To transparently make one set of IP addresses appear to be another set to external eyes
Manipulate the source/dest of outgoing packets, and the dest/source of incoming packets
I call them DNAT (destination rewritten) and SNAT (source rewritten).
To map an entire network onto one IP address, e.g. dialup
- SNAT (masquerading)
To forward certain connections to servers with private addresses
- DNAT (port forwarding)
To distribute load over several machines
- DNAT (load balancing)
Special effects...
The Linux routing code has simple NAT capability
- Use `ip route nat' to control one-way mapping of IP addresses
- See IP Reference Manual in iproute2 distribution
ip route add nat 192.203.80.192/26 via 193.233.7.64
ip rule add prio 320 from 193.233.7.64/26 nat 192.203.80.192
- The route rewrites destinations in the translated block to the real one; the rule (a policy-routing rule, not a route) rewrites sources from the real block back, taking the first address of the translated block as its argument
- Stateless: no ports are touched, so it is a fixed 1:1 mapping of addresses
On top of netfilter is built full Network Address Port Translation
- Requires connection tracking: keeps state
- Hence all packets must pass through this box
- Doesn't alter routing tables/advertisements
Advantage is that we are not limited to static N:N translations: we can compress address space.
We can also do more complex protocol manipulations (eg FTP).
To do full, dynamic translation with port translation, connections must be tracked.
Hence the NAT on top of netfilter hooks in after connection tracking
- Packets which aren't tracked will be dropped!
Packet filtering and NAT don't interfere with each other.
- DNAT happens before routing and packet filtering
- SNAT happens after routing and packet filtering
`Real' network addresses visible to the packet filter.
- Packet filtering never sees masquerading: SNAT is applied after the filter, so rules match the real private source.
- Packet filtering always sees port forwarding: DNAT is applied before the filter, so rules match the real private destination.
To add NAT to above example:
insmod ip_nat.o && insmod ip_nat_ftp.o
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source $PPP_ADDR
Port-forwarding onto the same network (client and server on one LAN): do SNAT as well, or the server answers the client directly and the client discards the untranslated reply.
Only use `MASQUERADE' target for dynamically-addressed interfaces
- Forgets all connections when interface goes down.
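The rule placement above (DNAT in PREROUTING, SNAT or MASQUERADE in POSTROUTING, filter rules written against the real private addresses, and the extra SNAT for a port-forward reached from the same LAN) is easy to get wrong by hand. The generator below is an added example, not code from the original slides; it emits an iptables-restore ruleset from a short description of the box. Interface names, the 192.168.1.0/24 LAN, the 203.0.113.1 public address and the forwarded services are constructed for illustration, and the choice of `-m addrtype --dst-type LOCAL` for the hairpin match on a dynamically addressed box is this example's own.

```python
"""Emit an iptables-restore ruleset for a NAT box (added example, not from the slides)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence


@dataclass(frozen=True)
class Forward:
    proto: str                 # "tcp" or "udp"
    port: int                  # port on the public side
    targets: Sequence[str]     # one private server, or several for load balancing
    dport: Optional[int] = None  # port on the server, defaults to `port`


def _dnat_target(targets: Sequence[str], dport: int) -> str:
    """DNAT spreads new connections over a consecutive address range, so
    load-balancing targets must be contiguous (constructed check)."""
    addrs = [ip_address(t) for t in targets]
    if len(addrs) == 1:
        return f"{addrs[0]}:{dport}"
    for i, a in enumerate(addrs):
        if int(a) != int(addrs[0]) + i:
            raise ValueError("load-balancing targets must be consecutive addresses")
    return f"{addrs[0]}-{addrs[-1]}:{dport}"


def nat_ruleset(wan_if: str, wan_addr: Optional[str], lan_if: str, lan_addr: str,
                lan_net: str, forwards: Sequence[Forward]) -> str:
    """Return iptables-restore text. wan_addr=None means a dynamic address."""
    lan = ip_network(lan_net)
    if ip_address(lan_addr) not in lan:
        raise ValueError("lan_addr must lie inside lan_net")
    nat = ["*nat", ":PREROUTING ACCEPT [0:0]", ":INPUT ACCEPT [0:0]",
           ":OUTPUT ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]"]
    filt = ["*filter", ":INPUT ACCEPT [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
            # Replies, plus helper-tracked related flows (e.g. FTP data), pass.
            "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
            f"-A FORWARD -i {lan_if} -o {wan_if} -s {lan} -j ACCEPT"]
    # Public destination for hairpinned LAN clients: the exact address when it
    # is static, otherwise any address configured on the box (assumption).
    pub_match = f"-d {wan_addr}" if wan_addr else "-m addrtype --dst-type LOCAL"
    for fw in forwards:
        dport = fw.dport or fw.port
        for t in fw.targets:
            if ip_address(t) not in lan:
                raise ValueError(f"target {t} is not on {lan}")
        dest = _dnat_target(fw.targets, dport)
        # DNAT in PREROUTING: before routing and before the filter.
        nat.append(f"-A PREROUTING -i {wan_if} -p {fw.proto} --dport {fw.port} "
                   f"-j DNAT --to-destination {dest}")
        nat.append(f"-A PREROUTING -i {lan_if} {pub_match} -p {fw.proto} --dport {fw.port} "
                   f"-j DNAT --to-destination {dest}")
        for t in fw.targets:
            # The filter runs after DNAT, so it matches the real private server.
            filt.append(f"-A FORWARD -i {wan_if} -o {lan_if} -d {t} -p {fw.proto} "
                        f"--dport {dport} -m conntrack --ctstate NEW -j ACCEPT")
            # Same-network port forward: SNAT as well, so the server's reply
            # comes back through this box instead of straight to the client.
            nat.append(f"-A POSTROUTING -o {lan_if} -s {lan} -d {t} -p {fw.proto} "
                       f"--dport {dport} -j SNAT --to-source {lan_addr}")
    if wan_addr:
        # Static address: plain SNAT keeps mappings across interface flaps.
        nat.append(f"-A POSTROUTING -o {wan_if} -s {lan} -j SNAT --to-source {wan_addr}")
    else:
        # Dynamic address: MASQUERADE uses whatever address the interface has
        # and forgets its mappings when the interface goes down.
        nat.append(f"-A POSTROUTING -o {wan_if} -s {lan} -j MASQUERADE")
    nat.append("COMMIT")
    filt.append("COMMIT")
    return "\n".join(nat + filt) + "\n"


def demo_ruleset() -> str:
    """Constructed example: dialup box, one web forward, one balanced forward."""
    return nat_ruleset("ppp0", None, "eth0", "192.168.1.1", "192.168.1.0/24", [
        Forward("tcp", 80, ["192.168.1.10"]),
        Forward("tcp", 443, ["192.168.1.20", "192.168.1.21", "192.168.1.22"], dport=8443),
    ])


if __name__ == "__main__":
    print(demo_ruleset(), end="")  # feed to: iptables-restore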
Unknown protocols (no port field, no helper) will only work for unique src/dst/proto combinations: NAT can rewrite the address but has nothing else to rewrite to keep two mappings distinct.
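To show why full address/port translation needs connection tracking, and why a protocol the translator does not understand only works for unique src/dst/proto combinations, here is an added toy model of a NAPT table (not code from the original slides or from netfilter). It keeps one state entry per connection, rewrites source ports so two private hosts can share one public address, restores the original address and port on the reply, drops packets with no state, and for a port-less protocol such as GRE refuses a second mapping to the same peer. The addresses are constructed, the sequential port allocation is a simplification, and rejecting the conflicting port-less mapping is this model's own choice for illustrating the slide's point.

```python
"""Toy NAPT on top of a connection-tracking table (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Packet 5-tuple: proto, src, sport, dst, dport. Port-less protocols use None.
Tuple5 = Tuple[str, str, Optional[int], str, Optional[int]]


class NatError(Exception):
    """Raised where real NAT would drop the packet or refuse the mapping."""


@dataclass
class Napt:
    public_ip: str
    next_port: int = 1024  # first public port handed out (simplified allocator)
    # original outbound tuple -> translated outbound tuple
    out_map: Dict[Tuple5, Tuple5] = field(default_factory=dict)
    # reply tuple as it arrives from outside -> original outbound tuple
    in_map: Dict[Tuple5, Tuple5] = field(default_factory=dict)

    @staticmethod
    def _reply_key(t: Tuple5) -> Tuple5:
        proto, src, sport, dst, dport = t
        return (proto, dst, dport, src, sport)

    def _alloc_port(self) -> int:
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def snat_outbound(self, pkt: Tuple5) -> Tuple5:
        """Rewrite the source of an outbound packet, creating state on first sight."""
        if pkt in self.out_map:            # established: reuse the mapping
            return self.out_map[pkt]
        proto, src, sport, dst, dport = pkt
        if sport is None:
            # Unknown/port-less protocol: only the address can change, so the
            # translated tuple must still be unique or replies are ambiguous.
            translated = (proto, self.public_ip, None, dst, dport)
            if self._reply_key(translated) in self.in_map:
                raise NatError(f"{proto} {src}->{dst}: mapping already in use")
        else:
            # Port translation is what lets many hosts share public_ip.
            translated = (proto, self.public_ip, self._alloc_port(), dst, dport)
        self.out_map[pkt] = translated
        self.in_map[self._reply_key(translated)] = pkt
        return translated

    def dnat_inbound(self, pkt: Tuple5) -> Tuple5:
        """Rewrite the destination of a reply; untracked packets are dropped."""
        orig = self.in_map.get(pkt)
        if orig is None:
            raise NatError("no conntrack entry: untracked packet dropped")
        proto, src, sport, _dst, _dport = orig
        return (proto, pkt[1], pkt[2], src, sport)


def demo() -> dict:
    """Constructed traffic: two web clients sharing a port, a stray reply, two GRE peers."""
    nat = Napt("203.0.113.1")
    a = nat.snat_outbound(("tcp", "10.0.0.5", 40000, "198.51.100.7", 80))
    b = nat.snat_outbound(("tcp", "10.0.0.6", 40000, "198.51.100.7", 80))
    reply_b = nat.dnat_inbound(("tcp", "198.51.100.7", 80, "203.0.113.1", b[2]))
    try:
        nat.dnat_inbound(("udp", "198.51.100.7", 53, "203.0.113.1", 5555))
        stray_dropped = False
    except NatError:
        stray_dropped = True
    g1 = nat.snat_outbound(("gre", "10.0.0.5", None, "198.51.100.9", None))
    try:
        nat.snat_outbound(("gre", "10.0.0.6", None, "198.51.100.9", None))
        gre_conflict = False
    except NatError:
        gre_conflict = True
    return {"a": a, "b": b, "reply_b": reply_b, "stray_dropped": stray_dropped,
            "g1": g1, "gre_conflict": gre_conflict}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The two TCP clients both use source port 40000 and end up on distinct public ports, and the reply to the second is steered back to 10.0.0.6:40000 only because the table remembers it; the second GRE tunnel to the same peer has no port to vary and is refused, which is the failure a protocol helper exists to avoid.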
NAT gives you new power to screw over your network
NAT breaks end-to-end
NAT doesn't work on some protocols without helpers
NAT is very popular for home networks w/ dynamic dialups