NAT and Packet Mangling with iptables

an article added by: Philip A Clare at 04092007


In: Root » Computers and technology » Linux » NAT and Packet Mangling with iptables

French Spanish Portuguese Italian German Japanese Chinese Korean Russian Arabic

In the first part of this article we will learn how to perform Network Address Translation (NAT) and Port Address Translation (PAT), also referred to as Network Address and Port Translation (NAPT), with iptables. After that, we will learn what packet mangling is and how to mangle packets.

A Short Introduction to NAT and PAT (NAPT)

According to the way TCP/IP works, in order for hosts to communicate on the Internet, each must have a unique IP address.
However, due to the shortage of public IP addresses available, it is necessary to use one IP address for many hosts using NAT.
Network Address Translation is a way to translate one IP address into another. This implies a NAT router (Linux in our case) that rewrites the source or destination IP of a device behind the NAT router.
There are many small boxes called SOHO routers or NAT routers that can be used to perform NAT for a small private LAN. They are cheap and usually you can just plug them in and everything works. If you have already used one, you will see that there are many things you can do with Linux.


SNAT and Masquerade

SNAT is an alias for Source Network Address Translation. It is called so because only the source IP address gets translated. The NAT box will overwrite the source address in IP headers of all packets sent by a box behind NAT to one or many IP addresses.
One or many hosts can be translated into one or many public IP addresses only when accessing the Internet, but when a request from the Internet is made to the public IP address(es), the request will not reach any of the hosts (if the translated address is the router's, it will reach the router; otherwise packets will be dropped). This is a good protection for local networks and saves a lot of public IP addresses.
If one or many hosts behind NAT are translated into only one public IP address, the process is called static SNAT. If they are translated into several public IP addresses (usually a range of IP addresses), the process is called dynamic SNAT. In the case of dynamic SNAT, the NAT router chooses an IP address from a range; so one computer accessing the Internet is very likely to be translated into different IP addresses for each connection it initiates. For dynamic SNAT, iptables chooses the least used IP address from the specified range. If many IP addresses from the range are not used at all, iptables randomly chooses one of those.
Masquerade or MASQ works exactly like static SNAT does, except that you cannot specify the public IP address to be used. It will automatically use the IP address of the outgoing interface of the NAT router.

SNAT was introduced with iptables, and did not exist in netfilter for kernels lower than 2.4. However, Masquerade was kept in iptables simply because with interfaces like PPP adapters that receive a dynamically assigned IP address, it is simpler to do a MASQ rather than find the dynamically assigned IP address and do SNAT.

 

If the computer is SNATed or Masqueraded, the Linux router will change the source IP address in the packet header from 192.168.1.3 to 1.1.1.1 and will pass the packet towards 2.2.2.2 according to the routing process. Information about this connection is stored in /proc/net/ip_conntrack.
When 2.2.2.2 replies, the IP packet that arrives in the Linux router will have source IP address 2.2.2.2 and destination IP address 1.1.1.1. Linux searches for information about this packet in /proc/net/ip_conntrack, and finds a match against information stored at the previous step. At this point, Linux will change the destination IP address in the packet header to 192.168.1.3 and will pass the IP packet towards the NATed computer according to the routing process.

DNAT

DNAT or Destination Network Address Translations maps a public IP address to a private IP address. DNAT is the reverse of SNAT; so, if you SNAT to translate a private IP address into a public IP address and DNAT to translate the same public IP address into the same private IP address, the result will be full NAT.
DNAT is usually used when you have servers behind NAT, so the same public IP address is mapped to different private IP addresses depending on ports or protocols. This process is also called port forwarding.
Normally, 2.2.2.2 cannot initiate a communication to 192.168.1.3 because this is a private IP address and is not routed on the Internet.
2.2.2.2 tries to initiate a connection with 1.1.1.1. If a DNAT rule is matched for this packet, the Linux router will change the destination IP address in the IP packet header from 1.1.1.1 to 192.168.1.3, pass the packet towards 192.168.1.3, and keep a track of this connection.
When 192.168.1.3 replies, the packet is found in the conntrack table of the Linux router so it "knows" that the packet belongs to the connection initiated by 2.2.2.2 to 1.1.1.1. The Linux router will change the source IP address in the IP packet header from 192.168.1.3 to 1.1.1.1.

If DNAT is configured, but SNAT is not, 2.2.2.2 will be able to establish connections to 192.168.1.3 using 1.1.1.1 as destination IP address, but 192.168.1.3 will not be able to initiate connections to 2.2.2.2.

 

In other words, full NAT is SNAT and DNAT as presented earlier.
This is the function that SOHO routers call "DMZ", as explained earlier. The reason they call this function "DMZ" is that IP packets that don't belong to a connection initiated by any host from the private network 192.168.1.0/24 will be forwarded to 192.168.1.3, and so this host doesn't have the protection provided by the fact that it has a private IP address.

In the case just presented, 1.1.1.1 can be the NAT router IP address or it can just be routed to it. If it's the router's public IP address (as in the earlier diagrams), the NAT router can't be accessed from the Internet (e.g. you can't SSH into it) because it will forward all packets to 192.168.1.3.

PAT or NAPT

PAT stands for Port Address Translation and it is also called NAPT, which stands for Network Address and Port Translation. The idea behind PAT is to translate not only the IP address, but also the port number for specific hosts and ports.
The company's web server is behind NAT and it has the IP address 192.168.1.100. Having only one public IP address, http://www.<ourcompanyname>.com is configured to respond to 1.1.1.1. For the web server to be accessed from the Internet, we have to rewrite the address 1.1.1.1 to 192.168.1.100 whenever a request comes into our NAT router with the destination port 80.
More than this, we have a company intranet server with the IP address 192.168.1.200, running a web server on port 80. When being in the office, the employees have to type http://192.168.1.200 in their web browser and they can log in the intranet web server.
If we want to allow users to log on to the intranet server when they are outside the office, PAT is the answer. With PAT, we can choose a port that's not opened on the NAT router (e.g. 2143), and whenever a request comes from the Internet with the destination IP address 217.156.123.3 and the destination port 2143, the NAT router rewrites the destination IP address to 192.168.1.200 and the destination port from 2143 to 80.
This way, from the Internet when a user types:

  1. http://www.<ourcompanyname>.com/ the request is forwarded to 192.168.1.100 on port 80 and the company's web page is displayed
  2. http://www.<ourcompanyname>.com:2143/ the request is forwarded to 192.168.1.200 on port 80 and the company's intranet web page is displayed

We don't have to rewrite the port when a packet has the source IP address 192.168.1.200; we just have to set up SNAT or Masquerade so that the intranet server accesses the Internet using 1.1.1.1.

legal disclaimer

Our website is not responsible for the information contained by this article. Web-articles is a free articles resource.
Suggestion: If you need fresh, daily updated content for your website, feel free to use our service. Click here for more information.

related articles

1. The TCP/IP Internet Layer
The Internet layer in the TCP/IP model has the functions of OSI Layer 3 network. The purpose for the Internet layer is to select a path (preferably the best path) in the network for end-to-end delivery. The main protocol found at the Internet layer is IP (Internet Protocol), which provides connectionless, best-effort delivery routing of packets. IP handles logical addressing, and its primary concern is to find the best path between the endpoints, without caring about the contents of the packet. IP does not perform error checking and...

2. IP Addressing, IP Subnetting, and IP Supernetting
The Internet Protocol (IP) found at OSI Layer 3 is responsible for end-to-end delivery of data between computers in an IP network (the Internet). To find a path between two computers in a large network such as the Internet, computers must be uniquely identified. To do that, the Internet Protocol defines IP Addresses, which are unique 32 bit sequences of one and zeros. For example, 11000000101010000000000100000001 is a valid IP address. For the ease of use, IP addresses are represented in a form called the dotted decimal forma...

3. Public and Private IP Addresses
The Internet is a public network, and therefore a device connected directly to the Internet has a public IP address. Those IP addresses must be administered by someone in such way that two devices connected to the public network don't use the same IP address or that two networks don't have the same network address. This job was done by InterNIC (Internet Network Information Center), which has been succeeded by IANA (Internet Assigned Numbers Authority). IANA makes sure to provide unique IP network addresses to Internet Service Provide...

4. IP Supernetting or CIDR
CIDR stands for "Classless Inter-Domain Routing". It is a new addressing scheme for the Internet, intended to replace the old classful (Class A, B, C) address scheme. CIDR allows a more efficient allocation of IP addresses and uses routing aggregation for minimizing the routing table entries, and is also called supernetting. A recapitulation of classful IP addressing shows us the following: Address ...

5. Linux Security Threats
Creating firewalls may block some malicious attempts on your network, but this step is far from running an entirely secure network. As a network administrator or security consultant, to design a proper firewall for your network you need to know what you defend your network from. We cannot fully discuss this topic, even in 1000 pages, but we want to explain some principles that you should consider in running a safe network. As hard as it may seem to protect your network from the outside world, the most dangerous threats always come f...

6. IP Spoofing
An attacker might spoof a trusted IP address when communicating to a host in order to gain unauthorized access on that host. There are a variety of tools that can be found on the Internet to do IP spoofing. Using IP spoofing, attackers can also initiate Denial of Service by sending data with the source IP spoofed to the attacked IP address. The receiver then sends back replies that can contain large amounts of data to the attacked IP address resulting in...

7. BIND Domain Name System DNS
BIND (Berkley Internet Name Domain) is the most used DNS server on the Internet. Nowadays, every Linux distribution has a BIND package for DNS services. The problem with BIND and any DNS server is that in order to be able to translate names into IP addresses it has to communicate with a whole lot of other DNS servers, and so, filtering DNS packets is not possible. DNS services are vital for internet connection; so in order to disrupt services to victims, attackers have a great interest in bringing down DNS servers. Although BIN...