linux-ip-nat.html
      • Linux TCP/IP Network Administration by S. Mann 2002 PHI