---------------------------------------------------------------------------------------
..:: The iptables solution for using Static NAT on a Linux box is as follows ::..
---------------------------------------------------------------------------------------
This solution uses iptables and the 2.4 kernel to
create the NAT translations. Another utility that
can be used is iproute2.
The primary references for this information are two
books on routing and firewalling with Linux:
"Linux Routers: A Primer for Network Administrators, 2nd Edition"
by Tony Mancill (ISBN: 0130090263), and
"Policy Routing Using Linux" by Matthew G. Marsh
(ISBN: 0672320525). Other references, to newsgroup and
mailing-list postings, are listed at the bottom of this page.
For incoming traffic, you can statically NAT an IP on the
inside to a different IP on the outside with the 'DNAT'
target. If you want to statically NAT the traffic sourced
from the internal host as it exits the firewall, use the
'SNAT' target.
What else you have to configure depends on where your
NATed address sits relative to the IP address on the
outside interface. Two scenarios are covered below.
1. If the outside NAT address is within the same
subnet as the address on the outside
interface of the firewall (12.12.12.0/24 in
this case), you need to create a secondary
IP for the NAT address on the firewall's
outside interface.
2. If you have a block of registered (Internet
routable) IP space that is not configured on
the firewall's outside interface, you simply
need to ensure the border router has a route
for the NATed IP (or network) pointing
towards the firewall's outside interface.
-- : Scenario 1 : --
For scenario 1, hosts on the Internet will see the inside
host as 12.12.12.12. This IP is within the same subnet as
the firewall's outside interface address (12.12.12.0/24,
figure 1), so the border router will ARP for 12.12.12.12 on
the shared link. Therefore you need to configure the NATed IP
as a secondary (or alias) IP address on the outside interface,
so that the firewall answers that ARP and receives the packets.
The topology for scenario 1
+---------------+
{{ }} | |
{{{ Inet }}}--------| border-router |
{{ }} | |
+---------------+
|\
| \___ 12.12.12.1/24
|
|
| _______ 12.12.12.2/24 (outside, eth0)
| / (secondary IP = 12.12.12.12/24)
|/
+----------------+
Outside | | Outside
~~~~~~~~~~~~~~~~~~ | Linux-firewall | ~~~~~~~~~~~~~~~~~~~~~~~~
Inside | | Inside
+----------------+
|\
| \___ 192.168.1.1/24 (inside, eth1)
|
|
+----------------+ |
| | |
| inside-host |-------+
| | \
+----------------+ \
\
\____ 192.168.1.2/24
Figure 1 : The topology for scenario 1
-- : Configuring the Secondary IP address : --
You can configure the secondary IP with a couple of methods.
Most people use the 'ifconfig' utility (an eth0:0 alias
interface). A newer utility which will accomplish this task
and much, much more, is 'ip' from the iproute2 package.
Here is the syntax for using the iproute2 utility to create
the secondary IP address on the outside interface of the
firewall :
/sbin/ip addr add 12.12.12.12/24 dev eth0
Note that 'ip addr add' takes no 'secondary' keyword; the
kernel flags the address as secondary by itself because eth0
already has a primary address in 12.12.12.0/24, and
'ip addr show' reports it that way (see the output further
down). One thing to be aware of: if the primary address
12.12.12.2 is ever deleted, the kernel deletes its secondaries
along with it, which silently removes your NAT address, unless
net.ipv4.conf.eth0.promote_secondaries is set on kernels that
have that sysctl.
For more information on iproute2 see the IPROUTE2 Utility
Suite Howto.
-- : iptables Static NAT rules : --
You need two iptables rules to NAT traffic to and from the
internal host in the diagram above (192.168.1.2). These rules
are the same for either of the scenarios discussed above.
This rule NATs incoming traffic destined for 12.12.12.12 to
the internal host's IP address of 192.168.1.2. It has no '-i'
match, so a packet from the inside network addressed to
12.12.12.12 is translated as well (which only works if the
reply also comes back through the firewall):
/sbin/iptables -t nat -A PREROUTING -j DNAT -d 12.12.12.12 --to-destination 192.168.1.2
This rule NATs outgoing traffic from the internal host
(192.168.1.2) to a source address of 12.12.12.12 (the
'-d 0/0' is the default and can be omitted):
/sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.1.2/32 -d 0/0 --to-source 12.12.12.12
Two things the nat table does not do for you: the translated
packets still have to be accepted by the FORWARD chain, and
IP forwarding must be enabled (net.ipv4.ip_forward). Also,
the nat table uses the first rule that matches, so if the
firewall already has a MASQUERADE rule in POSTROUTING, the
SNAT rule must be listed ahead of it (use '-I' rather than
'-A' in that case); otherwise the host's traffic leaves as
12.12.12.2 instead of 12.12.12.12.
-- : Confirmation of rules output : --
This is the output from the command used to display the NAT
rules in effect. As you can see, all other traffic is being
masqueraded, and the SNAT rule for 192.168.1.2 is listed ahead
of the MASQUERADE rule, so it wins for that host.
[root@lab-fw bob]# iptables -L -t nat -nv
Chain PREROUTING (policy ACCEPT 5863K packets, 897M bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- * * 0.0.0.0/0 12.12.12.12 to:192.168.1.2
Chain POSTROUTING (policy ACCEPT 114K packets, 22M bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * * 192.168.1.2 0.0.0.0/0 to:12.12.12.12
0 0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 3040 packets, 335K bytes)
pkts bytes target prot opt in out source destination
[root@lab-fw bob]#
This is the output from the 'ip addr show' command.
You can see the secondary address on the outside
interface (eth0).
[root@lab-fw bob]# ip addr
1: lo: mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:10:5a:10:0d:37 brd ff:ff:ff:ff:ff:ff
inet 12.12.12.2/24 brd 12.12.12.255 scope global eth0
inet 12.12.12.12/24 scope global secondary eth0
3: eth1: mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:10:5a:10:0d:34 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
[root@lab-fw bob]#
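As an added check (my example code, not part of the original page), here is a POSIX sh script that runs listings like the two above through awk and confirms that the DNAT and SNAT rules for the pair exist, that the SNAT rule is ordered ahead of MASQUERADE in POSTROUTING, and that the NAT address is flagged secondary on eth0. The first two samples are the page's own listings, embedded so the checks run offline; the third sample, with MASQUERADE listed first, is constructed by me to show the failure the ordering check catches. The function names are mine.

```shell
#!/bin/sh
# Added example, not from the page: verify the NAT state that the page's
# listings show. Function names and the mis-ordered sample are mine;
# the addresses are the page's.
set -eu

# Sample 1: the page's 'iptables -L -t nat -nv' output (embedded so the
# checks run offline).
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 5863K packets, 897M bytes)
 pkts bytes target prot opt in out source destination
    0     0 DNAT all -- * * 0.0.0.0/0 12.12.12.12 to:192.168.1.2

Chain POSTROUTING (policy ACCEPT 114K packets, 22M bytes)
 pkts bytes target prot opt in out source destination
    0     0 SNAT all -- * * 192.168.1.2 0.0.0.0/0 to:12.12.12.12
    0     0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3040 packets, 335K bytes)
 pkts bytes target prot opt in out source destination'

# Sample 2 (constructed): the same rules, but the SNAT rule was appended
# with -A behind an existing MASQUERADE rule. The nat table takes the first
# match, so 192.168.1.2 would leave as 12.12.12.2 instead of 12.12.12.12.
SAMPLE_NAT_BAD='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 DNAT all -- * * 0.0.0.0/0 12.12.12.12 to:192.168.1.2

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
    0     0 SNAT all -- * * 192.168.1.2 0.0.0.0/0 to:12.12.12.12'

# Sample 3: the page's 'ip addr' output for eth0.
SAMPLE_ADDR='2: eth0: mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:5a:10:0d:37 brd ff:ff:ff:ff:ff:ff
    inet 12.12.12.2/24 brd 12.12.12.255 scope global eth0
    inet 12.12.12.12/24 scope global secondary eth0'

# check_nat_rules NAT_IP REAL_IP   (listing on stdin)
# Succeeds only if both 1:1 rules exist and SNAT precedes MASQUERADE in
# POSTROUTING. Columns are those of 'iptables -L -nv':
#   pkts bytes target prot opt in out source destination [extra]
check_nat_rules() {
    awk -v nat="$1" -v real="$2" '
        /^Chain / { chain = $2; next }
        chain == "PREROUTING"  && $3 == "DNAT" && $9 == nat  && $10 == ("to:" real) { dnat = NR }
        chain == "POSTROUTING" && $3 == "SNAT" && $8 == real && $10 == ("to:" nat)  { snat = NR }
        chain == "POSTROUTING" && $3 == "MASQUERADE" && !masq { masq = NR }
        END {
            if (!dnat) { print "no DNAT rule for " nat " -> " real; exit 1 }
            if (!snat) { print "no SNAT rule for " real " -> " nat; exit 1 }
            if (masq && masq < snat) {
                print "MASQUERADE is ahead of SNAT: " real " would leave as the interface address"
                exit 1
            }
        }'
}

# check_secondary IP IFACE   ('ip addr' output on stdin)
# Succeeds if IP is configured on IFACE and flagged secondary.
check_secondary() {
    awk -v ip="$1/" -v dev="$2" '
        $1 == "inet" && index($2, ip) == 1 && $NF == dev {
            for (i = 3; i < NF; i++) if ($i == "secondary") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

if printf '%s\n' "$SAMPLE_NAT" | check_nat_rules 12.12.12.12 192.168.1.2; then
    echo "sample 1: static NAT rules OK"
fi
if printf '%s\n' "$SAMPLE_NAT_BAD" | check_nat_rules 12.12.12.12 192.168.1.2; then
    echo "sample 2: static NAT rules OK"   # not reached; awk reports the ordering problem
fi
if printf '%s\n' "$SAMPLE_ADDR" | check_secondary 12.12.12.12 eth0; then
    echo "12.12.12.12 is a secondary address on eth0"
fi
```

On the firewall itself, feed the live output instead of the samples: `iptables -t nat -L -nv | check_nat_rules 12.12.12.12 192.168.1.2` and `ip addr show eth0 | check_secondary 12.12.12.12 eth0`; a non-zero exit with the printed reason is what you want to see in a boot-time or monitoring check.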
-- : Scenario 2 : --
In scenario 2 the NAT IP is **NOT** within the subnet
configured on the firewall's outside interface (figure 2,
where the outside link is 10.1.1.0/24 and the NAT IP is
still 12.12.12.12). The border router must then have a route
for that address (or the whole network) which directs traffic
to the firewall's outside interface address, 10.1.1.2. The
firewall will translate the destination IP in the packets to
the internal host's real IP and route the traffic to the
internal host. The firewall does not need to own 12.12.12.12
for this: DNAT in PREROUTING rewrites the destination before
the routing decision, so no alias address is required. Keep
in mind that a packet for an address in the routed block that
matches no DNAT rule is forwarded back out the default route
to the border router, which sends it straight back, until its
TTL expires; a blackhole route for the block on the firewall
stops that loop, and DNATed packets are unaffected by it since
their destination has already been rewritten when routing
happens.
-- : iptables Static NAT rules : --
The NAT rules are the same as used for scenario 1.
The topology for scenario 2
+---------------+
{{ }} | |
{{{ Inet }}}--------| border-router | <-- configure a static route
{{ }} | | for the NAT IP or net
+---------------+ (12.12.12.12) via the
|\ firewall's outside address.
| \
| \___ 10.1.1.1/24
|
| _______ 10.1.1.2/24 (outside, eth0)
| / (no alias for 12.12.12.12 needed)
|/
+----------------+
Outside | | Outside
~~~~~~~~~~~~~~~~~~ | Linux-firewall | ~~~~~~~~~~~~~~~~~~~~~~~~
Inside | | Inside
+----------------+
|\
| \___ 192.168.1.1/24 (inside, eth1)
|
|
+----------------+ |
| | |
| inside-host |-------+
| | \
+----------------+ \
\
\____ 192.168.1.2/24
Figure 2 : The topology for scenario 2
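Putting the two scenarios together, here is an added example (my code, not from the page) in POSIX sh that prints, rather than runs, the commands for a 1:1 NAT of one inside host. It decides between scenario 1 (alias on the outside interface) and scenario 2 (route on the border router) by testing whether the NAT address falls inside the outside interface's prefix. It goes beyond the page's two rules in four ways I consider part of a working setup: it enables IP forwarding, opens the FORWARD chain for the translated flows, restricts the SNAT rule to -o eth0, and in scenario 2 adds a blackhole route on the firewall for the NAT address. The interface names and addresses are the page's; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the page: print the commands for a 1:1 (static)
# NAT of one inside host, picking scenario 1 or 2 from the outside
# interface's prefix. Addresses and interface names are the page's;
# the function names are mine.
set -eu

ip2int() {
    # dotted quad -> unsigned 32-bit integer, POSIX sh arithmetic only
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_prefix() {
    # in_prefix ADDR NET/LEN -> true when ADDR lies inside NET/LEN
    pfx_addr=$(ip2int "$1")
    pfx_net=$(ip2int "${2%/*}")
    pfx_len=${2#*/}
    # 4294967295 is 0xFFFFFFFF; clear the host bits
    pfx_mask=$(( 4294967295 - ((1 << (32 - pfx_len)) - 1) ))
    [ $(( pfx_addr & pfx_mask )) -eq $(( pfx_net & pfx_mask )) ]
}

static_nat_rules() {
    # static_nat_rules NAT_IP REAL_IP OUT_IF IN_IF OUT_ADDR/LEN
    # Prints the commands instead of running them, so they can be reviewed
    # and then piped to sh as root on the firewall.
    nat_ip=$1 real_ip=$2 out_if=$3 in_if=$4 out_addr=$5
    if in_prefix "$nat_ip" "$out_addr"; then
        # Scenario 1: the NAT address is on the outside link, so the firewall
        # must answer ARP for it. 'ip addr add' has no 'secondary' keyword;
        # the kernel flags the address secondary because a primary already
        # covers the prefix.
        echo "ip addr add $nat_ip/${out_addr#*/} dev $out_if"
    else
        # Scenario 2: routed block. The border router (not this box) needs a
        # route for the NAT address via the firewall's outside address ...
        echo "# on the border router: ip route add $nat_ip/32 via ${out_addr%/*}"
        # ... and a blackhole route here keeps packets for the NAT address
        # that match no DNAT rule from bouncing back out the default route.
        # DNATed packets are unaffected: their destination is rewritten
        # before the routing decision.
        echo "ip route add blackhole $nat_ip/32"
    fi
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Inbound: rewrite the destination before routing. Outbound: rewrite the
    # source after routing, only on the outside interface. '-I 1' keeps the
    # SNAT rule ahead of any MASQUERADE rule; the nat table takes the first
    # match, and behind MASQUERADE the host would leave as the interface IP.
    echo "iptables -t nat -I PREROUTING 1 -d $nat_ip -j DNAT --to-destination $real_ip"
    echo "iptables -t nat -I POSTROUTING 1 -o $out_if -s $real_ip -j SNAT --to-source $nat_ip"
    # The nat table only rewrites addresses; FORWARD must still accept the
    # flows. It sees the real inside address in both directions, because
    # DNAT runs before FORWARD and SNAT after it. A 1:1 NAT exposes every
    # port of the host, so narrow the first rule with -p/--dport in practice.
    echo "iptables -A FORWARD -i $out_if -o $in_if -d $real_ip -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $in_if -o $out_if -s $real_ip -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

echo "# scenario 1 (figure 1): outside 12.12.12.2/24, NAT address 12.12.12.12"
static_nat_rules 12.12.12.12 192.168.1.2 eth0 eth1 12.12.12.2/24
echo
echo "# scenario 2 (figure 2): outside 10.1.1.2/24, same NAT address"
static_nat_rules 12.12.12.12 192.168.1.2 eth0 eth1 10.1.1.2/24
```

Run it once to read the output, then `static_nat_rules ... | sh` as root once you are happy with it; the in_prefix test is the same check you do by hand when deciding which of the two scenarios you are in.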
-- Kelly Scroggins
-------------------------------------------------------------------------------
--::[ Articles and Threads regarding NAT on a Linux Box ]::--
-------------------------------------------------------------------------------
--:[ iproute / iproute2 ]::--
[fw-wiz] Linux firewall help... (static NAT)
http://honor.trusecure.com/pipermail/firewall-wizards/2000-August/008864.html
... snip ...
The utility that you use to configure the advanced routing is called
"ip". It's in the iproute package; the
iproute package is included in RedHat 6.1/6.2
releases (iproute-2.2.4-2.i386.rpm). iproute is not
normally installed; you'll probably have to install
it. If you're not using RedHat, note that the
iproute package is sometimes called
"iproute2" in other distributions.
Two ip commands are needed -- one to set up the inbound packet
forwarding/translation and one to set up the
outbound translation. The commands look like:
ip route add nat <external-IP-address> via <internal-IP-address>
ip rule add prio 320 from <internal-IP-address> nat
<external-IP-address>
You don't need to do anything to cause <external-IP-address> to be
advertised -- it will be put in the ARP table
automatically by the ip route command. It's not
necessary to create an "alias" network
interface.
See /usr/doc/iproute-2.2.4 (after you've installed the iproute
package) for what documentation exists. ip-cref.ps
in that directory contains information about the
"nat" options to "ip route" and
"ip rule".
--------------------------------------------------
NAT using the ip tool from the iproute2 distribution
http://www.cryptio.net/~ferlatte/config/
* /etc/init.d/static-nat.sh
This script sets up static NAT using the ip tool from the
iproute2 distribution (whose package is called
iproute in Debian). This should run after your
firewall rules are in effect. I run it at order 41
during startup only. This also serves as an example
of how to set up a static NAT in Linux. Note that
this is for 2.2.x kernels; 2.4 kernel users should
use iptables to set up static NAT.
#! /bin/sh
#
# Static NAT setup (2.2.x kernels, route-based NAT via iproute2)
PATH=/sbin:/bin:/usr/sbin:/usr/bin
test -x /sbin/ip || exit 0
set -e
echo -n "Starting static nat:"
# static_nat externalip internalip prio
# The 'nat' route translates the destination of inbound packets for
# externalip; the 'nat' rule translates the source of outbound packets
# from internalip.
static_nat()
{
    ip route add nat $1 via $2
    ip rule add prio $3 from $2 nat $1
}
# Setup static NAT for wesleylatd
static_nat 64.162.86.118 192.168.1.3 100
echo " done."
unset -f static_nat
-------------------------------------------------------------------------------
Summary: NAT solution on Linux(RH)
http://www.netsys.com/firewalls/firewalls-2000-12/msg00333.html
Hi,
Thanks for all the response! Special thanks to Magic Phibo, Steve Krause.
For the NAT on linux, basically, you can:
1. nat-static-2.2.4.tar.gz get from
http://www.csn.tu-chemnitz.de/HyperNews/get/linux-ip-nat.html
2. iptables on Linux with kernel 2.4
3. ipfilter with linux kernel 2.0.x or openbsd. (have not tried this one)
The tricky thing is after you configure the NAT, you must
add another static routing entry on your internal network.
Cheers,
carl
-------------------------------------------------------------------------------
[PATCH] New static NAT target
http://lists.netfilter.org/pipermail/netfilter-devel/2001-April/000977.html
Dialog in the netfilter irc channel on irc.freenode.net :
<netfilter-irc_> uhm, that's the old name of the NETMAP target
<netfilter-irc_> it's in p-o-m
<netfilter-irc_> (and it's included in 2.6-test kernels)
-------------------------------------------------------------------------------
www.experts-exchange.com
http://www.experts-exchange.com/Security/Linux_Security/Q_20676713.html#8911537
Comment from jlevie
Date: 07/13/2003 07:01AM PDT Comment
IPtables can do static NAT (1:1) translations in addition
to the more familiar network port address
translations (many to 1, aka masquerade). I've only
done this where all of the NAT translations were
static, but I don't see anything in the Netfilter
docs that says you can't mix NAT and NPAT.
To establish a static NAT translation the first step is to
create an IP alias on the outside interface for the
outside IP. Then create an SNAT rule to map the
inside IP onto that outside IP and a DNAT rule to
map that outside IP onto the inside IP.
-------------------------------------------------------------------------------