Home PC Games Linux Windows Database Network Programming Server Mobile  
  Home \ Linux \ Using iptables achieve NAT     - CentOS 5.8 (64) Python 2.7.5 installation error resolved (Linux)

- Source code is installed MySQL 5.6.28 (Database)

- Linux find command usage practices (Linux)

- The specified user to execute commands under Linux (Linux)

- Security enhancements in Ubuntu ssh service (Linux)

- Lua regex (string function) (Programming)

- Apache Spark1.1.0 deployment and development environment to build (Server)

- Ubuntu Install OpenSSL (Linux)

- The Java ThreadLocal (Programming)

- Oracle Character Set Summary (Database)

- High-performance Linux system firewall detailed analysis of double-effect (Linux)

- Kubernetes cluster deployment (Server)

- CentOS yum configuration under local sources (Linux)

- Ubuntu 12.04 installation NVIDIA GTX750 graphics driver (Linux)

- Oracle Linux 6.4 installed Oracle 11gR2 + RAC + ASM (Database)

- Zabbix monitoring disk IO status (Server)

- Linux Getting Started Tutorial: How to set up a static MAC address on VMware ESXi virtual machine (Mobile)

- Linux operating process information (Linux)

- To install OwnCloud 7.0.4 under Ubuntu (Linux)

- LVM basic concepts, management (Linux)

  Using iptables achieve NAT
  Add Date : 2018-11-21      
  This article describes how to use the powerful iptbales implement NAT function under Linux2.4. Details about iptables syntax, refer to "implement with iptales package misplaced Firewall" article. Need to affirm that this article is definitely not a simple repetition of NAT-HOWTO or Chinese version, in the whole course of the narrative, the authors are trying to use their own language to express their understanding of their own thoughts.

I. Overview

1. What is NAT

In the traditional standard TCP / IP communication process, all routers merely act as an intermediary role, which is commonly referred to as store and forward, the router will not forward the data packets to be modified, more precisely, in addition to the source MAC address into the MAC address other than your own, the router will not forward a packet to make any changes. NAT (Network Address Translation Network Address Translation) is precisely for some special needs on the packet's source ip address, destination ip address, source port, destination port rewriting operation.

2. Why should NAT

Let's look again at what we need to do NAT.

Suppose an ISP providing Internet access service park, in order to facilitate the management of the ISP assigned IP address of the user to the park are pseudo-IP, but some users claim to build their own WWW server information released, this time we can come through NAT to provide such a service. We can legally bind multiple IP addresses on the firewall's external network adapter, which is then sent to one IP address on the internal packet forwarding to a user's WWW server via NAT technology, and then the internal WWW server response packet disguised as the legitimate IP packets sent.

Another example is the use of dial-up Internet, because there is only one legitimate IP address, it must use some other means to enable the machine to be the Internet, usually way using a proxy server, but the proxy server, in particular the application layer proxy, can support limited agreement, if over a period of time after a new service out there, you can only wait for the upgrade version of the proxy server to support new applications. If you use NAT to solve this problem,

Because it is processed in the application layer below, NAT can not only get a high access speed, and can seamlessly support any new services or applications.

There is one aspect of the application redirection, that is, when receiving a packet, the packet is not forwarded, but redirected to an application on the system. The most common application is in conjunction with squid and a transparent proxy for http traffic caching while can provide seamless access to the Internet.

3. NAT type

In Linux2.4 the NAT-HOWTO, the author from the perspective of the principle of the NAT is divided into two types, namely, source NAT (SNAT) and destination NAT (DNAT), as the name implies, it is called SNAT changes the source address of the packet forwarding, called DNAT is to change the destination address of the packet forwarding.

Second, the principle

In the "implementation package with iptales misplaced Firewall" in the article we said, netfilter is a Linux kernel in a common framework, which provides a series of "table" (tables), each table by a number of "chain" (chains) composed of , and each chain can be composed of one or several of the rules (rule). And the system default table is "filter". However, when using NAT table we use is no longer a "filter", but "nat" table, so we must use the "-t nat" option to explicitly specify this. Because the system default table is "filter", so when using the filter function, we do not need to explicitly specify the "-t filter".

Like with the filter table, nat table also has three default "chain" (chains), which is three chains container rules, they are:

PREROUTING: here can be defined destination NAT rules, because the purpose of checking the packet ip address of the router route only, so in order to make the data packets to be routed correctly, we have to be on the route before the destination NAT;

POSTROUTING: Here you can define the source NAT rule, the system determines the route packets after the chain rule execution.

OUTPUT: definition of the locally generated packet purpose NAT rules.

    Third, the operation syntax

As mentioned above, when using the iptables NAT function, we must use the "-t nat" specifies that the nat table shows in each rule. Then use the following options:

1. The operation of the rules

Join (append) a new rule to a chain (-A) in the final.

A position in the chain insert (insert) a new rule (-I), is usually inserted in the front.

Replace (replace) a rule (-R) at a position within the chain.

In a position within the chain remove (delete) a rule (-D).

Remove (delete) chain within the first rule (-D).

2. Specify the source and destination addresses

By --source / - to specify the source address src / -s (where / or representation, hereinafter the same), / by --destination - dst / -s to specify the destination address. You can use the following four methods to specify the ip address:

. A complete use of the domain name, such as "www.Linuxaid.com.cn";

. B using the ip address, such as "";

. C with x.x.x.x / x.x.x.x specify a network address, such as "";

d. with x.x.x.x / x to specify a network address, such as "" here shows 24 significant digits of the subnet mask, which is a method commonly used in UNIX environments.

The default subnet mask number is 32, that is equivalent to the specified

3. Specify the network interface

You can use --in-interface / -i or --out-interface / -o to specify the network interface. As can be seen from the principle of NAT, for PREROUTING chain, we can only specify the incoming network interface with -i; and for POSTROUTING and OUTPUT We can only go out of the network interface specified by -o.

4. Specify the protocol and port

You can specify the protocol --protocol / -p option, if it is tcp and udp agreement also --source-port / - sport and --destination-port / - dport to indicate the port.
Fourth, the preparatory work

1. Compile the kernel, compile-time checking the following options can be found in the specific "implementation package with iptales misplaced Firewall" article:

Full NAT

MASQUERADE target support

REDIRECT target support

2. To use NAT table, you must first load the relevant modules:

modprobe ip_tables

modprobe ip_nat_ftp

iptable_nat module automatically loaded at runtime.

    V. Example

1. Source NAT (SNAT)

For example, change all the packets from source ip address

iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT --to

It should be noted that the system when processing such as routing and misplaced until the packet is sent to perform SNAT.

There is a special case of SNAT is ip spoofing, also known as Masquerading, generally recommended when using a dial-up Internet use, or use in a legal ip address is not fixed. such as

# Iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

As can be seen, this time we do not need to explicitly specify the source ip address and other information.

2. The purpose of SNAT (DNAT)

For example, change all the destination address ip packets from the is

iptables -t nat -A PREROUTING -s -i eth1 -j DNAT --to

It should be noted that the system is to be DNAT, misplaced before routing and other operations.

There is a special case is the redirection of DNAT, also known as Redirection, this time is equivalent to the qualified data packet's destination address to the packet network ip ip address of the interface into the system when. Is usually used when the squid configured to form a transparent proxy, assuming squid listening port is 3128, I can by the following statement from the, destination port is 80 packets redirected to the squid monitor


iptables -t nat -A PREROUTING -i eth1 -p tcp -s --dport 80

-j REDIRECT --to-port 3128

  Comprehensively examples

1. Using LAN with Internet dial-up drive

Small businesses, Internet cafes and other multi-use dial-up internet access, usually possible to use a proxy, but considering the cost, and other factors that support the protocol, it is recommended to use ip spoofing way promote regional Internet network.

After successfully upgrading the kernel install iptables, and then execute the following script:

# Load the relevant module

modprobe ip_tables

modprobe ip_nat_ftp

# For ip masquerading

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

2. ip mapping

Suppose an ISP providing Internet access service park, in order to facilitate the management of the ISP assigned IP address of the user to the park are pseudo-IP, but some users claim to build their own WWW server released information. We can bind again on the firewall's external network adapter more than one legitimate IP address, which is then sent to an IP address of a packet is forwarded to a user's internal WWW server via ip mapping so, then the internal WWW server response packet disguised as the legitimate IP packets sent.

We assume the following scenario:

ip assigned to the ISP unit A www server is:


True ip:

ip that ISP assigned to B units www server are:


True ip:

Linux firewall ip address are:

Internal network interface eth1:

External interface eth0:

We will then be assigned to A, real ip B units bound to the firewall's external interface, as root execute the following command:

ifconfig eth0 add netmask

ifconfig eth0 add netmask

After successfully upgrading the kernel install iptables, and then execute the following script:

# Load the relevant module

modprobe ip_tables

modprobe ip_nat_ftp

First, the purpose of the firewall received ip and for all data packets purpose NAT (DNAT):

iptables -A PREROUTING -i eth0 -d -j DNAT --to

iptables -A PREROUTING -i eth0 -d -j DNAT --to

Second, the firewall received a packet source ip address and is the source NAT (SNAT):

iptables -A POSTROUTING -o eth0 -s -j SNAT --to

iptables -A POSTROUTING -o eth0 -s -j SNAT --to

Thus, for all purposes as and ip packet will be forwarded to and, respectively; and all from and packets will respectively be disguised by the and, thus also realized ip mapping.
- Linux software firewall ACL match point optimization (Linux)
- Android Dynamic efficiency articles: a brilliant Loading Analysis and Implementation (Programming)
- Cobbler remotely install CentOS system (Linux)
- RPM package management under Linux (Linux)
- How to install with JSON support in Ubuntu 15.04 SQLite 3.9.1 (Database)
- Ubuntu 14.04 installation and configuration environment variable JDK1.8.0_25 (Linux)
- MySQL Tutorial: Using tpcc-mysql pressure measurement (Database)
- CentOS NAT iptables (Linux)
- The minimum initial use of the Linux operating system RancherOS feelings (Linux)
- Use value type build better applications Swift (Programming)
- Debian installation (Linux)
- How to build Memcached Docker container (Server)
- Android realize RippleEffect water (Programming)
- Install the Solaris 10 operating system environment over the network to sparc (Linux)
- Linux systems for entry-learning - Install Go language in Linux (Linux)
- Using Linux strace command trace / debug a program commonly used options (Linux)
- Advanced Search Oracle study notes (Database)
- Windows 7 hard disk installation notes Debian (Linux)
- Redis application of Sina Weibo (Database)
- JavaScript function definition mode (Programming)
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.