RaMs39 n00b
Joined: 06 May 2010 Posts: 2
Posted: Thu May 06, 2010 9:43 am Post subject: How to use IpTable- for implementing different types of NAT
Hi
If anybody worked on Iptables, please help me in implementing each type of NAT
-Full Cone NAT
-Restricted Cone NAT
-Port Restricted Cone NAT
-Symmetric NAT
using IPTables.
Explanation:
• Full Cone: A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address.
• Restricted Cone: A restricted cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Unlike a full cone NAT, an external host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.
• Port Restricted Cone: A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.
• Symmetric: A symmetric NAT is one where all requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.
On the netfilter mailinglist, Pedro Gonçalves suggested the following:
192.168.2.170 is "public" address and 10.0.0.1 is "private" address
"Full Cone NAT", with the following rules:
Quote: |
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.170
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 10.0.0.1
|
"Port Restricted Cone NAT", with just a single rule:
Quote: |
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.170
|
Please help me in implementing other NAT types.
Thanks in advance,
RaMs
erik258 Advocate
Joined: 12 Apr 2005 Posts: 2650 Location: Twin Cities, Minnesota, USA
Posted: Thu May 06, 2010 7:23 pm Post subject:
I think the wikipedia page makes those distinctions a little clearer:
http://en.wikipedia.org/wiki/Network_address_translation#Types_of_NAT
I will be working on these definitions, which I take to be equivalent to yours.
I disagree with Pedro Gonçalves's rules. In the Full Cone NAT rules he provides, he doesn't match ports, and so it seems as though all traffic coming in on eth0 would be forwarded through to 10.0.0.1 and all traffic leaving eth0 would be SNAT sourced from 192.168.2.170, regardless of port. The specifications specifically mention a particular port.
I also expanded on Pedro Gonçalves's naming convention by adding interface names and host names:
Public, 192.168.2.170, $EXTIF, router.network
Private, 10.0.0.1, $INTIF, inner.network
Port is $P in all cases (although it wouldn't have to be).
The way I comprehend the question, a port number $P is given and must be a part of the rules.
I don't think these rules are perfect; I'm the least sure about the restricted cones. Nevertheless I think it will move you in the right direction.
Full cone NAT
This covers outgoing traffic, which should be rewritten to appear to come from router.network:$P; one rule each for UDP and TCP.
Code: |
# append (-A) one SNAT rule per protocol to the nat table's POSTROUTING chain
iptables -t nat -A POSTROUTING -o $EXTIF -p tcp --sport $P -j SNAT --to-source 192.168.2.170
iptables -t nat -A POSTROUTING -o $EXTIF -p udp --sport $P -j SNAT --to-source 192.168.2.170
|
Now we need the reverse direction: incoming traffic on $P is forwarded to 10.0.0.1.
Code: |
# DNAT in PREROUTING rewrites the destination before the routing decision
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport $P -j DNAT --to-destination 10.0.0.1
iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport $P -j DNAT --to-destination 10.0.0.1
|
[Address] Restricted Cone Nat
Here we reject incoming packets that aren't already established. First we need the rules above. Then we need an INPUT rule that will match incoming connections on $EXTIF:$P
and accept only those which are connected already. Thus the connection must be instigated by inner.network.
Code: |
# previous rules (chain names need -A; the public address is 192.168.2.170 in both SNAT rules)
iptables -t nat -A POSTROUTING -o $EXTIF -p tcp --sport $P -j SNAT --to-source 192.168.2.170
iptables -t nat -A POSTROUTING -o $EXTIF -p udp --sport $P -j SNAT --to-source 192.168.2.170
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport $P -j DNAT --to-destination 10.0.0.1
iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport $P -j DNAT --to-destination 10.0.0.1
# FILTER rules to drop, rather than forward, new connections
# we accept already established connections (These are only necessary if default policy is not ACCEPT)
iptables -A INPUT -i $EXTIF -p tcp --dport $P -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXTIF -p udp --dport $P -m state --state ESTABLISHED,RELATED -j ACCEPT
# now rules to drop the packets otherwise (only necessary if default policy is not DROP)
iptables -A INPUT -i $EXTIF -p tcp --dport $P -m state --state NEW -j DROP
iptables -A INPUT -i $EXTIF -p udp --dport $P -m state --state NEW -j DROP
|
Port Restricted Cone Nat
This is the same as the above, except we also check the source port on the INPUT chain.
Code: |
# previous rules (chain names need -A; the public address is 192.168.2.170 in both SNAT rules)
iptables -t nat -A POSTROUTING -o $EXTIF -p tcp --sport $P -j SNAT --to-source 192.168.2.170
iptables -t nat -A POSTROUTING -o $EXTIF -p udp --sport $P -j SNAT --to-source 192.168.2.170
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport $P -j DNAT --to-destination 10.0.0.1
iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport $P -j DNAT --to-destination 10.0.0.1
# FILTER rules to drop, rather than forward, new connections
# we accept already established connections (These are only necessary if default policy is not ACCEPT)
iptables -A INPUT -i $EXTIF -p tcp --sport $P --dport $P -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXTIF -p udp --sport $P --dport $P -m state --state ESTABLISHED,RELATED -j ACCEPT
# now rules to drop the packets otherwise (only necessary if default policy is not DROP)
iptables -A INPUT -i $EXTIF -p tcp --dport $P -m state --state NEW -j DROP
iptables -A INPUT -i $EXTIF -p udp --dport $P -m state --state NEW -j DROP
|
Symmetric NAT
It seems that this could be called 'Full Nat' or 'Masquerading'. New connections are never forwarded through router.network to inner.network, but new connections are dynamically mapped to ports on $EXTIF. This is pretty complicated, but the iptables rule is very easy.
Code: |
# no other rules are required for this.
iptables -t nat -I POSTROUTING -s 10.0.0.1 -o $EXTIF -j MASQUERADE
|
_________________ Configuring a Firewall? Try my iptables configuration
LinuxCommando.com is my blog for linux-related scraps and tidbits. Stop by for a visit! |
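The following script is an added example for this thread, not code from erik258, Pedro Gonçalves or the netfilter project. It generates the rule sets for all four NAT types discussed above from one set of parameters (interface, public address, inner host, port; the port 5000 in the demo line is constructed). Two points it adds to the rules posted above: packets that PREROUTING has DNATed to the inner host are routed, so they traverse the FORWARD chain rather than INPUT, and the filter rules are placed there; and because conntrack only marks an inbound packet ESTABLISHED when it matches the exact reply tuple (peer address and port) of a flow the inner host opened, "accept ESTABLISHED, drop NEW" is port-restricted filtering, while the address-restricted variant is built with the `recent` match, recording each peer address the inner host sends to and accepting NEW inbound packets from recorded addresses regardless of their source port (the 300 second window is an assumption standing in for the mapping lifetime). With DRY_RUN=1 (the default) the rules are printed for review instead of applied.

```shell
#!/bin/sh
# Rule generator for the four NAT behaviours discussed in this thread.
# Added example. Assumed parameters: EXTIF (public interface), PUBIP (public
# address), PRIVIP (inner host) and PORT (the inner host's port), passed as
# arguments. DRY_RUN=1 (the default) prints the rules instead of applying
# them; IPT=/path/to/iptables DRY_RUN=0 applies them for real.

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Mapping shared by the three cone types (endpoint-independent mapping):
# traffic from PRIVIP:PORT leaves as PUBIP:PORT (port pinned explicitly so the
# kernel cannot pick another one), and traffic to PUBIP:PORT is DNATed back.
cone_mapping() {
    extif=$1 pubip=$2 privip=$3 port=$4
    for proto in tcp udp; do
        run -t nat -A POSTROUTING -o "$extif" -p "$proto" -s "$privip" --sport "$port" \
            -j SNAT --to-source "$pubip:$port"
        run -t nat -A PREROUTING -i "$extif" -p "$proto" --dport "$port" \
            -j DNAT --to-destination "$privip"
    done
}

# Filtering for the cone types. DNATed packets are routed to PRIVIP, so they
# pass through FORWARD, not INPUT. Conntrack marks an inbound packet
# ESTABLISHED only when it matches the reply tuple (peer address AND port) of
# a flow the inner host opened, so "accept ESTABLISHED, drop NEW" gives
# port-restricted filtering. Address-restricted filtering records every peer
# address the inner host sends to in a 'recent' table and accepts NEW inbound
# packets from a recorded address whatever their source port (assumption: a
# 300 s window stands in for the mapping lifetime).
cone_filter() {
    extif=$1 privip=$2 port=$3 mode=$4   # mode: full | addr | port
    for proto in tcp udp; do
        run -A FORWARD -i "$extif" -p "$proto" -d "$privip" --dport "$port" \
            -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        case $mode in
            full)
                run -A FORWARD -i "$extif" -p "$proto" -d "$privip" --dport "$port" \
                    -m conntrack --ctstate NEW -j ACCEPT ;;
            addr)
                # outbound: remember the destination address (--rdest) of each peer
                run -A FORWARD -o "$extif" -p "$proto" -s "$privip" --sport "$port" \
                    -m recent --name "cone$port" --rdest --set -j ACCEPT
                # inbound: a NEW packet from a remembered source address is allowed
                run -A FORWARD -i "$extif" -p "$proto" -d "$privip" --dport "$port" \
                    -m conntrack --ctstate NEW \
                    -m recent --name "cone$port" --rsource --rcheck --seconds 300 -j ACCEPT ;;
        esac
        # Anything still NEW from outside is dropped (addr and port modes only).
        [ "$mode" = full ] || run -A FORWARD -i "$extif" -p "$proto" -d "$privip" --dport "$port" \
            -m conntrack --ctstate NEW -j DROP
    done
}

# Symmetric NAT: per-destination mappings chosen by the kernel (MASQUERADE),
# no static DNAT, and nothing unsolicited reaches the inner host.
symmetric() {
    extif=$1 privip=$2
    run -t nat -A POSTROUTING -s "$privip" -o "$extif" -j MASQUERADE
    run -A FORWARD -i "$extif" -d "$privip" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$extif" -d "$privip" -m conntrack --ctstate NEW -j DROP
}

# nat_rules TYPE EXTIF PUBIP PRIVIP PORT   (TYPE: full | addr | port | symmetric)
nat_rules() {
    case $1 in
        full|addr|port) cone_mapping "$2" "$3" "$4" "$5"; cone_filter "$2" "$4" "$5" "$1" ;;
        symmetric)      symmetric "$2" "$4" ;;
        *) echo "unknown NAT type: $1" >&2; return 1 ;;
    esac
}

# Standalone demo with the thread's addresses (port 5000 is constructed for the example).
nat_rules "${1:-full}" eth0 192.168.2.170 10.0.0.1 5000
```

Run it as `sh nat.sh addr` to see the address-restricted rule set, and compare the printed rules against `iptables-save` output on the router before switching DRY_RUN off. The generated rules assume the FORWARD chain's policy is DROP or that these rules come before any broad ACCEPT; with a default ACCEPT policy the cone distinctions collapse to full cone because the final DROP never fires.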
RaMs39 n00b
Joined: 06 May 2010 Posts: 2
Posted: Fri May 07, 2010 10:08 am Post subject:
Thank you so much erik.
The wikipedia page was very helpful. I will be trying these NAT scenarios with my set-up.
Thanks,
RaMs
erik258 Advocate
Joined: 12 Apr 2005 Posts: 2650 Location: Twin Cities, Minnesota, USA
Posted: Fri May 07, 2010 7:47 pm Post subject:
Hey, if this is for school, I would certainly appreciate knowing how far off I was.
maadi77 n00b
Joined: 01 Jun 2010 Posts: 1
Posted: Tue Jun 01, 2010 3:19 pm Post subject:
erik,
The assumption you've made that "given the port#" may not be the case all the time. RFC 4787 doesn't mention anything about port# given a priori. I have been wondering how the full cone implementation can be done with just using the iptables/netfilter and no port# given.
Went through the latest kernel release 2.6.34 (netfilter code), and I don't see any of the cone implementations done. Even netfilter.org is not talking about any existing extensions available for iptables (something on the lines of --mode: fullcone/restricted/portrestricted) :--(
Have you heard of any netfilter kernel patches (with iptables extension) available to support the NAT variations? Highly appreciate your suggestions. Thanks
/Mahadeva