
                              Linux 2.4 NAT HOWTO

   Rusty Russell, mailing list netfilter@lists.samba.org
   Translation: netmanforever@yahoo.com

   v1.0.1 Mon May 1 18:38:22 CST 2000
     _________________________________________________________________

   This document describes how to do masquerading, transparent proxying,
   port forwarding and other forms of Network Address Translation with
   the 2.4 Linux kernels.
     _________________________________________________________________
   
1. Introduction

2. Where are the official web site and mailing list?

     * 2.1 What is Network Address Translation?
     * 2.2 Why would I want to do NAT?

3. The two types of NAT

4. Quick translation from 2.0 and 2.2 kernels

     * 4.1 I just want masquerading! Help!
     * 4.2 What about ipmasqadm?

5. Controlling what to NAT

     * 5.1 Simple selection using iptables
     * 5.2 Finer points of selecting what packets to mangle

6. Saying how to mangle the packets

     * 6.1 Source NAT
     * 6.2 Destination NAT
     * 6.3 Mappings in detail

7. Protocols which need special treatment

8. Caveats on NAT

9. Source NAT and routing

10. Destination NAT onto the same network

11. Thanks
     _________________________________________________________________
   
1. Introduction

   Greetings, gentle reader.

   You are about to delve into the fascinating (and sometimes horrid)
   world of NAT, Network Address Translation, and this HOWTO is going to
   be your somewhat-accurate guide for the Linux 2.4 kernels and beyond.

   In Linux 2.4 a new framework for mangling packets has been
   introduced, called `netfilter'. A layer on top of this provides NAT,
   completely reimplemented from previous kernels.

   (Translator's note: I could not find a satisfactory rendering of the
   word `mangle' in any dictionary, so it is left untranslated throughout
   and readers can interpret it for themselves.)
   
2. Where are the official web site and mailing list?

   There are three official sites:
     * Thanks to [1]Filewatcher (http://netfilter.filewatcher.org).
     * Thanks to [2]The Samba Team and SGI (http://www.samba.org/netfilter).
     * Thanks to [3]Jim Pick (http://netfilter.kernelnotes.org).

   For the official netfilter mailing list, see [4]Samba's Listserver
   (http://lists.samba.org).
   
2.1 What is Network Address Translation?

   Normally, packets on a network travel from their source (such as your
   home computer) to their destination (such as www.kernelnotes.org)
   through many different links: about 19 from where I am. None of these
   links really alter your packet: they just send it onward.

   If one of these links were to do NAT, it would alter the source or
   destination address of the packet as it passed through. As you can
   imagine, this is not how the system was designed to work, so NAT is
   always something of a kludge. Usually the link doing NAT will remember
   how it mangled a packet, and when a reply packet passes through the
   other way it will do the reverse mangling on that reply, so everything
   works.
   
2.2 Why would I want to do NAT?

   In a perfect world, you wouldn't. Meanwhile, the main reasons are:

   Modem connections to the Internet
          Most ISPs give you a single IP address when you dial up to
          them. You can send out packets with any source address you
          want, but only replies to packets with this source IP address
          will return to you. If you want to use several different
          machines (such as a home network) to connect to the Internet
          through this one link, you need NAT.

          This is by far the most common use of NAT today, commonly known
          as `masquerading' in the Linux world. I call it SNAT, because
          you change the source address of the first packet.

   Multiple servers
          Sometimes you want to change where packets heading into your
          network will go. Frequently this is because (as above) you have
          only one IP address, but you want people to be able to reach
          the boxes behind the one with the `real' IP address. If you
          rewrite the destination of incoming packets, you can manage
          this.

          A common variation of this is load-sharing, where the mapping
          ranges over a set of machines, fanning packets out to them.
          This type of NAT was called port-forwarding in previous
          versions of Linux.

   Transparent proxying
          Sometimes you want to pretend that each packet passing through
          your Linux box is destined for a program on the Linux box
          itself. This is used to make transparent proxies: a proxy is a
          program which stands between your network and the outside
          world, shuffling communication between the two. The
          transparent part is because your network won't even know it is
          talking to a proxy, unless of course the proxy doesn't work.

          Squid can be configured to work this way, and it was called
          redirection or transparent proxying in previous Linux versions.
          
3. The two types of NAT

   I divide NAT into two different types: Source NAT (SNAT) and
   Destination NAT (DNAT).

   Source NAT is when you alter the source address of the first packet,
   i.e. you are changing where the connection is coming from. Source NAT
   is always done post-routing, just before the packet goes out onto the
   wire. Masquerading is a specialised form of SNAT.

   Destination NAT is when you alter the destination address of the
   first packet, i.e. you are changing where the connection is going to.
   Destination NAT is always done pre-routing, when the packet first
   comes off the wire. Port forwarding, load-sharing and transparent
   proxying are all forms of DNAT.
   
4. Quick translation from 2.0 and 2.2 kernels

   Sorry to those of you still reeling from the 2.0 (ipfwadm) to 2.2
   (ipchains) transition. There is good news and bad news.

   Firstly, you can simply use ipchains or ipfwadm as before. To do this,
   you need to insmod the `ipchains.o' or `ipfwadm.o' module found in
   the latest netfilter distribution. These are mutually exclusive (you
   have been warned), and should not be combined with any other
   netfilter modules.

   Once one of these modules is installed, you can use ipchains and
   ipfwadm as normal, with the following differences:

     * Setting masquerading timeouts with ipchains -M -S or ipfwadm -M -s
       does nothing. Since the timeouts are longer with the new NAT
       infrastructure, this shouldn't matter.
     * The fields init_seq, delta and previous_delta in the verbose
       masquerade listing are always zero.
     * Zeroing and listing the counters at the same time (`-Z -L') no
       longer works: the counters will not be zeroed.

   Hackers need to know:

     * You can now bind to ports 61000-65095 even if you are doing
       masquerading. The old masquerading code assumed that anything in
       that range wasn't a `real' packet, so it could pretend they were
       its own.
     * The (undocumented) getsockname hack, by which transparent proxy
       programs could find out the real destination of a connection, no
       longer works.
     * The (undocumented) bind-to-foreign-address hack isn't implemented
       either; this was used to complete the illusion of transparent
       proxying.
       
4.1 I just want masquerading! Help!

   This is what most people want. If you have a dynamically allocated IP
   PPP dialup (if you don't know, you do), you simply want to tell your
   box that all packets coming from your internal network should be made
   to look like they are coming from the PPP dialup box.
   
# Load the NAT module (this pulls in all the others).
modprobe iptable_nat

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

   Note that you are not doing any packet filtering here: for that, see
   the Packet Filtering HOWTO on mixing NAT and packet filtering.
   
4.2 What about ipmasqadm?

   This is a much smaller market, which is why ipmasqadm was a separate
   package. You can use `iptables -t nat' to do port forwarding, in a
   similar way to how you did it in Linux 2.2:
   
# Linux 2.2
# Forward TCP packets going to port 8080 on 1.2.3.4 to 192.168.1.1's port 80
ipmasqadm portfw -a -P tcp -L 1.2.3.4 8080 -R 192.168.1.1 80

   And now:
   
# Linux 2.4
# Append a rule pre-routing (-A PREROUTING) to the NAT table (-t nat) that
# TCP packets (-p tcp) going to 1.2.3.4 (-d 1.2.3.4) port 8080 (--dport 8080)
# have their destination mapped (-j DNAT) to 192.168.1.1, port 80
# (--to 192.168.1.1:80).
iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 8080 \
        -j DNAT --to 192.168.1.1:80

   If you want this rule to also alter local connections (i.e. from the
   NAT box itself, telnet to 1.2.3.4 port 8080 and end up at 192.168.1.1
   port 80), you can insert the same rule into the OUTPUT chain (which
   is only for locally generated packets):
   
# Linux 2.4
iptables -A OUTPUT -t nat -p tcp -d 1.2.3.4 --dport 8080 \
        -j DNAT --to 192.168.1.1:80

5. Controlling what to NAT

   You need to create NAT rules which tell the kernel which connections
   to change, and how to change them. To do this we use the very
   versatile iptables tool, and tell it to alter the NAT table by
   specifying `-t nat'.

   The table of NAT rules contains three lists called `chains': each
   rule is examined in order until one matches. The chains are called
   PREROUTING (for Destination NAT, as packets first come in),
   POSTROUTING (for Source NAT, as packets leave) and OUTPUT (for
   Destination NAT of locally generated packets).

   If I were skilled in the art of ASCII, the following diagram would be
   accurate:
   
      _____                                     _____
     /     \                                   /     \
   PREROUTING -->[Routing ]----------------->POSTROUTING----->
     \D-NAT/     [Decision]                    \S-NAT/
                     |                            ^
                     |                          __|__
                     |                         /     \
                     |                        | OUTPUT|
                     |                         \D-NAT/
                     |                            ^
                     |                            |
                     --------> Local Process ------

   At each of the points above, when a packet passes we look up what
   connection it is associated with. If it is a new connection, we look
   up the corresponding chain in the NAT table to see what to do with it.
   The answer it gives will apply to all future packets on that
   connection.
   
5.1 Simple selection using iptables

   iptables takes a number of standard options, listed below. All the
   double-dash options can be abbreviated, as long as iptables can still
   tell them apart from the other possible options. If your kernel
   supports iptables as a module, you will need to load the ip_tables.o
   module first: `insmod ip_tables'.

   The most important option here is the table selection option, `-t'.
   For all NAT operations you will want to use `-t nat' for the NAT
   table. The second most important option is `-A' to append a new rule
   at the end of the chain (e.g. `-A POSTROUTING'), or `-I' to insert
   one at the beginning (e.g. `-I PREROUTING').

   You can specify the source (`-s' or `--source') and destination (`-d'
   or `--destination') of the packets you want to NAT. These options can
   be followed by a single IP address (e.g. 192.168.1.1), a name (e.g.
   www.kernelnotes.org), or a network address (e.g. 192.168.1.0/24 or
   192.168.1.0/255.255.255.0).

   You can specify the incoming (`-i' or `--in-interface') or outgoing
   (`-o' or `--out-interface') interface to match, but which one you can
   specify depends on which chain you are putting the rule into: at
   PREROUTING you can only select the incoming interface, and at
   POSTROUTING (and OUTPUT) you can only select the outgoing interface.
   If you use the wrong one, iptables will give an error.
   
5.2 Finer points of selecting what packets to mangle

   I said above that you can specify a source and destination address.
   If you omit the source address option, any source address will match.
   If you omit the destination address option, any destination address
   will match.

   You can also specify a particular protocol (`-p' or `--protocol'),
   such as TCP or UDP; only packets of that protocol will match the
   rule. The main reason for doing this is that specifying a protocol of
   tcp or udp allows extra options, specifically `--source-port' and
   `--destination-port' (abbreviated `--sport' and `--dport').

   These options let you specify that only packets with a certain source
   and destination port will match the rule. This is useful for
   redirecting web requests (TCP port 80 or 8080) and leaving other
   packets alone.

   These options must follow the `-p' option (which has the side effect
   of loading the shared library extension for that protocol). You can
   use port numbers, or names from the /etc/services file.

   All the different qualities you can select on a packet are described
   in excruciating detail in the manual page (man iptables).
   
6. Saying how to mangle the packets

   So now we know how to select the packets we want to mangle. To
   complete our rule, we need to tell the kernel exactly what we want it
   to do to them.

6.1 Source NAT

   You want to do Source NAT: change the source address of connections
   to something different. This is done in the POSTROUTING chain, just
   before the packet is finally sent out; this is an important detail,
   since it means that everything else on the Linux box itself (routing,
   packet filtering) sees the packet unchanged. It also means that the
   `-o' (outgoing interface) option can be used.

   Source NAT is specified using `-j SNAT', and the `--to-source' option
   (abbreviated to `--to' in the examples below) specifies an IP
   address, a range of IP addresses, and an optional port or range of
   ports (for the UDP and TCP protocols only).
   
## Change source addresses to 1.2.3.4.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6

## Change source addresses to 1.2.3.4, ports 1-1023
# iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023

  Masquerading

   There is a specialised case of Source NAT called masquerading: it
   should only be used for dynamically assigned IP addresses, such as
   standard dialups (for static IP addresses, use SNAT as above).

   You don't need to put in the source address explicitly with
   masquerading: it uses the address of the interface the packet is
   going out of. More importantly, if the link goes down, the
   connections (which are now lost anyway) are forgotten, meaning fewer
   glitches when the link comes back with a new IP address.
   
## Masquerade everything out ppp0.
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

6.2 Destination NAT

   This is done in the PREROUTING chain, just as the packet comes in;
   this means that everything else on the Linux box itself (routing,
   packet filtering) sees the packet going to its `real' destination. It
   also means that the `-i' (incoming interface) option can be used.

   If you want to alter the destination of locally generated packets,
   use the OUTPUT chain instead.

   Destination NAT is specified using `-j DNAT', and the
   `--to-destination' option (abbreviated to `--to' in the examples
   below) specifies an IP address, a range of IP addresses, and an
   optional port or range of ports (for the UDP and TCP protocols only).
   
## Change destination addresses to 5.6.7.8
# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8

## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
# iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8-5.6.7.10

## Change destination addresses of web traffic to 5.6.7.8, port 8080.
# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 \
        -j DNAT --to 5.6.7.8:8080

## Redirect local packets to 1.2.3.4 to loopback.
# iptables -t nat -A OUTPUT -d 1.2.3.4 -j DNAT --to 127.0.0.1

  Redirection

   There is a specialised case of Destination NAT called redirection: it
   is a simple convenience exactly equivalent to doing DNAT to the
   address of the incoming interface.
   
## Send incoming port-80 web traffic to our squid (transparent) proxy
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
        -j REDIRECT --to-port 3128

6.3 Mappings in detail

   There are some subtleties of NAT which most people will never have to
   deal with. They are documented here for the curious.

  Selecting multiple addresses in a range

   If a range of IP addresses is given, the IP address to use is chosen
   based on the least currently used IP for connections the machine
   knows about. This gives primitive load-balancing.

  Creating null NAT mappings

   You can use the `-j ACCEPT' target to let a connection through
   without any NAT taking place.

  Standard NAT behaviour

   The default NAT behaviour is to alter the connection as little as
   possible, within the constraints of the rule given by the user. This
   means we won't remap ports unless we have to.

  Implicit source port mappings

   Even when no NAT is requested for a connection, source port
   translation may occur implicitly if another connection has been
   mapped over the new one. Consider the case of masquerading, which is
   fairly common:

    1. A web connection is established from a machine 192.1.1.1, port
       1024, to www.netscape.com port 80.
    2. This is masqueraded by the masquerading box to use its own source
       address (1.2.3.4).
    3. The masquerading box tries to make a web connection to
       www.netscape.com port 80 from 1.2.3.4 (the address of its external
       interface), port 1024.
    4. The NAT code alters the source port of the second connection to
       1025, so that the two do not clash.

   When this implicit source mapping occurs, ports are divided into
   three classes:
     * ports below 512;
     * ports between 512 and 1023;
     * ports 1024 and above.

   A port will never be implicitly mapped into a different class.
   
  What happens when NAT fails

   If there is no way to uniquely map a connection as the user requests,
   it will be dropped. This also applies to packets which could not be
   classified as being part of any connection, because they are
   malformed, the box is out of memory, or similar.
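   An added model of the implicit source-port mapping and the
   drop-on-failure behaviour described above (a constructed example, not
   the kernel's code and not part of the HOWTO). The three port classes
   are the ones listed; that a taken port is retried upwards and wraps
   around within its class, and that the connection is refused once the
   class is exhausted, are assumptions of this model.

```sh
# Print "low high" for the class the port in $1 belongs to.
# Class boundaries as the HOWTO lists them: 1-511, 512-1023, 1024-65535.
port_class_bounds() {
    if [ "$1" -lt 512 ]; then
        echo "1 511"
    elif [ "$1" -lt 1024 ]; then
        echo "512 1023"
    else
        echo "1024 65535"
    fi
}

# pick_source_port WANTED "USED ..." : print the source port the mapping
# would use for a connection that wants WANTED while the ports in USED are
# already taken for the same external address and destination. Prints
# nothing and returns 1 when the class is full (the connection is dropped).
pick_source_port() {
    wanted=$1
    used=" $2 "
    set -- $(port_class_bounds "$wanted")
    low=$1
    high=$2
    candidate=$wanted
    tries=$((high - low + 1))
    while [ "$tries" -gt 0 ]; do
        case "$used" in
            *" $candidate "*) ;;                 # taken: try the next one
            *) echo "$candidate"; return 0 ;;   # free: use it unchanged
        esac
        candidate=$((candidate + 1))
        if [ "$candidate" -gt "$high" ]; then
            candidate=$low                       # wrap, never leave the class
        fi
        tries=$((tries - 1))
    done
    return 1
}
```

   Note that `pick_source_port 1024 "1024"` reproduces the clash in the
   numbered list above: the second connection is moved to 1025.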
   
  Multiple mappings, overlap and clashes

   You can have NAT rules which map packets onto the same range; the NAT
   code is smart enough to avoid clashes. So having two rules which map
   the source addresses 192.168.1.1 and 192.168.1.2 onto 1.2.3.4
   respectively is fine.

   Furthermore, you can map over real, used IP addresses, as long as
   those addresses pass through the mapping box as well. So if you have
   an assigned network (1.2.3.0/24), but have one internal network using
   those addresses and another using the private addresses
   192.168.1.0/24, you can simply NAT the 192.168.1.0/24 source
   addresses onto the 1.2.3.0 network without fear of clashes:
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
        -j SNAT --to 1.2.3.0/24

   The same logic applies to addresses used by the NAT box itself: this
   is how masquerading works (sharing the interface address between
   masqueraded packets and the `real' packets coming from the box
   itself).

   Moreover, you can map the same packets onto many different targets,
   and they will be shared. For example, if you don't want to map
   anything onto 1.2.3.5, you could do:
   
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
        -j SNAT --to 1.2.3.0-1.2.3.4 --to 1.2.3.6-1.2.3.254

  Altering the destination of locally generated connections

   If the destination of a locally generated packet is altered (e.g. by
   the OUTPUT chain), this may cause the routing code to choose a
   different interface, and the source address will change accordingly.
   For example, if a packet bound for loopback has its destination
   changed so that it goes out eth0, its source address is changed from
   127.0.0.1 to the address of eth0: the source address is implicitly
   mapped. Naturally, this mapping is reversed for reply packets.
   
7. Protocols which need special treatment

   Some protocols do not like being NATed. For each such protocol two
   extensions must be written: one for the connection tracking of the
   protocol, and one for the actual NAT.

   Inside the netfilter distribution there are currently modules for
   ftp: ip_conntrack_ftp.o and ip_nat_ftp.o. If you insmod these into
   your kernel (or compile them in permanently), then doing any kind of
   NAT on ftp connections should be possible. If you don't, you can use
   passive-mode ftp, but this may be unreliable if you are doing Source
   NAT.
   
8. Caveats on NAT

   If you are doing NAT on a connection, all packets going both ways (in
   and out of the network) MUST pass through the NAT box, or it will not
   work reliably. In particular, the connection tracking code reassembles
   fragments, meaning that not only will connection tracking be
   unreliable, but your packets may not get through at all, as fragments
   are held.
   
9. Source NAT and routing

   If you are doing SNAT, you need to make sure that the machines the
   SNATed packets go to will send their replies back to the NAT box. For
   example, if you are mapping some outgoing packets onto the source
   address 1.2.3.4, the external router must know to send reply packets
   (which will have destination 1.2.3.4) back to that box. This can be
   done in the following ways:

    1. If you are doing SNAT onto the box's own address (for which
       routing and everything else already works), you need do nothing.
    2. If you are doing SNAT onto an unused address on the local LAN
       (for example, you are mapping onto 1.2.3.99, a spare IP on your
       1.2.3.0/24 network), your NAT box will need to answer ARP
       requests for that address as well as its own; the easiest way is
       to create an IP alias, like so:
       
# ip address add 1.2.3.99 dev eth0

    3. If you are doing SNAT onto a completely different address, you
       need to make sure that the machines the SNATed packets hit will
       route back to the NAT box. If the NAT box is their default
       gateway, this is already done; otherwise you will need to
       advertise a route (if running a routing protocol) or add routes
       manually on each machine involved.
       
10. Destination NAT onto the same network

   If you are doing port forwarding back onto the same network, you need
   to make sure that both future packets and reply packets go through
   the NAT box (so they can be altered). The NAT code will now (since
   2.4.0-test6) block the outgoing ICMP redirect generated when a NATed
   packet heads out the same interface it came in on, but the receiving
   server will still try to reply directly to the client (which won't
   recognise the reply).

   The classic case is that internal staff try to access your `public'
   web server, which is actually DNATed from the public address
   (1.2.3.4) to an internal machine (192.168.1.1), like so:
   
# iptables -t nat -A PREROUTING -d 1.2.3.4 \
        -p tcp --dport 80 -j DNAT --to 192.168.1.1

   One way around this is to run an internal DNS server which knows the
   real (internal) IP address of your public web site, and forwards all
   other requests to an external DNS server. This means the logs on your
   web server will show the internal IP addresses correctly.

   The other way is to also have the NAT box map the source IP address
   of these connections to its own, fooling the server into replying
   through it. In this example we would do the following (assuming the
   NAT box's internal IP address is 192.168.1.250):
   
# iptables -t nat -A POSTROUTING -d 192.168.1.1 -s 192.168.1.0/24 \
        -p tcp --dport 80 -j SNAT --to 192.168.1.250

   Because the PREROUTING rule runs first, the packets are already
   destined for the internal web server; we can tell which ones are
   internally sourced by their source IP addresses.
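   An added shell example, not from the HOWTO, that prints the three
   rules a port-forward needs so that it works for outside clients, for
   the NAT box itself (the OUTPUT-chain rule of section 4.2) and for
   internal clients (the hairpin SNAT above), using the addresses of the
   example; nothing is applied, and the forwarding_enabled helper is an
   assumption of this example.

```sh
# Addresses from the HOWTO's example; adjust before use.
PUBLIC_IP=1.2.3.4          # address the outside world connects to
SERVER_IP=192.168.1.1      # internal web server
LAN_NET=192.168.1.0/24     # internal network
NAT_LAN_IP=192.168.1.250   # the NAT box's own address on the LAN
PORT=80

# Print (do not run) the rule set. Review it, then feed it to sh as root.
hairpin_dnat_rules() {
    # Outside clients: rewrite the destination as the packet comes in.
    echo "iptables -t nat -A PREROUTING -d $PUBLIC_IP -p tcp --dport $PORT -j DNAT --to $SERVER_IP"
    # The NAT box itself: locally generated packets never pass PREROUTING,
    # so the same mapping must also be in OUTPUT.
    echo "iptables -t nat -A OUTPUT -d $PUBLIC_IP -p tcp --dport $PORT -j DNAT --to $SERVER_IP"
    # Internal clients: after DNAT the server would answer them directly
    # and bypass the NAT box, so the connection must appear to come from
    # the NAT box's own LAN address. The server's logs then show that
    # address rather than the real client, as the text above notes.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $SERVER_IP -p tcp --dport $PORT -j SNAT --to $NAT_LAN_IP"
}

# Check to make before applying: without forwarding the NAT rules match but
# the forwarded packets are still dropped (see section 4.1).
forwarding_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] &&
        [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]
}
```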
   
11. Thanks

   My thanks first to WatchGuard, and David Bonn, who believed in the
   netfilter idea enough to support me while I worked on it.

   And to everyone else who put up with my ranting as I learnt about the
   ugliness of NAT, especially those who read my diary.

   Rusty.

References

   1. http://netfilter.filewatcher.org/
   2. http://www.samba.org/netfilter
   3. http://netfilter.kernelnotes.org/
   4. http://lists.samba.org/
