NAT (Network Address Translation) is the process of forwarding and modifying IP packets through a router that connects two IP networks, at least one of which is a private network. This chapter shows how to configure a Linux host with two or more network adapters to perform NAT. The guide also assumes that your kernel is built with Netfilter support, so that iptables can be used.
In most cases a host connected to the Internet only initiates connections to other hosts. In networking jargon, hosts of this kind are called clients, and the hosts that accept the connections are called servers. Because a server process can read the client's IP address and port (its end-point) from the packets of the connection, these values do not need to be defined in advance.
Two end-points are different if the IP address and/or the port differ. Since a port is a 16-bit number, one IP address gives room for up to 2^16 end-points, so a host can run up to 2^16 processes with open connections. When these processes do not run on a single host but on the hosts of a whole IP network, and the router that connects this network to the Internet also performs address translation, rewriting the source end-point of every packet that leaves the network to a public IP address and a different port for each connection (and rewriting the replies back), we say that the router is doing NAT, or simply that the router is a NAT.
The advantage of this architecture is evident: processes spread over up to 2^16 hosts can establish up to 2^16 concurrent connections through only one public IP address (the limit is the port space of that address, per transport protocol and destination end-point). From the Internet's perspective, the NAT box looks like a single large host running up to 2^16 processes.
The private address ranges (RFC 1918) that can be used on the network behind the NAT are:
First address | Last address | Network definition | Network size |
10.0.0.0 | 10.255.255.255 | 10.0.0.0/8 | 2^24 addresses |
172.16.0.0 | 172.31.255.255 | 172.16.0.0/12 | 2^20 addresses |
192.168.0.0 | 192.168.255.255 | 192.168.0.0/16 | 2^16 addresses |
Netfilter [1] is an open-source project that develops the packet-filtering framework (a set of kernel modules) of the Linux kernel. It is configured with the iptables utility [2], also developed by the Netfilter team.
In iptables there are 4 tables (filter, nat, mangle and raw), each with a specific purpose, and each table contains chains:
Each chain is a list of rules and specifies what to do with a packet that matches one of them. For example, the chains defined in the nat table can be listed by running iptables with the options -t nat -L.
New tables cannot be defined by the administrator, but new chains can: every default table contains a set of built-in chains (PREROUTING, POSTROUTING, INPUT and OUTPUT in the case of the nat table), and user-defined chains can be added to them.
Configure the network adapters
To perform NAT two adapters are necessary. One of them is connected to the private network (in our examples, this is the eth1 device) and the other is connected to the Internet (the wlan1 device). Packets arriving on eth1 are forwarded out through wlan1, and the replies take the reverse path.
Enable IP-forwarding in the kernel
Enable packet NAT-ing
Packets that leave the NAT box towards the Internet must carry the IP address of the public network adapter (wlan1) as their source address; this is done with a rule in the POSTROUTING chain of the nat table, which is traversed just before a forwarded packet leaves the box:
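The three steps above, carried out as one script. This is an added example, not part of the original chapter: the interface names eth1 (private side) and wlan1 (public side) are the chapter's, while the private subnet 192.168.1.0/24 and the FORWARD-chain policy are assumptions made here. The rules are emitted in iptables-restore format, so the whole ruleset is loaded atomically instead of one iptables invocation per rule, and the functions only print text, so the script can be inspected before it is run as root.

```shell
#!/bin/sh
# Added example (not from the original chapter): configuration for a Linux
# host with two adapters acting as a NAT box. Subnet 192.168.1.0/24 is an
# assumed value; replace it with the private network behind the eth1 adapter.

# Step 1: the kernel must forward packets between the two adapters.
# This function prints the sysctl fragment that makes the setting permanent;
# "sysctl -w net.ipv4.ip_forward=1" applies it immediately.
forwarding_config() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# Step 2: the ruleset. $1 = private adapter, $2 = public adapter,
# $3 = private subnet. Lines starting with '#' are ignored by iptables-restore.
nat_rules() {
    priv=$1; pub=$2; net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the source end-point of packets leaving through the public adapter.
# MASQUERADE picks whatever address $pub currently has (the right choice for a
# DHCP or wireless uplink); with a fixed public address, SNAT --to-source is
# slightly cheaper. Conntrack undoes the translation on the replies.
-A POSTROUTING -s $net -o $pub -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Forward only the private network's own traffic outwards ...
-A FORWARD -i $priv -o $pub -s $net -j ACCEPT
# ... and the replies to it back inwards. Anything else trying to cross the
# box (for example, packets from the uplink aimed at the private subnet)
# hits the DROP policy of the FORWARD chain.
-A FORWARD -i $pub -o $priv -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Number of rules (lines beginning with -A) that the ruleset will load.
rule_count() {
    nat_rules "$@" | grep -c '^-A'
}

# Usage, as root:
#   forwarding_config > /etc/sysctl.d/30-nat.conf && sysctl --system
#   nat_rules eth1 wlan1 192.168.1.0/24 | iptables-restore
#   iptables -t nat -L POSTROUTING -n -v   # verify the MASQUERADE rule and its counters
```

The DROP policy on the FORWARD chain is the check most small NAT setups forget: without it the box forwards any packet that reaches it with a route to the private subnet, and the NAT rule only hides the private hosts, it does not protect them.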
[1] Netfilter.org. http://www.netfilter.org.
[2] Oskar Andreasson. Iptables Tutorial. http://www.frozentux.net/documents/iptables-tutorial.