
5. NAT

5.1 The Idea

To transparently make one set of IP addresses appear to be another set to external eyes

Manipulate the source/dest of outgoing packets, and the dest/source of incoming packets

I call them DNAT (rewriting the destination) and SNAT (rewriting the source).

5.2 Why Would I Want To Do That

To map an entire network onto one IP address, e.g. dialup

To forward certain connections to servers with private addresses

To distribute load over several machines

Special effects...

5.3 Dumb NAT vs Full NAT/NAPT

The Linux routing code has simple NAT capability

# Inbound: packets addressed to 192.203.80.192/26 get their destination
# rewritten into 193.233.7.64/26 (static 1:1 mapping, no port translation)
ip route add nat 192.203.80.192/26 via 193.233.7.64
# Outbound: packets from 193.233.7.64/26 get their source rewritten into
# 192.203.80.192/26 (a policy rule, so "ip rule", not "ip route")
ip rule add prio 320 from 193.233.7.64/26 nat 192.203.80.192/26

On top of netfilter is built full Network Address Port Translation

Advantage is that we are not limited to static N:N translations: we can compress address space.

We can also do more complex protocol manipulations (eg FTP).

5.4 Full NAT

To do full, dynamic translation with port translation, connections must be tracked.

Hence the NAT on top of netfilter hooks in after connection tracking

5.5 With Packet Filtering

Packet filtering and NAT don't interfere with each other.

The packet filter always sees the `real' (internal) addresses: DNAT is applied in PREROUTING before the filter rules run, SNAT in POSTROUTING after them.

To add NAT to above example:

# Load the NAT core plus the FTP helper that rewrites addresses inside FTP commands
insmod ip_nat.o && insmod ip_nat_ftp.o
# Rewrite the source of everything leaving via ppp0 to the dialup address
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source $PPP_ADDR

5.6 Common Traps

Port-forwarding (DNAT) to a server on the same network as the client: do SNAT as well, otherwise the server replies straight to the client and the reply bypasses the NAT box.

Only use the `MASQUERADE' target for dynamically-addressed interfaces: it uses whatever address the interface has and forgets its connections when the interface goes down

Unknown protocols (no ports to rewrite) will only work for unique src/dst/proto combinations
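The first trap above, modelled as an added example (not part of the original slides): a LAN client connects to the public address of a port-forwarded server, with and without the extra SNAT rule. All addresses are constructed; the iptables rules in the comments are the two configurations being compared.

```python
"""Model of the 'port-forwarding onto the same network' trap (section 5.6).
Constructed addresses: LAN 192.168.1.0/24, router 192.168.1.1 (LAN side) and
203.0.113.1 (public side), server 192.168.1.10:80, client 192.168.1.20."""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
ROUTER_LAN, ROUTER_PUBLIC = "192.168.1.1", "203.0.113.1"
SERVER, CLIENT = "192.168.1.10", "192.168.1.20"


def client_sees_reply_from(hairpin_snat):
    """Return the (ip, port) the client sees as the source of the server's reply.

    DNAT rule (always present):
      iptables -t nat -A PREROUTING -d 203.0.113.1 -p tcp --dport 80 \
               -j DNAT --to-destination 192.168.1.10
    Extra SNAT rule (only when hairpin_snat is True):
      iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.10 \
               -p tcp --dport 80 -j SNAT --to-source 192.168.1.1
    """
    conntrack = {}  # reply tuple as the router will see it -> original client
    # 1. The client sends to the public IP; that is off-LAN, so via the router.
    pkt = {"src": (CLIENT, 40000), "dst": (ROUTER_PUBLIC, 80)}
    # 2. PREROUTING: DNAT public:80 -> server:80
    if pkt["dst"] == (ROUTER_PUBLIC, 80):
        pkt["dst"] = (SERVER, 80)
    # 3. POSTROUTING: SNAT so the server's reply is addressed to the router
    if hairpin_snat and ip_address(pkt["src"][0]) in LAN and pkt["dst"][0] == SERVER:
        pkt["src"] = (ROUTER_LAN, 50000)
    conntrack[(pkt["dst"], pkt["src"])] = (CLIENT, 40000)
    # 4. The server answers whatever source it saw. Same subnet -> direct delivery.
    reply = {"src": pkt["dst"], "dst": pkt["src"]}
    if ip_address(reply["dst"][0]) in LAN and reply["dst"][0] != ROUTER_LAN:
        return reply["src"]  # never passes the router: client sees the private IP
    # 5. Reply reaches the router; conntrack undoes both translations.
    reply["src"], reply["dst"] = (ROUTER_PUBLIC, 80), conntrack[(reply["src"], reply["dst"])]
    return reply["src"]


def client_accepts(reply_src):
    """The client's socket expects replies from the address it connected to."""
    return reply_src == (ROUTER_PUBLIC, 80)
```

With DNAT only the client sees the reply come from 192.168.1.10:80 and discards it; with the SNAT rule added the reply comes back through the router as 203.0.113.1:80.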

5.7 Summary

NAT gives you new power to screw over your network

NAT breaks end-to-end

NAT doesn't work on some protocols without helpers

NAT is very popular for home networks with dynamic dialups


LINUXCARE