📄 nat-howto.txt
字号:
Linux 2.4 NAT HOWTO
Rusty Russell, mailing list netfilter@lists.samba.org
$Revision: 1.18 $ $Date: 2002/01/14 09:35:13 $
This document describes how to do masquerading, transparent proxying,
port forwarding, and other forms of Network Address Translations with
the 2.4 Linux Kernels.
______________________________________________________________________
Table of Contents
1. Introduction
2. Where is the official Web Site and List?
2.1 What is Network Address Translation?
2.2 Why Would I Want To Do NAT?
3. The Two Types of NAT
4. Quick Translation From 2.0 and 2.2 Kernels
4.1 I just want masquerading! Help!
4.2 What about ipmasqadm?
5. Controlling What To NAT
5.1 Simple Selection using iptables
5.2 Finer Points Of Selecting What Packets To Mangle
6. Saying How To Mangle The Packets
6.1 Source NAT
6.1.1 Masquerading
6.2 Destination NAT
6.2.1 Redirection
6.3 Mappings In Depth
6.3.1 Selection Of Multiple Addresses in a Range
6.3.2 Creating Null NAT Mappings
6.3.3 Standard NAT Behavior
6.3.4 Implicit Source Port Mapping
6.3.5 What Happens When NAT Fails
6.3.6 Multiple Mappings, Overlap and Clashes
6.3.7 Altering the Destination of Locally-Generated Connections
7. Special Protocols
8. Caveats on NAT
9. Source NAT and Routing
10. Destination NAT Onto the Same Network
11. Thanks
______________________________________________________________________
[1m1. Introduction[0m
Welcome, gentle reader.
You are about to delve into the fascinating (and sometimes horrid)
world of NAT: Network Address Translation, and this HOWTO is going to
be your somewhat accurate guide to the 2.4 Linux Kernel and beyond.
In Linux 2.4, an infrastructure for mangling packets was introduced,
called `netfilter'. A layer on top of this provides NAT, completely
reimplemented from previous kernels.
(C) 2000 Paul `Rusty' Russell. Licensed under the GNU GPL.
[1m2. Where is the official Web Site and List?[0m
There are three official sites:
o Thanks to Filewatcher <http://netfilter.filewatcher.org/>.
o Thanks to The Samba Team and SGI <http://netfilter.samba.org/>.
o Thanks to Harald Welte <http://netfilter.gnumonks.org/>.
You can reach all of them using round-robin DNS via
<http://www.netfilter.org/> and <http://www.iptables.org/>
For the official netfilter mailing list, see netfilter List
<http://www.netfilter.org/contact.html#list>.
[1m2.1. What is Network Address Translation?[0m
Normally, packets on a network travel from their source (such as your
home computer) to their destination (such as www.gnumonks.org) through
many different links: about 19 from where I am in Australia. None of
these links really alter your packet: they just send it onward.
If one of these links were to do NAT, then they would alter the source
or destinations of the packet as it passes through. As you can
imagine, this is not how the system was designed to work, and hence
NAT is always something of a crock. Usually the link doing NAT will
remember how it mangled a packet, and when a reply packet passes
through the other way, it will do the reverse mangling on that reply
packet, so everything works.
[1m2.2. Why Would I Want To Do NAT?[0m
In a perfect world, you wouldn't. Meanwhile, the main reasons are:
[1mModem Connections To The Internet[0m
Most ISPs give you a single IP address when you dial up to them.
You can send out packets with any source address you want, but
only replies to packets with this source IP address will return
to you. If you want to use multiple different machines (such as
a home network) to connect to the Internet through this one
link, you'll need NAT.
This is by far the most common use of NAT today, commonly known
as `masquerading' in the Linux world. I call this SNAT, because
you change the [1msource [22maddress of the first packet.
[1mMultiple Servers[0m
Sometimes you want to change where packets heading into your
network will go. Frequently this is because (as above), you
have only one IP address, but you want people to be able to get
into the boxes behind the one with the `real' IP address. If
you rewrite the destination of incoming packets, you can manage
this. This type of NAT was called port-forwarding under
previous versions of Linux.
A common variation of this is load-sharing, where the mapping
ranges over a set of machines, fanning packets out to them. If
you're doing this on a serious scale, you may want to look at
Linux Virtual Server <http://linuxvirtualserver.org/>.
[1mTransparent Proxying[0m
Sometimes you want to pretend that each packet which passes
through your Linux box is destined for a program on the Linux
box itself. This is used to make transparent proxies: a proxy
is a program which stands between your network and the outside
world, shuffling communication between the two. The transparent
part is because your network won't even know it's talking to a
proxy, unless of course, the proxy doesn't work.
Squid can be configured to work this way, and it is called
redirection or transparent proxying under previous Linux
versions.
[1m3. The Two Types of NAT[0m
I divide NAT into two different types: [1mSource NAT [22m(SNAT) and
[1mDestination NAT [22m(DNAT).
Source NAT is when you alter the source address of the first packet:
i.e. you are changing where the connection is coming from. Source NAT
is always done post-routing, just before the packet goes out onto the
wire. Masquerading is a specialized form of SNAT.
Destination NAT is when you alter the destination address of the first
packet: i.e. you are changing where the connection is going to.
Destination NAT is always done before routing, when the packet first
comes off the wire. Port forwarding, load sharing, and transparent
proxying are all forms of DNAT.
[1m4. Quick Translation From 2.0 and 2.2 Kernels[0m
Sorry to those of you still shell-shocked from the 2.0 (ipfwadm) to
2.2 (ipchains) transition. There's good and bad news.
Firstly, you can simply use ipchains and ipfwadm as before. To do
this, you need to insmod the `ipchains.o' or `ipfwadm.o' kernel
modules found in the latest netfilter distribution. These are
mutually exclusive (you have been warned), and should not be combined
with any other netfilter modules.
Once one of these modules is installed, you can use ipchains and
ipfwadm as normal, with the following differences:
o Setting the masquerading timeouts with ipchains -M -S, or ipfwadm
-M -s does nothing. Since the timeouts are longer for the new NAT
infrastructure, this should not matter.
o The init_seq, delta and previous_delta fields in the verbose
masquerade listing are always zero.
o Zeroing and listing the counters at the same time `-Z -L' does not
work any more: the counters will not be zeroed.
o The backward compatibility layer doesn't scale very well for large
numbers of connections: don't use it for your corporate gateway!
Hackers may also notice:
o You can now bind to ports 61000-65095 even if you're masquerading.
The masquerading code used to assume anything in this range was
fair game, so programs couldn't use it.
o The (undocumented) `getsockname' hack, which transparent proxy
programs could use to find out the real destinations of connections
no longer works.
o The (undocumented) bind-to-foreign-address hack is also not
implemented; this was used to complete the illusion of transparent
proxying.
[1m4.1. I just want masquerading! Help![0m
This is what most people want. If you have a dynamically allocated IP
PPP dialup (if you don't know, this is you), you simply want to tell
your box that all packets coming from your internal network should be
made to look like they are coming from the PPP dialup box.
# Load the NAT module (this pulls in all the others).
modprobe iptable_nat
# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Note that you are not doing any packet filtering here: for that, see
the Packet Filtering HOWTO: `Mixing NAT and Packet Filtering'.
[1m4.2. What about ipmasqadm?[0m
This is a much more niche user base, so I didn't worry about backward
compatibility as much. You can simply use `iptables -t nat' to do
port forwarding. So for example, in Linux 2.2 you might have done:
# Linux 2.2
# Forward TCP packets going to port 8080 on 1.2.3.4 to 192.168.1.1's port 80
ipmasqadm portfw -a -P tcp -L 1.2.3.4 8080 -R 192.168.1.1 80
Now you would do:
# Linux 2.4
# Append a rule before routing (-A PREROUTING) to the NAT table (-t nat) that
# TCP packets (-p tcp) going to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080)
# have their destination mapped (-j DNAT) to 192.168.1.1, port 80
# (--to 192.168.1.1:80).
iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 8080 \
-j DNAT --to 192.168.1.1:80
[1m5. Controlling What To NAT[0m
You need to create NAT rules which tell the kernel what connections to
change, and how to change them. To do this, we use the very versatile
iptables tool, and tell it to alter the NAT table by specifying the
`-t nat' option.
The table of NAT rules contains three lists called `chains': each rule
is examined in order until one matches. The two chains are called
PREROUTING (for Destination NAT, as packets first come in), and
POSTROUTING (for Source NAT, as packets leave). The third (OUTPUT)
will be ignored here.
The following diagram would illustrate it quite well if I had any
artistic talent:
_____ _____
/ \ / \
PREROUTING -->[Routing ]----------------->POSTROUTING----->
\D-NAT/ [Decision] \S-NAT/
| ^
| |
| |
| |
| |
| |
| |
--------> Local Process ------
At each of the points above, when a packet passes we look up what
connection it is associated with. If it's a new connection, we look
up the corresponding chain in the NAT table to see what to do with it.
The answer it gives will apply to all future packets on that
connection.
[1m5.1. Simple Selection using iptables[0m
iptables takes a number of standard options as listed below. All the
double-dash options can be abbreviated, as long as iptables can still
tell them apart from the other possible options. If your kernel has
iptables support as a module, you'll need to load the ip_tables.o
module first: `insmod ip_tables'.
The most important option here is the table selection option, `-t'.
For all NAT operations, you will want to use `-t nat' for the NAT
table. The second most important option to use is `-A' to append a
new rule at the end of the chain (e.g. `-A POSTROUTING'), or `-I' to
insert one at the beginning (e.g. `-I PREROUTING').
You can specify the source (`-s' or `--source') and destination (`-d'
or `--destination') of the packets you want to NAT. These options can
be followed by a single IP address (e.g. 192.168.1.1), a name (e.g.
www.gnumonks.org), or a network address (e.g. 192.168.1.0/24 or
192.168.1.0/255.255.255.0).
You can specify the incoming (`-i' or `--in-interface') or outgoing
(`-o' or `--out-interface') interface to match, but which you can
specify depends on which chain you are putting the rule into: at
PREROUTING you can only select incoming interface, and at POSTROUTING
you can only select outgoing interface. If you use the wrong one,
iptables will give an error.
[1m5.2. Finer Points Of Selecting What Packets To Mangle[0m
I said above that you can specify a source and destination address.
If you omit the source address option, then any source address will
do. If you omit the destination address option, then any destination
address will do.
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -