
                              Linux 2.4 NAT HOWTO
                                       
   Author: Rusty Russell, mailing list netfilter@lists.samba.org
   Translator: netmanforever@yahoo.com

   v1.0.1 Mon May 1 18:38:22 CST 2000
     _________________________________________________________________
   
   This document describes how to do masquerading, transparent proxying,
   port forwarding, and other forms of Network Address Translation with
   the 2.4 Linux kernel.
     _________________________________________________________________
   
1. Introduction

2. Where is the official site, and is there a mailing list?

     * 2.1 What is Network Address Translation?
     * 2.2 Why would I want to do NAT?

3. The two types of NAT

4. Quick conversion from 2.0 and 2.2 kernels

     * 4.1 I just want masquerading! Help!
     * 4.2 What happened to ipmasqadm?

5. Controlling what to NAT

     * 5.1 Simple selection using iptables
     * 5.2 Finer points of selecting which packets to mangle

6. Saying how to mangle the packets

     * 6.1 Source NAT
     * 6.2 Destination NAT
     * 6.3 Mappings in further depth

7. Special protocols

8. Caveats on NAT

9. Source NAT and routing

10. Destination NAT onto the same network

11. Thanks
     _________________________________________________________________
   
1. Introduction

   Welcome, gentle reader.

   You are about to delve into the fascinating (and sometimes horrid)
   world of NAT (Network Address Translation), and this HOWTO is going to
   be your somewhat-accurate guide to the 2.4 Linux kernel and beyond.

   In Linux 2.4, a new framework for mangling packets has been
   introduced, called `netfilter'. A layer on top of this provides NAT,
   completely reimplemented from previous kernels.

   (Translator's note: strangely, the author uses the word `mangle'
   throughout without ever explaining it, and many of the terms in the
   original are hard to translate well. I keep the English word here for
   now and translate it further on; readers can work out its sense for
   themselves.)
   
2. Where is the official site, and is there a mailing list?

   There are three official sites:
     * Thanks to [1]Filewatcher (http://netfilter.filewatcher.org).
     * Thanks to [2]The Samba Team and SGI (http://www.samba.org/netfilter).
     * Thanks to [3]Jim Pick (http://netfilter.kernelnotes.org).

   For the official netfilter mailing list, see [4]Samba's Listserver
   (http://lists.samba.org).
   
2.1 What is Network Address Translation?

   Normally, packets on a network travel from their source (such as your
   home computer) to their destination (such as www.kernelnotes.org)
   through many different links: about 19 from where I am in Australia.
   None of these links really alters your packet: they just send it
   onward.

   If one of these links were to do NAT, it would alter the source or
   destination of the packet as it passed through. As you can imagine,
   this is not how the system was designed to work, and hence NAT is
   always something of a kludge. Usually the link doing NAT will remember
   how it mangled a packet, and when a reply packet passes through the
   other way it will do the reverse mangling on that reply, so everything
   works.
   
2.2 Why would I want to do NAT?

   In a perfect world, you wouldn't. Meanwhile, the main reasons are:

    Modem connections to the Internet
           Most ISPs give you a single IP address when you dial up to
           them. You can send out packets with any source address you
           want, but only replies to packets with this source address
           will come back to you. If you want to use several machines
           (such as a home network) to connect to the Internet through
           this one link, you'll need NAT.

           This is by far the most common use of NAT today, commonly
           known as `masquerading' in the Linux world. I call it SNAT,
           because you change the source address of the first packet.

    Multiple servers
           Sometimes you want to change where packets heading into your
           network will go. Frequently this is because (as above) you
           have only one IP address, but you want people to be able to
           reach the boxes behind the one with the `real' IP address. If
           you rewrite the destination of incoming packets, you can
           manage this.

           A common variation of this is load-sharing, where the mapping
           ranges over a set of machines, fanning packets out to them.
           This type of NAT was called port-forwarding in previous
           versions of Linux.

    Transparent proxying
           Sometimes you want to pretend that each packet which passes
           through your Linux box is destined for a program on the Linux
           box itself. This is used to make transparent proxies: a proxy
           is a program which stands between your network and the
           outside world, shuffling communication between the two. The
           transparent part is because your network won't even know it's
           talking to a proxy, unless of course the proxy doesn't work.

           Squid can be configured to work this way, and this was called
           redirection or transparent proxying in previous Linux
           versions.
          
3. The two types of NAT

   I divide NAT into two different types: Source NAT (SNAT) and
   Destination NAT (DNAT).

   Source NAT is when you alter the source address of the first packet:
   i.e. you are changing where the connection is coming from. Source NAT
   is always done post-routing, just before the packet goes out onto the
   wire. Masquerading is a specialized form of SNAT.

   Destination NAT is when you alter the destination address of the
   first packet: i.e. you are changing where the connection is going to.
   Destination NAT is always done pre-routing, when the packet first
   comes off the wire. Port forwarding, load sharing and transparent
   proxying are all forms of DNAT.
   
4. Quick conversion from 2.0 and 2.2 kernels

   Sorry, converting from 2.0 (ipfwadm) to 2.2 (ipchains) was a bit of a
   shock. I hope this is less so.

   Since you'll be continuing to use ipchains and ipfwadm, you need to
   load the `ipchains.o' or `ipfwadm.o' kernel module from the latest
   netfilter distribution. These are mutually exclusive (you have been
   warned), and cannot be combined with any other netfilter modules.

   Once one of these modules is loaded, you can use ipchains and ipfwadm
   as normal, with the following differences:

     * Setting masquerading timeouts with ipchains -M -S, or ipfwadm -M -s,
       does nothing. Since the timeouts are longer with the new NAT
       infrastructure, this shouldn't matter.
     * The fields init_seq, delta and previous_delta in the verbose
       masquerade listing are always zero.
     * Zeroing and listing the counters at the same time (`-Z -L') doesn't
       work: the counters won't be zeroed.

   Hackers need to be aware of the following:

     * You can now bind to ports 61000-65095, whether or not you're doing
       masquerading. The masquerading code used to assume that anything
       in this range was not a real local connection, so other programs
       couldn't use them.
     * The (undocumented) getsockname hack, which transparent proxy
       programs could use to find out the real destination of
       connections, no longer works.
     * The (undocumented) bind-to-foreign-address hack is also not
       implemented yet, to complete the illusion of transparent proxying.
       
4.1 I just want masquerading! Help!

   This is what most people want. If you have a dynamically allocated IP
   PPP dialup (if you don't know, you do), you simply want to tell your
   box that all packets coming from your internal network should be made
   to look as if they are coming from the PPP dialup box.
   
# Load the NAT module (this pulls in all the others).
modprobe iptable_nat

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

   Note that you are not doing any packet filtering here: for that, see
   the Packet Filtering HOWTO: `Mixing NAT and Packet Filtering'.
   
4.2 What happened to ipmasqadm?

   There's a much smaller user base here, so I don't think it's worth
   having backwards-compatibility modes. You can simply use iptables -t
   nat to do port forwarding. For example, under Linux 2.2 you may have
   done:
   
# Linux 2.2
# Forward TCP packets going to port 8080 on 1.2.3.4 to 192.168.1.1's port 80
ipmasqadm portfw -a -P tcp -L 1.2.3.4 8080 -R 192.168.1.1 80

   Now you do:
   
# Linux 2.4
# Append a rule pre-routing (-A PREROUTING) to the NAT table (-t nat) that
# TCP packets (-p tcp) going to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080)
# have their destination mapped (-j DNAT) to 192.168.1.1, port 80
# (--to 192.168.1.1:80).
iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 8080 \
        -j DNAT --to 192.168.1.1:80

   If you want this rule to also alter local connections to the box
   (i.e. even if on the NAT box itself someone telnets to port 8080 on
   1.2.3.4 and gets redirected to 192.168.1.1 port 80), you can insert
   the same rule into the OUTPUT chain (which only applies to
   locally-generated packets):
   
# Linux 2.4
iptables -A OUTPUT -t nat -p tcp -d 1.2.3.4 --dport 8080 \
        -j DNAT --to 192.168.1.1:80

5. Controlling what to NAT

   You need to create NAT rules which tell the kernel what connections to
   change, and how to change them. To do this, we use the very versatile
   iptables tool, and tell it to alter the NAT table by specifying the
   `-t nat' option.

   The table of NAT rules contains three lists called `chains': each rule
   is examined in order until one matches. The three chains are called
   PREROUTING (for Destination NAT, as packets first come in),
   POSTROUTING (for Source NAT, as packets leave), and OUTPUT (for
   Destination NAT of locally generated packets).

   If I were an artist, the following diagram would be an accurate
   representation.
   
      _____                                     _____
     /     \                                   /     \
   PREROUTING -->[Routing ]----------------->POSTROUTING----->
     \D-NAT/     [Decision]                    \S-NAT/
                     |                            ^
                     |                          __|__
                     |                         /     \
                     |                        | OUTPUT|
                     |                         \D-NAT/
                     |                            ^
                     |                            |
                     --------> Local Process ------

   At each of the points above, when a packet passes we look up what
   connection it is associated with. If it's a new connection, we look
   up the corresponding chain in the NAT table to see what to do with it.
   The answer it gives will apply to all future packets on that
   connection.
   
5.1 Simple selection using iptables

   iptables takes a number of standard options, as listed below. All the
   double-dash options can be abbreviated, as long as iptables can still
   tell them apart from the other possible options. If your kernel has
   iptables support as a module, you will need to load the ip_tables.o
   module first: `insmod ip_tables'.

   The most important option here is the table selection option, `-t'.
   For all NAT operations you will want to use `-t nat' for the NAT
   table. The second most important option is `-A' to append a new rule
   at the end of a chain (e.g. `-A POSTROUTING'), or `-I' to insert one
   at the beginning (e.g. `-I PREROUTING').

   You can specify the source (`-s' or `--source') and destination (`-d'
   or `--destination') of the packets you want to NAT. These options can
   be followed by a single IP address (e.g. 192.168.1.1), a name (e.g.
   www.kernelnotes.org), or a network address (e.g. 192.168.1.0/24 or
   192.168.1.0/255.255.255.0).

   You can specify the incoming (`-i' or `--in-interface') or outgoing
   (`-o' or `--out-interface') interface to match, but which you can
   specify depends on which chain you are putting the rule into: at
   PREROUTING you can only select the incoming interface, and at
   POSTROUTING (and OUTPUT) you can only select the outgoing interface.
   If you use the wrong one, iptables will give an error.
   
5.2 Finer points of selecting which packets to mangle

   I said above that you can specify a source and destination address.
   If you omit the source address option, then any source address will
   do. If you omit the destination address, any destination address will
   do.

   You can also specify a particular protocol (`-p' or `--protocol'),
   such as TCP or UDP; only packets of this protocol will match the rule.
   The main reason for doing this is that specifying a protocol of tcp
   or udp allows extra options: specifically the `--source-port' and
   `--destination-port' options (abbreviated as `--sport' and `--dport').

   These options let you specify that only packets with a certain source
   and destination port will match the rule. That is useful for
   redirecting web requests (TCP port 80 or 8080) and leaving other
   packets alone.

   These options must follow the `-p' option (which has the side-effect
   of loading the shared library extension for that protocol). You can
   use port numbers, or a name from the /etc/services file.

   All the different qualities you can select a packet by are described
   in excruciating detail in the manual page (man iptables).
   
6. Saying how to mangle the packets

   Now we know how to select the packets we want to mangle. To complete
   our rule, we need to tell the kernel exactly what we want it to do to
   the packets.
   
6.1 Source NAT

   You want to do Source NAT: change the source address of connections
   to something different. This is done in the POSTROUTING chain, just
   before the packet is finally sent out; this is an important detail,
   since it means that anything else on the Linux box itself (routing,
   packet filtering) will see the packet unchanged. It also means that
   the `-o' (outgoing interface) option can be used.

   Source NAT is specified using `-j SNAT', and the `--to-source' option
   specifies an IP address, a range of IP addresses, and an optional
   port or range of ports (for UDP and TCP protocols only).
   
## Change source addresses to 1.2.3.4.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6

## Change source addresses to 1.2.3.4, ports 1-1023
# iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023

  Masquerading

   There is a specialized case of Source NAT called masquerading: it
   should only be used for dynamically assigned IP addresses, such as
   standard dialups (for static IP addresses, use SNAT above).

   You don't need to put in the source address explicitly with
   masquerading: it will use the source address of the interface the
   packet is going out of. More importantly, if the link goes down, the
   connections (which are lost anyway) are forgotten, meaning fewer
   glitches when the connection comes back with a new IP address.
   
## Masquerade everything out ppp0.
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

6.2 Destination NAT

   This is done in the PREROUTING chain, just as the packet comes in;
   this means that anything else on the Linux box itself (routing,
   packet filtering) will see the packet going to its `real'
   destination. It also means that the `-i' (incoming interface) option
   can be used.

   For altering the destination of locally generated packets, the OUTPUT
   chain can be used, but this is less common.

   Destination NAT is specified using `-j DNAT', and the
   `--to-destination' option specifies an IP address, a range of IP
   addresses, and an optional port or range of ports (for UDP and TCP
   protocols only).
   
## Change destination addresses to 5.6.7.8
# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8

## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8-5.6.7.10

## Change destination addresses of web traffic to 5.6.7.8, port 8080.
# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 \
        -j DNAT --to 5.6.7.8:8080

## Redirect local packets to 1.2.3.4 to loopback.
# iptables -t nat -A OUTPUT -d 1.2.3.4 -j DNAT --to 127.0.0.1

  Redirection

   There is a specialized case of Destination NAT called redirection: it
   is a simple convenience which is exactly equivalent to doing DNAT to
   the address of the incoming interface.
   
## Send incoming port-80 web traffic to our squid (transparent) proxy
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
        -j REDIRECT --to-port 3128

6.3 Mappings in further depth

   There are some subtleties to NAT which most people will never have to
   deal with. They are documented here for the curious.

  Selection of multiple addresses in a range

   If a range of IP addresses is given, the IP address to use is chosen
   based on the least currently used IP for connections the machine
   knows about. This gives primitive load-balancing.

  Creating null NAT mappings

   You can use the `-j ACCEPT' target to let a connection through
   without any NAT taking place.

  Standard NAT behaviour

   The default behaviour is to alter the connection as little as
   possible, within the constraints of the rule given by the user. This
   means we don't remap ports unless we have to.
   
  Implicit source port mapping

   Even when no NAT is required for a connection, source port
   translation may occur implicitly, if another connection has been
   mapped over the new one. Consider the case of masquerading, which is
   quite common:

    1. A web connection is established by a machine 192.1.1.1 from port
       1024 to www.netscape.com port 80.
    2. This is masqueraded by the masquerading box to use its own IP
       address (1.2.3.4).
    3. The masquerading box tries to make a web connection to
       www.netscape.com port 80 from 1.2.3.4 (the address of the
       external interface) port 1024.
    4. The NAT code will alter the source port of the second connection
       to 1025, so that the two don't clash.

   When this implicit source mapping occurs, ports are divided into
   three classes:
     * Ports below 512
     * Ports between 512 and 1023
     * Ports 1024 and above

   A port will never be implicitly mapped into a different class.
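   Added here as an illustration (not code from the HOWTO or from
   netfilter): a small Python model of the behaviour just described. It
   reproduces the four-step masquerading example above, picks the
   least-used address when a range is given, remaps a clashing source
   port only within its own class, and reverses the mapping on replies.
   The class and method names are invented for this example, and
   hostnames stand in for resolved destination addresses.

```python
# Added model (not from the HOWTO or netfilter): a toy Source NAT table that
# reproduces the masquerading example above, picks the least-used address in
# a range, remaps a clashing source port only within its class, and reverses
# the mapping on replies. Names like SourceNat are invented for this example.
from ipaddress import ip_address
from itertools import chain

def port_class(port):
    """The three classes a port is never implicitly mapped out of."""
    if port < 512:
        return (1, 511)
    if port < 1024:
        return (512, 1023)
    return (1024, 65535)

class SourceNat:
    def __init__(self, first_ip, last_ip):
        lo, hi = int(ip_address(first_ip)), int(ip_address(last_ip))
        self.pool = [str(ip_address(n)) for n in range(lo, hi + 1)]
        self.table = {}    # (src, sport, dst, dport) -> (new_src, new_sport)
        self.reverse = {}  # (new_src, new_sport, dst, dport) -> original key

    def _least_used(self):
        """Pool address with the fewest known connections (first wins ties)."""
        counts = {ip: 0 for ip in self.pool}
        for new_src, _ in self.table.values():
            counts[new_src] += 1
        return min(self.pool, key=lambda ip: counts[ip])

    def outgoing(self, src, sport, dst, dport):
        """POSTROUTING: decide once per connection, then reuse the answer."""
        key = (src, sport, dst, dport)
        if key in self.table:
            return self.table[key]
        new_src = self._least_used()
        lo, hi = port_class(sport)
        # Change as little as possible: keep sport unless it clashes, then try
        # the rest of the same class; if nothing is free the packet is dropped.
        for new_sport in chain(range(sport, hi + 1), range(lo, sport)):
            if (new_src, new_sport, dst, dport) not in self.reverse:
                self.table[key] = (new_src, new_sport)
                self.reverse[(new_src, new_sport, dst, dport)] = key
                return new_src, new_sport
        return None

    def reply(self, src, sport, dst, dport):
        """Reverse-mangle a reply; None means no known connection (dropped)."""
        orig = self.reverse.get((dst, dport, src, sport))
        return None if orig is None else (orig[0], orig[1])
```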
   
  What happens when NAT fails

   If there is no way to uniquely map a connection as the user requests,
   it will be dropped. This also applies to packets which could not be
   classified as being part of any connection, because they are
   malformed, or the box is out of memory, etc.
   
  Multiple mappings, overlap and clashes

   You can have NAT rules which map packets onto the same range; the NAT
   code is clever enough to avoid clashes. Hence having two rules which
   map the source addresses 192.168.1.1 and 192.168.1.2 onto 1.2.3.4 is
   fine.

   Furthermore, you can map over real, used IP addresses, as long as
   those addresses pass through the mapping box as well. So if you have
   an assigned network (1.2.3.0/24), but one internal network uses those
   addresses and another uses the private addresses 192.168.1.0/24, you
   can simply NAT the 192.168.1.0/24 source addresses onto the 1.2.3.0
   network without fear of clashes:
   
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
        -j SNAT --to 1.2.3.0/24

   The same applies to addresses used by the NAT box itself: this is how
   masquerading works (sharing the interface address between masqueraded
   packets and `real' packets coming from the box itself).

   Moreover, you can map the same packets onto many different targets,
   and they will be shared out. For example, if you don't want to map
   anything onto 1.2.3.5, you could do:
   
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
        -j SNAT --to 1.2.3.0-1.2.3.4 --to 1.2.3.6-1.2.3.254

  Altering the destination of locally generated connections

   If the destination of a locally generated packet is altered (e.g. in
   the OUTPUT chain), this can cause the packet to go out a different
   interface, and its source address will then be changed to that
   interface's address as well. For example, changing the destination of
   a loopback packet so that it goes out eth0 will change its source
   address from 127.0.0.1 to the eth0 address; this happens immediately.
   All of this is reversed when the reply packets come in.
   
7. Special protocols

   Some protocols do not like being NAT'ed. For each of these protocols,
   two extensions must be written: one for the connection tracking of
   the protocol, and one for the actual NAT.

   Inside the netfilter distribution there are currently modules for
   ftp: ip_conntrack_ftp.o and ip_nat_ftp.o. If you load these modules
   into your kernel (or compile them in permanently), then doing any kind
   of NAT on ftp connections should be possible. If you don't, you can
   use passive-mode ftp, but that may not work reliably if you are doing
   anything other than simple Source NAT.
   
8. Caveats on NAT

   If you are doing NAT on a connection, all packets going both ways (in
   and out of the network) MUST pass through the NAT box, or it won't
   work reliably. In particular, the connection tracking code reassembles
   fragments, meaning that not only will connection tracking be
   unreliable, but your packets may not get through at all, as the
   fragments are held.
   
9. Source NAT and routing

   If you are doing SNAT, you will want to make sure that any box the
   SNAT'ed packets go to will send replies back to the NAT box. For
   example, if you are mapping some outgoing packets onto the free
   address 1.2.3.4, then the external router must know to send reply
   packets (which will have destination 1.2.3.4) back to the box. This
   can be done in the following ways:

    1. If you are doing SNAT onto the box's own address (and hence all
       other routers on the network already route to it), you need do
       nothing.
    2. If you are doing SNAT onto an unused address on the local LAN
       (for example, you are mapping onto 1.2.3.99, a free IP on your
       1.2.3.0/24 network), your NAT box will need to answer ARP
       requests for that address as well as its own: the easiest way is
       to create an IP alias, e.g.:
       
# ip address add 1.2.3.99 dev eth0

    3. If you are doing SNAT onto a completely different address, you
       will have to make sure the SNAT'ed packets are routed to the NAT
       box. If the NAT box is the default gateway for the machines
       involved, that's enough; otherwise you need to advertise a route
       (if running a routing protocol) or add routes manually to each
       router involved.
       
10. Destination NAT onto the same network

   If you are doing port forwarding back to the same network, you need
   to make sure that both future packets and reply packets pass through
   the NAT box (so they get altered). The NAT code will now (since
   2.4.0-test6) suppress the outgoing ICMP redirect which is generated
   when a NAT'ed packet heads out the same interface it came in on, but
   the receiving server will still try to reply directly to the client
   (which won't recognise the reply).

   The classic case is that internal staff try to access your `public'
   web server, which is actually DNAT'ed from the public address
   (1.2.3.4) to an internal machine (192.168.1.1), like so:
   
# iptables -t nat -A PREROUTING -d 1.2.3.4 \
        -p tcp --dport 80 -j DNAT --to 192.168.1.1

   One solution is to run an internal DNS server which knows the real
   (internal) IP address of your public web site, and forwards all other
   requests to an external DNS server. This means that logging on your
   web server will show the internal IP addresses correctly.

   The other solution is to have the NAT box also map the source IP
   address of these connections to its own address, fooling the server
   into replying through it. In this example we would do the following
   (assuming the internal IP address of the NAT box is 192.168.1.250):
   
# iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 \
        -p tcp --dport 80 -j SNAT --to 192.168.1.250

   Because the PREROUTING rule runs first, the packets will already be
   destined for the internal web server: we can tell which ones are
   internally sourced by their source IP addresses.
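   Added here as an illustration (not code from the HOWTO): a small
   Python model of the hairpin problem this section describes, using the
   HOWTO's addresses. It traces one request from a client to the public
   address and shows why, without the extra SNAT rule, an internal
   client's reply bypasses the NAT box and arrives from the wrong
   address. The trace strings and function names are invented here.

```python
# Added model (not from the HOWTO): the section 10 hairpin case. An internal
# client on 192.168.1.0/24 connects to the public address 1.2.3.4, which the NAT
# box (inside address 192.168.1.250) DNATs to 192.168.1.1. Addresses are the
# HOWTO's; the trace strings and function names are invented here.
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
NAT_BOX, PUBLIC, SERVER = "192.168.1.250", "1.2.3.4", "192.168.1.1"

def on_link(addr):
    """A LAN host delivers directly to neighbours instead of via its gateway."""
    return ip_address(addr) in LAN

def request_reply(client, snat_internal):
    """One request from client and its reply; returns (trace, reply_accepted)."""
    trace = [f"client {client} -> {PUBLIC}:80"]
    # PREROUTING: -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to 192.168.1.1
    src, dst = client, SERVER
    # POSTROUTING (optional): -d 192.168.1.1 -s 192.168.1.0/24 -p tcp --dport 80
    #                          -j SNAT --to 192.168.1.250
    if snat_internal and on_link(client):
        src = NAT_BOX
    trace.append(f"nat box forwards {src} -> {dst}:80")
    # The server answers whatever source it saw.
    if on_link(src) and src != NAT_BOX:
        # Same subnet as the server: the reply never crosses the NAT box, so no
        # reverse mangling happens and the client gets a packet from
        # 192.168.1.1 for a connection it opened to 1.2.3.4.
        trace.append(f"server replies {SERVER} -> {src} directly")
        return trace, False
    # Reply comes back through the NAT box: conntrack undoes SNAT, then DNAT.
    trace.append(f"server replies {SERVER} -> {src}; nat box rewrites "
                 f"to {PUBLIC} -> {client}")
    return trace, True
```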
   
11. Thanks

   Thanks first to WatchGuard, and David Bonn, who believed in the
   netfilter idea enough to support me while I worked on it.

   And to everyone else who put up with my whining as I learned about the
   evils of NAT, especially those who read my diary.

   Rusty.

References

   1. http://netfilter.filewatcher.org/
   2. http://www.samba.org/netfilter
   3. http://netfilter.kernelnotes.org/
   4. http://lists.samba.org/
