Linux 2.4 Nat Howto Simplified Chinese version Rusty Russell@lisms.samba.org owned! NetManForever@yahoo.com provides Traditional references to this document explains how to camouflage, transparent proxy, port forwarding, and Linux 2.4 kernel other types of network address conversion (Network
Address Translations. 1. Introduction 2. Official sites and lists 2.1 What is NAT? 2.2 Why do I need NAT? 3. Two types of NAT 4. Quick conversion from 2.0 and 2.2 kernels 4.1 I just want to disguise! Help! 4.2 About IPMASQADM 5. NAT can control what 5.1 Make simple selection with iptables 5.2 See which packages should be split (Mangle) 6. Talk about how to split the package 6.1 Source address NAT 6.1.1 Camouflage 6.2 destination address NAT 6.2.1 Redirect 6.3 Deep Mapping 6.3.1 Selection of Multiple Addresses in a range 6.3.2 Empty NAT Mapping 6.3.3 Standard NAT Behavior 6.3.4 Internal Source Port Map 6.3.5 How does NAT failed? ? 6.3.6 Multi-Mapping, Overlap, and Conflict 6.3.7 Modify the target address of the local generated connection 7. Specific protocol 8. About NAT WARNING 9. The source address NAT and the selection 10. Target address NAT 11 in the same network. Thanks 1. Introduction Welcome, dear readers. You will have to go deep into a fascinating (sometimes a bored) NAT world: network address transformation, this HOWTO can be your Linux2.4 core and later
Accurate guide. In Linux2.4 (kernel version), a part of "Netfilter" is introduced to split (IP) packet. He last
The layer provides NAT, which is completely relying entirely on the previous kernel production. (Translator Note: Mangle really can't find any suitable translation, sorry) (c) 2000 Paul `Rusty 'Russell. Licensed Under The GNU GPL.
-------------------------------------------------- ------------------------------ 2, official sites and lists There are three official sites here: o Thanks to FileWatcher http: / /Netfilter.FileWatcher.org.o Thanks to the Samba Team and SGI http: //netfilter.samba.org.o Thanks to Harald Welte http://netfilter.gnumonks.org. You can access all relevant sites through the following sites. Http://www.netfilter.org and http://www.iptables.org The following is the NetFilter official mailing list http://www.netfilter.org/contact.html#list.
-------------------------------------------------- ------------------------------ 2, 1 What is Network Address Translation? Usually, the (IP) package in the network is set from their source (address) (such as your computer), to their destination (such as www.gnums.org), will pass many different connectivity (LINKs): For example, there are 19 in Australia. These connectors will not really modify you
Package: They just pass them as original. (Translator Note: The links here should be considered all network nodes, including hosts, routers, and more. Usually, routers are not originally transmitted, at least
One point will modify: TTL) If these connections have a NAT, then it (we) will modify the source or target (address) of their packets. As you guess, this is
Non-system design is like that, but NAT has made some things. Usually NAT connection (host, server, router) will remember how it splits
In the package, while the bag of another response is passed, it will be reversed to the response package, so the world is still running. (Translator Note: This paragraph Mangle should imagine more appropriately)
-------------------------------------------------- ------------------------------ 2, 2 I want NAT? In the perfect world, you don't need it. At the same time, the main reason is: When using the modem to connect the Internet, most of the ISP will only give you an IP address, you can send any source address pack you want to send, but only respond (ISP
Giving you) the address of the address will return. If you want to have multiple different machines (such as a home network), you need NAT. This is now the most features of NAT, the "masquerading" of the Linux world is very famous, I call Snat (Snat Source Nat)
, Source address translation), because you have changed the source address of the first package. (Translator: About the first package of IP datagram, see each TCP / IP book) Multi (heavy) server Sometimes you want to change the target address of the package into the network (routing). Often, this is because (like the example above), you only have an IP address,
But you want everyone to enter the interior through the "true" IP address. If you rewrite the target address of the entered the package, there is no problem.
This NAT is called port forwarding in previous Linux versions. A common variant is load balancing and mapping on a set of machines. If you want to make a strict proportion limit, you may need to refer to Linux Virtual
Server. Http://linuxvirtualser.org Transparent agent Sometimes you may want to pass your Linux package to this machine. This requires a transparent agent: the agent is located in your network and outside
A process between the world helps both communicate. The reason is called transparent, it is your network at all, I don't know if he is talking to the agent, of course until the agent does not work properly. Squid can be configured to do this, in the previous Linux version it is referred to as a redirected or transparent agent.
-------------------------------------------------- ------------------------------ 3, NAT I have divided NAT into two different types: source NAT (SNAT) and Target NAT (DNAT). (Translator Note: The following no longer translate Snat and DNAT, use Source directly
NAT and DESTINATION NAT Source Nat refers to the source address of the first package: That is, change the source of the connection. Source Nat will do the last moment before packing out
Good post-routing (action), camouflage is a special form of SNAT. Destination NAT refers to the target address that modifies the first package: That is to say, change the destination of the connection. Destination Nat is always in the package
Before (immediately), Before Routing is performed. Port forwarding, load balancing and transparent agents are DNAT.
-------------------------------------------------- ---------------------------- 4, fast conversions from 2.0 and 2.2 kernels If you are still from 2.0 (iPFWADM) I am sorry for the transfer of 2.2 (ipchains). But this is also a message that is half-censoon.
. First, you can easily use ipchains and ipfwadm, just like it. However, you need to install the latest release NetFilter
"Ipchains.o" or "ipfwadm.o" kernel module. They are mutually exclusive (you will be warned), and you can't and any other NetFilter module
Combined. Once this one of this module is loaded, you can use ipchains and ipfwadm as previously, but there is still the following difference: use ipchains -m -s, or set the camouflage timeout with IPFWADM -M -S. This is not the new NAT architecture because the timeout has been transferred to the new NAT architecture.
Can do anything. In the detailed camouflage list, init_seq, delta and previous_delat fields are always zero. Zero and list counters are no longer valid: the counter cannot be zeroed. This type of backwardly compatible part may not effectively cooperate with most connections: Do not use developers in your company's gateway to pay attention: Whether or not to use a disguise, you can now bind port between 61000 - 65095. The previous camouflage code occupies this part of the port, so it cannot be used. "GetSockName" that has not been text, the transparent agent can be used to find the true destination address of the connection that is no longer working. "Bind-to-Foreign-Address" has not yet been enabled: This idea for complete transparency agents.
-------------------------------------------------- ------------------------------ 4, 1 I just want to disguise! Help! This is mostwee you want. If you use the PPP dial-up to get the IP (if you don't know, it should be Yes) You may just want to tell you
The machine, all the packages from the internal network, you have to look like a package on the PPP connection server. # Loading the NAT module (which replaces other) ModProbe iptable_nat # in the NAT table (-t nat), the route PostRouting Add a rule (-a) # All packets sent by PPP0 (-o PPP0) will be disguised ( -j masquerade). iptables -t nat -a postrouting -o ppp0 -j masquerade # Turn on IP forwarding Echo 1> / proc / sys / net / ipv4 / ip_forward Notice At this time you have not made any packages: If you need, see The Packet Filtering Howto. -------------------------------------------------- ------------------------------ 4, 2 So ipmasqadm? This is completely dependent on the user, so I don't worry about backward compatibility. You can use "iptables -t nat" to do port forwarding. E.g,
In Linux2.2 you have to do: # Turning the TCP packet pointing to 1.2.3.4 8080 port to 192.168.1.1 80-port IPMASQADM portfw -a -p tcp -L 1.2.3.4 8080 -R 192.168.1.1 80 Now you can do this: # 2.4 kernel, join a rule in the NAT (-t nat) table, point to the Route (-D 1.2.3.4) 8080 port before routing (--dport 8080) The TCP package (-P TCP) target address (-J DNAT) # is redirected to 80 ports of 192.168.1.1 (TO 192.168.1.1: 8). iptables -a preording -t nat -p tcp -d 1.2.3.4 --dport 8080 -j dnat --to 192.168.1.1:80
-------------------------------------------------- ------------------------------ 5, NAT can control what you need to create NAT rules to tell the kernel which connection will be changed And how to change. To do this, we have to use a lot everywhere.
The iptables tool and tells it to modify the NAT table with the specified "-t NAT" option. The NAT rule table contains three lists called "chain": each rule checks the package in order until there is a match. Two of them are called preording.
Used for Destination Nat, when the package is entered), postrouting (check when Source Nat, package is left), the third is called Output,
It can be ignored here. If I have enough artistic days, the following segments will accurately explain the above concept: _____ _____ / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / / -> postrol -----> / d-nat / [decision] / s-nat / | ^ | | | | | --------> Local process --- --- Every point described above, when we view the package of connectivity (middle), if it is a new connection, we look at the corresponding chain in the NAT table to see what you need to do. The result will be used as a reaction to all of this connection. (Translator Note: The connection here refers to a connection such as an HTTP session, rather than a physically routed, node)
-------------------------------------------------- ------------------------------ 5, 1 Use iptables to make simple selection below to list some of the standard options for iptables. All bilateral bars (-) options can be abbreviated. As long as iptables can use them to others
Option is enough to distinguish it. If your kernel supports iptables in module, you need to load with commands: insmod ip_tables
IP_TABLES.O This is the most important option form selection, "- t". For all NAT, you need to use '-t nat' to specify the NAT table. Secondly, '-a',
Add a new rule to the end of the chain (for example, '-a postrouting' to the postrouting chain), or '-i' from the beginning to insert a rule (for example
'-I preording'). You can specify the source (address) of the package you want to make NAT ('- s' or '--source') and the purpose (address) ('- d' or '--destination'
). These two options can be with a single IP address (eg 192.168.1.1), one name (such as www.gnumonks.org), or a network address
(For example, 192.168.1.0/25.255.255.0 [Translator: These two are equivalent, but the method is different]). You can specify a matching interface that enters or feeds. However, it can be specified depends on the chain you want to write to the rules: The prerouting chain You can only choose to enter the interface, and PostRouting can only choose to send the interface. If you use a wrong, iptables will give an error.
-------------------------------------------------- ------------------------------ 5, 2 about which bags should be selected to split (Mangle), I said above. You can specify the source address and destination address. If you ignore the source address option, all source addresses will be matched, and like ignore
Device, all target addresses will be matched. You can also marke a specified protocol ('-P' or '-Protocol'), such as TCP or UDP; then only the package of such protocols will match. so
The main reason for doing is the specified agreement, you can add additional options: Specify the '- Source-Port' source port and '--Destination-port' destination
The mouth option (can be abbreviated as '-sport' and '-dport'). These options allow you to match only those specific source ports and target ports. These do not affect the redirection web request (TCP 80 or 8080 port)
Other packs are very useful. These options must be followed behind the '-P' option (this may have a certain impact on the connection library loaded by the protocol). You can use the port number, or come
Self / etc / serverices file (port) name. All of these you can make a detailed manual in detail (Man iptables). (Translator Note
: See iptables man point Chinese version)
-------------------------------------------------- ------------------------------ 6, talk about how to split the package, now we know how to choose what we want to split Package. In order to complete our rules, we need to tell the kernel to tell the kernel we want to do it.
-------------------------------------------------- ------------------------------ 6, 1 Source Nat You want to make Source Nat, change the source address of the connection. This is done in the postrouiing chain, just at the last moment of it. This is a heavy
For details, all anything on Linux local machine (routing, package filtering) will see the package that has not changed. Also means '-o' (send out
The port) option is available. Use the specified '-j snat' to perform Source Nat, '- to-source' option Specify one or a paragraph IP address, (plus) one or a selection port
No. (only UDP and TCP protocol). # # 改 The source address is 1.2.3.4 # iptables -t nat -a postrouting -o eth0 -j snat --to 1.2.3.4 # Change the source address of 1.2.3.4, 1.2.3.5 or 1.2.3.6 # iptables -t nat - A postrouting -o eth0 -j snat --to 1.2.3.4-1.2.3.6 # Change the source address is 1.2.3.4, port 1-1023 # iptables -t nat -a postrol -p tcp -o eth0 -j snat - To 1.2.3.4:1-1023 -------------------------------------------------------------------------------------------------------------------- -------------------------------------- 6, 1, 1 case of camouflage Source Nat Cyups. It can only be used to dynamically assign an IP address. For example, standard dialing services (static IP address please use
Snat). You don't have to specify the source address for IP camouflage. It uses the package (address) that the package (address) as the source address. But more importantly, if that line
If the road is closed, the connection (no matter how it is lost), it will be forgotten, meaning that the package returned after the new IP will be a bit problem (refer to those
The package of the package issued before the line should be dropped. # 装 所有 所有 东 东 西 # iptables -t nat -a postrouting -o ppp0 -j masquerade
-------------------------------------------------- ------------------------------ 6, 2 Destination NAT is used for the preording chain, and the bag just entered. Means that anything on this machine is all "real" destination (translator's note:
Changed the address of the destination). It also means '-i' (entry) available. Use the specified '-j dnat' to perform the Destination NAT, '- to-Destination' option specifies one or one IP address, (plus) one or one
Segment selection port numbers (only for UDP and TCP protocols). # Change the target address is 5.6.7.8 # iptables -t nat -a preording -i eth0 -j dnat --to 5.6.7.8 # Change the target address is 5.6.7.8, 5.6.7.9 or 5.6.7.10 # iptables -t nat - A preording -i eth0 -j dnat --to 5.6.7.8-5.6.7.7.10 # Change the target address of the web transmission is 5.6.7.8, 8080 port # iptables -t nat -a preording -p TCP --Dport 80 -i Eth0 -J DNAT - TO 5.6.7.8:8080
-------------------------------------------------- ---------------------------- 6, 2, 1 Redirect Destination NAT is called redirection. It is equivalent to a simple and convenient form of DNAT to enter the interface. # Send the 100-port of the 80 port to our Squid agent # iptables -t nat -a preording -i eth1 -p tcp --dport 80 -j redirect --to-port 3128 Note Squid needs to be configured Transparent agent.
-------------------------------------------------- ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Detail. -------------------------------------------------- ------------------------------ 6, 3, 1 Selection of multiple addresses in one range If specified the scope of the IP address, Then the machine chooses the least use of the current use of the IP address. This achieves the most simple load balance.
-------------------------------------------------- ---------------------------- 6, 3, 2 Establish an empty NAT mapping. You can use the '-j accept' target to make the connection pass, no NAT participation.
-------------------------------------------------- ------------------------------ 6, 3, 3 Standard NAT behavior is based on the intrinsic constraint rules given by users, The minimum change is made. That is, unless it is necessary to do port remapping.
-------------------------------------------------- ---------------------------- 6, 3, 4 Internal source port mapping If other connections cover a connection, even if this The connection does not need to use NAT, and the source address conversion will still happen. Considering IP camouflage, this situation is not
Often common. 1, a web connection from 192.168.1.1 1024 port to www.netscape.com 80 port, which is disguised into IP addresses (1.2.3.4) 3, IP camouflage servers attempt to establish a from WWW. Netscape.com 80 ports to 1.2.3.4 1024 ports WEB connection (its own external interface IP
Site) 4, the NAT code will modify the source address of the second connection to 1025, which will not conflict. When this internal source address mapping occurs, the port is divided into three ports 512 to 1023 of the ports 512 to 1023, and the internal ports of the ports 512 to 1023 below are not mapped (other than this) other types.
-------------------------------------------------- ------------------------------ 6, 3, 5 What if the NAT failed? If you can't follow the user request, create a separate mapping for the connection, (package) will be deleted. This also applies to those who cannot be classified as any connection.
Bacardrule, because they are malformed, or host memory overflow.
-------------------------------------------------- ------------------------------ 6, 3, 6 Multi-map, overlap and conflict Your NAT rules can map the package to The same range. The NAT code is smart to avoid their conflict. Therefore, two rules will be 192.168.1.1 and
The source address map of 192.168.1.2 is mapped to 1.2.3.4 is no problem. Moreover, you can map to the true, already used IP address, as long as those addresses are passed through this server. So if you assign to a network
(1.2.3.0/24), but there is an internal network used these addresses, the other is private address 192.168.1.0/24, you can easily NAT
From 192.168.1.0 (source address) of 1.2.3.0, do not worry about conflicts. # iptables -t nat -a postrouting -s 192.168.1.0/24 -o Eth1 -j SNAT - TO 1.2.3.0/24 The same logic is also applicable to the address of the NAT server itself. This is the reason for camouflage work (by the camouflage package and "true" package from the own body). Even, you can map the same package to many different goals, they will be shared. For example, if you don't want to map anything to 1.2.3.5, you can
To do this: # iptables -t nat -a postrouting -s 192.168.1.0/24 -o Eth1 -j snat - TO 1.2.3.0-1.2.3.4 --to 1.2.3.6
-1.2.3.254
-------------------------------------------------- ---------------------------- 6, 3, 7 Modify the local generated connection target address NAT code allows you to insert DNAT rules Go to the OUTPUT chain, but this is not fully supported in 2.4 (can be used, but must be used in new configuration options, some
The code in the test. So unless someone writes this part of the code in the crazy, I don't believe it will be quickly realized). The current limit is that you can only modify the target address to this machine (for example, '-j DNAT --to 127.0.0.1'), cannot go to any other machine, otherwise
Can it be able to be converted correctly.
-------------------------------------------------- ----------------------------- 7, some agreements do not want to be NAT. These protocols, two extensions must be indicated: one is the connection track of the protocol, one is real NAT. In the released Netfilter, there is available FTP module: ip_conntrack_ftp.o and ip_nat_ftp.o. If you load any module to you
The kernel (or compile), then any NAT regarding the FTP connection is feasible. If not, you can only use passive FTP (Passive FTP)
And if you have some Source Nat, it (referring to FTP) may not work reliably.
-------------------------------------------------- ------------------------------ 8, about NAT warning If you do NAT, all two-way transfer (enter) And send out the network) must pass the NAT server, otherwise the NAT server works may not
by. In particular, the connection tracking code is reorganized, which means not only the connection tracking cannot be reliably, and even all packs cannot pass because
Split was discarded.
-------------------------------------------------- ------------------------------ 9, Source Nat and Route If you have to do Snat, you must pay attention to all machines being Snat The response to the package will be sent to the NAT server. For example, if you map some of the packaged packages
The source address is 1.2.3.4, then the external router must know the address to the NAT server to send the response package. It can be done: 1. If you do Snat for this unit, you don't need to do anything. 2, if you do SNAT to unused addresses in the local LAN (for example, you are mapped to 1.2.3.99, your NAT server needs to be like that address (99) In response to ARP requests as appropriate. The easiest way is to create an IP alias, such as: # ip address add 1.2.3.99 dev eth0 3, if you do Snat for completely different addresses, you must guarantee that the machine arriving by the SNAT will return to the NAT server. If the NAT server is their
The default gateway, then it is already, otherwise you need to release a route (if the routing protocol is run) or manually add route to each machine.
-------------------------------------------------- ------------------------------ 10, the Destination NAT in the same network. If you want to do port to the same network, you need to confirm that all subsequent packages and responses are passed through the NAT server (so they can be modified).
NAT code is now (from 2.4.0-Test6), which will shield the ICMP redirection sent by NAT's package, but the received server will continue to try directly.
Respond to customers. (Will not understand this response) The classic situation is that the internal staff tries to access your "public" web server, and it actually has been dnat to the internal machine from the public address (1.2.3.4)
(192.168.1.1), for example: # iptables -t nat -a preording -d 1.2.3.4 -p TCP - Dport 80 -J DNAT - TO 192.168.1.1 One way is to run an internal DNS server, it knows The true (internal) IP address of your public (external) web server, and forwards all its
He requests an external DNS server. That is to say your web server can record real internal IP addresses. Another way is to let NAT servers map those connected source addresses to itself, allowing the server to respond through it. For example, we can do this (fake
Setting the NAT server internal IP address is 192.168.1.250): # iptables -t nat -a postrouting -d 192.168.1.1 - d 192.168.1.0/24 -p TCP - Dport 80 -J Snat --to
192.168.1.250 Because the PREROUTING rules will be run first, the internal web server, the went to the package has already been determined. We can determine the source IP address.
-------------------------------------------------- ------------------------------ 11. Thanks Thankst to WatchGuard, And David Bonn, Who Believed in The Netfilter IDEA ENOUGH TO Support ME
While I worked on it. and to everyone else who put up with my ranting as i learning
First Thank you first thanks to the idea to think about Netfilter and support my WatchGuard and David Bonn during my work. And all friends who correct for NAT, especially after reading my diary.
