0.1 Network Address Translation (NAT)

NAT is the process of forwarding and modifying IP packets through a router that connects two IP networks, at least one of which is a private network. This chapter shows how to configure a Linux host with two or more network adapters to perform NAT-ing. The guide also assumes that your kernel is properly configured for the use of iptables.

0.1.1 Why private networks?

In most cases a host connected to the Internet only establishes connections to other hosts. In networking slang, hosts of this kind are called clients and the others servers. Since a server process can read the IP address and the port (the end-point) of the client process from the packets of the connection, these values do not need to be defined in advance.

Two end-points are different if the IP address and/or the port differ. This means that a single host can run up to 2^16 processes with distinct end-points. When these processes run not on one host but across an IP network, and the router that connects this network to the Internet also performs address translation, replacing the source end-point of every packet coming from this network with a public IP address and a different port for each connection, we say that the router is NAT-ing, or simply that the router is a NAT.

The advantage of this architecture is evident: up to 2^15 processes running on up to 2^16 hosts can establish connections using a single (public) IP address. From the Internet's perspective, the NAT box looks like one big host that runs up to 2^16 processes.

0.1.2 Private IPv4 addresses

First address   Last address      Network definition   Network size
10.0.0.0        10.255.255.255    10.0.0.0/8           2^24 addresses
172.16.0.0      172.31.255.255    172.16.0.0/12        2^20 addresses
192.168.0.0     192.168.255.255   192.168.0.0/16       2^16 addresses

0.1.3 Netfilter

Netfilter [1] is an open-source project that develops a packet-filtering extension (a set of modules) for the Linux kernel. It is configured from user space with the utility called iptables [2], also developed by the Netfilter team.

0.1.4 Tables, chains and rules

In iptables there are 4 tables, each with a specific purpose:

  1. nat: Stores the chains used to perform NAT on packets. This table is only consulted for the packet that creates a new connection; later packets of the same connection reuse the translation recorded by the connection tracking system.
  2. raw: Contains the chains that mark the packets that should not be handled by the connection tracking system.
  3. mangle: Defines the chains for specialized packet alteration, such as modifying the TOS (Type of Service) bits, the TTL or the protocol, all of them fields of the IP header.
  4. filter: Stores the chains designed to filter packets. This is the default table when no other table is explicitly requested in an iptables invocation.

Each chain is a list of rules and specifies what to do with a packet that matches one of them. For example, to see the chains defined in the nat table, use the following command:

sudo iptables --table nat --verbose --list

New chains can be defined: as the previous example shows, each default table contains a set of built-in chains, but user-defined chains can also be created.

0.1.5 The default nat chains

  1. The PREROUTING chain: This chain is applied to each packet that arrives at a network interface, before the routing decision is made.
  2. The POSTROUTING chain: This chain is applied to each packet that leaves through a network interface, after the routing decision.
  3. The INPUT chain:
  4. The OUTPUT chain: This chain is applied to those packets that have been created by a process on the machine and go to a process on a different host.

0.1.6 A Linux NAT box creation

Configure the network adapters. To perform NAT-ing, two adapters are necessary. One of them is connected to the private network (in our examples, the eth1 device) and the other to the Internet (the wlan1 device).

Enable IP-forwarding in the kernel

echo "1" | sudo tee /proc/sys/net/ipv4/ip_forward

(Writing sudo echo "1" > /proc/sys/net/ipv4/ip_forward does not work: the redirection is performed by the unprivileged shell, not by sudo, so it fails with "Permission denied". Piping through sudo tee writes the file as root. The value is lost at reboot unless net.ipv4.ip_forward = 1 is also set in /etc/sysctl.conf.)

Enable packet NAT-ing. Packets that leave the NAT box towards the Internet must carry the IP address of the public network adapter (wlan1) as their source address:

sudo iptables --table nat --append POSTROUTING --out-interface wlan1 --jump MASQUERADE
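The whole procedure above collected into one script, added here as an example and not part of the original guide. The interface names are parameters (the guide's eth1 and wlan1 are the defaults shown in the usage), and the FORWARD rules in the filter table, which the guide does not list, are an assumption about what a NAT box needs so that the LAN can reach the Internet while unsolicited packets from the Internet are not forwarded into the LAN.

```shell
#!/bin/sh
# natbox.sh: build (and optionally apply) the rule set for a Linux NAT box.
# Usage: sh natbox.sh print eth1 wlan1        # only show the commands
#        sudo sh natbox.sh apply eth1 wlan1   # run them as root
# $1 = adapter on the private network, $2 = adapter on the Internet.

nat_rules() {
    lan="$1"; wan="$2"
    # 1. IP forwarding in the kernel. sysctl performs the write itself,
    #    so it works under sudo where 'sudo echo 1 > /proc/...' does not.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 2. Rewrite the source end-point of everything leaving via the
    #    public adapter (the MASQUERADE rule from the guide).
    echo "iptables --table nat --append POSTROUTING --out-interface $wan --jump MASQUERADE"
    # 3. Filter table (assumed, not in the guide): forward nothing by
    #    default, allow LAN -> Internet, and allow Internet -> LAN only
    #    for replies to connections the LAN opened (conntrack state).
    echo "iptables --table filter --policy FORWARD DROP"
    echo "iptables --table filter --append FORWARD --in-interface $lan --out-interface $wan --jump ACCEPT"
    echo "iptables --table filter --append FORWARD --in-interface $wan --out-interface $lan --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT"
}

# Number of commands nat_rules emits; handy for a quick sanity check.
nat_rule_count() {
    nat_rules "$1" "$2" | wc -l | tr -d ' '
}

natbox() {
    mode="$1"; shift
    case "$mode" in
        print) nat_rules "$@" ;;
        apply) nat_rules "$@" | while read -r cmd; do
                   echo "+ $cmd"
                   sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
               done ;;
        *) echo "usage: natbox print|apply LAN_IF WAN_IF" >&2; return 2 ;;
    esac
}
```

After applying, `sudo iptables --table nat --verbose --list POSTROUTING` should show the MASQUERADE rule with its packet counters increasing as LAN hosts open connections.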

Bibliography

[1]   Netfilter.org. http://www.netfilter.org.

[2]   Oskar Andreasson. Iptables tutorial. http://www.frozentux.net/documents/iptables-tutorial.