NAD710 - Introduction to Networks Using Linux
Network Address Translation
May 28, 2003
Professor Tom Mavroidis
Introduction

The IP Internet has had two major problems:
- IP address depletion
- Scaling in routing
Proposals

Two types of solutions were proposed: short-term and long-term.

The first short-term solution was CIDR (Classless Inter-Domain Routing).

The long-term solutions consist of various proposals for new Internet protocols with larger addresses (IPv6).

When CIDR failed to sustain the structure of the IP Internet any further, another proposal came along: NAT.

NAT is not a very far-reaching or long-term solution. But at least it is very fast, buys extra time until better solutions are designed, and is almost independent of the outer networks.
NAT fits when:
- You have an intranet with non-routable addresses.
- You require a very limited number of IP addresses for inbound connectivity, or have a limited number of globally unique IP addresses from your ISP.
- You want the addresses within a stub domain to be usable by any other stub domains.
- You prefer not to use proxy servers but would rather have a more general address domain.
- You do not want to pay more to your ISP just for outbound connectivity.
What is NAT?

NAT is the translation of either a subset or all of the IP addresses in a sub-domain to globally unique address(es). From an operational point of view, it is a function imposed on the router: that is, a router on the gateway border is configured as a Network Address Translator.
- Basic communication rules and connectivity must be preserved (the ICMP group of messages is vital).
- Special care must be taken for protocols using more than one port (ftp, irc, realaudio, etc.).
- Logging must be limited and maintained to prevent overflows.
IP chains

ipchains originated in the 2.1.102 to 2.2.x kernels.
IP chains flow of events (diagram): an inbound packet is checksummed (CRC) and checked for being malformed (garbage is dropped with an error); it then enters the INPUT chain (accept, or deny/reject). Accepted packets go to the routing algorithm: a packet for a local destination is delivered to local processes; a forwarded packet passes through the FORWARD chain (deny/reject or accept). Outbound packets, whether forwarded or from local processes, pass through the OUTPUT chain (deny/reject or accept) before leaving.
To get this thing going

Enable IP forwarding for the kernel. Execute:

    echo "1" > /proc/sys/net/ipv4/ip_forward

Or make it permanent (persistent between boots) by assigning the variable IP_FORWARD = yes in the /etc/sysconfig/sysctl file. This will ensure basic router functionality.

Use /sbin/ipchains-save > afilename to save the rules.
Use /sbin/ipchains-restore < afilename to restore the rules.
IP chains syntax

    ipchains -[flags] [input | output | forward | custom_chain] [options] [action]
    ipchains -M [-L | -S] [options]

A very simple example with IP Masquerading (diagram): ROUTER WITH NAT, with eth1 10.1.1.1 on the internal net 10.0.0.0 and eth0 188.8.131.52 on the Internet.
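The steps on the two slides above (enable forwarding, write the rules, save them) carried through for the router in the diagram. This is an added example, not code from the slides: the interface names and the 10.0.0.0 net are the slide's, while the DRY_RUN switch, the rules file path and the anti-spoofing rule are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the slides: turn the router drawn above into a
# masquerading gateway with ipchains (2.2 kernel). The interface names and the
# 10.0.0.0 net are the slide's; the DRY_RUN switch, the rules file path and the
# anti-spoofing rule are assumptions of this example.
set -u

INT_NET="10.0.0.0/8"                              # internal net behind eth1 (10.1.1.1)
EXT_IF="eth0"                                     # Internet side (188.8.131.52)
RULES_FILE="${RULES_FILE:-/etc/ipchains.rules}"   # assumed path for ipchains-save

# Print the command instead of running it when DRY_RUN=1 (review before apply).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Step 1: enable forwarding (lost at reboot; IP_FORWARD=yes in
# /etc/sysconfig/sysctl makes it persistent, as the slide says).
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Step 2: masquerade. In the forward chain -i names the interface the packet
# will leave by, and -j MASQ is only valid there. Everything else that would be
# forwarded is denied by policy, and packets arriving from the Internet with an
# internal source address are denied and logged (-l) in the input chain.
masquerade_rules() {
    run ipchains -F forward
    run ipchains -P forward DENY
    run ipchains -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
    run ipchains -A input -i "$EXT_IF" -s "$INT_NET" -j DENY -l
}

# Step 3: save the rules; ipchains-restore < "$RULES_FILE" brings them back.
save_rules() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "/sbin/ipchains-save > $RULES_FILE"
    else
        /sbin/ipchains-save > "$RULES_FILE"
    fi
}

# Usage: DRY_RUN=1 sh masq.sh apply   (print)      sh masq.sh apply   (as root)
if [ "${1:-}" = "apply" ]; then
    enable_forwarding && masquerade_rules && save_rules
fi
```

Run it once with DRY_RUN=1 to read the rules it would load; the only logged rule is the anti-spoofing one, which keeps the log volume bounded as the earlier slide asks.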
IP tables packet flow (diagram, panels "Inbound packet flow" and "Inbound packet flow from a local process"): an inbound packet enters the PREROUTING chain, then the routing algorithm, and is delivered to local processes; a packet from a local process passes through the OUTPUT chain and the routing algorithm before leaving as an outbound packet. The mangle table is marked on the PREROUTING and OUTPUT chains.
IP tables syntax and examples

    iptables -[flags] [chain] [options [extensions]] [action]

A very simple example with Static IP Translation (diagram): ROUTER WITH NAT, with eth1 10.1.1.1 on the internal net 10.0.0.0/8 and eth0 184.108.40.206 on the Internet; the internal net holds a www server at 10.1.1.4 and an ftp server at 10.1.1.5.
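The static translation for the router in that diagram, written out with iptables. This is an added example, not code from the slides: the interfaces, addresses and the www/ftp hosts are the slide's; the DRY_RUN switch, the filter-table rules and the rate-limited logging are assumptions of this example. It also covers the earlier points about multi-port protocols (the FTP helpers) and limited logging.

```shell
#!/bin/sh
# Added example, not from the slides: static translation for the router drawn
# above with iptables (2.4 kernel). Interfaces, addresses and the www/ftp hosts
# are the slide's; the DRY_RUN switch, the filter rules and the rate-limited
# logging are assumptions of this example.
set -u

EXT_IF="eth0"; EXT_IP="184.108.40.206"       # Internet side
INT_IF="eth1"; INT_NET="10.0.0.0/8"          # internal side (10.1.1.1)
WWW="10.1.1.4"; FTP="10.1.1.5"               # servers published on EXT_IP

# Print the command instead of running it when DRY_RUN=1 (review before apply).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Inbound static translation: packets arriving on eth0 for the public address
# get their destination rewritten before routing (nat table, PREROUTING chain).
dnat_rules() {
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WWW"
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 21 \
        -j DNAT --to-destination "$FTP"
}

# Outbound: the internal net leaves eth0 with the public address as source
# (nat table, POSTROUTING chain, after routing).
snat_rules() {
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j SNAT --to-source "$EXT_IP"
}

# Translation permits nothing by itself: the filter table's FORWARD chain still
# decides. Default-deny, then allow replies (ESTABLISHED) and the related flows
# conntrack knows about (ICMP errors, FTP data channels), traffic from inside,
# and only the two published services from outside. The last rule logs what is
# about to be dropped, rate-limited so the log cannot overflow.
forward_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$EXT_IF" -s "$INT_NET" -j DROP      # spoofed source
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -d "$WWW" -p tcp --dport 80 -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -d "$FTP" -p tcp --dport 21 -j ACCEPT
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "NAT-DROP: "
}

# FTP opens a second connection for data; these helpers follow the PORT/PASV
# exchange so the data channel is translated and matched as RELATED.
ftp_helpers() {
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
}

# Usage: DRY_RUN=1 sh static-nat.sh apply   (print)    sh static-nat.sh apply   (as root)
if [ "${1:-}" = "apply" ]; then
    ftp_helpers && dnat_rules && snat_rules && forward_rules
fi
```

The order inside forward_rules matters: the accept rules come before the LOG rule, so only traffic that is about to hit the DROP policy is logged, and -m limit caps how fast it can fill the log.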