  Using iptables achieve NAT
  Add Date : 2018-11-21      
  This article describes how to use the powerful iptables to implement NAT under Linux 2.4. For details of the iptables syntax, refer to the article "Implementing a packet-filtering firewall with iptables". It should be stated up front that this article is definitely not a simple repetition of the NAT-HOWTO or of its Chinese translation; throughout the narrative, the author tries to express his own understanding in his own words.

I. Overview

1. What is NAT

In traditional TCP/IP communication, every router acts only as an intermediary, in what is commonly called store-and-forward: the router does not modify the packets it forwards. More precisely, apart from replacing the source MAC address with its own, a router makes no change at all to a forwarded packet. NAT (Network Address Translation) exists precisely to rewrite a packet's source IP address, destination IP address, source port or destination port for certain special needs.

2. Why should NAT

Let's look at when we need NAT.

Suppose an ISP provides Internet access to a business park. To simplify management, the ISP assigns private (non-routable) IP addresses to the users in the park, but some users want to run their own WWW servers to publish information. NAT lets us provide such a service: we bind several legitimate public IP addresses to the firewall's external network adapter, use NAT to forward the packets sent to one of those addresses to a user's internal WWW server, and then disguise the internal WWW server's response packets as coming from the legitimate IP address.

Another example is dial-up Internet access. Since there is only one legitimate IP address, some other means is needed to get the whole machine room online. The usual approach is a proxy server, but a proxy, in particular an application-layer proxy, supports only a limited set of protocols: whenever a new service appears, you can only wait for a new proxy release that supports it. If NAT is used to solve this problem instead, then because the processing happens below the application layer, NAT not only achieves a high access speed but also seamlessly supports any new service or application.

One further application is redirection: when a packet is received, it is not forwarded but redirected to an application on the local system. The most common use is together with squid as a transparent proxy, which caches HTTP traffic while providing seamless Internet access.

3. NAT type

In the Linux 2.4 NAT-HOWTO, the author divides NAT into two types by principle: source NAT (SNAT) and destination NAT (DNAT). As the names imply, SNAT changes the source address of a forwarded packet, and DNAT changes the destination address of a forwarded packet.

II. Principle

In the article "Implementing a packet-filtering firewall with iptables" we said that netfilter is a general framework inside the Linux kernel. It provides a series of "tables"; each table is composed of several "chains", and each chain consists of one or more rules. The system's default table is "filter". When using NAT, however, the table is no longer "filter" but "nat", so we must specify it explicitly with the "-t nat" option. Because the default table is "filter", the "-t filter" option need not be given when using the filtering functions.

Like the filter table, the nat table has three built-in "chains", which are the containers for its rules:

PREROUTING: destination NAT rules are defined here. Routing examines only the packet's destination IP address, so for the packet to be routed correctly the destination NAT must be performed before routing;

POSTROUTING: source NAT rules are defined here; the rules of this chain are executed after the system has determined the packet's route.

OUTPUT: destination NAT rules for locally generated packets are defined here.

III. Operation syntax

As mentioned above, when using the NAT function of iptables, every rule must specify the nat table explicitly with "-t nat". The following options are then used:

1. Operating on rules

Append (-A) a new rule at the end of a chain.

Insert (-I) a new rule at a position in a chain, usually at the front.

Replace (-R) the rule at a position in a chain.

Delete (-D) the rule at a position in a chain.

Delete (-D) the first rule in a chain that matches the given specification.

2. Specify the source and destination addresses

The source address is specified with --source/--src/-s (here "/" means "or", likewise below) and the destination address with --destination/--dst/-d. An IP address can be given in any of the following four ways:

a. with a full domain name, such as "www.Linuxaid.com.cn";

b. with an IP address, such as "";

c. with x.x.x.x/x.x.x.x to specify a network address, such as "";

d. with x.x.x.x/x to specify a network address, such as "", where the number after the slash is the number of significant bits of the subnet mask (24 here); this is the form commonly used in UNIX environments.

The default mask length is 32; an address given without a mask is therefore equivalent to the same address with /32.

3. Specify the network interface

The network interface is specified with --in-interface/-i or --out-interface/-o. As follows from the principle of NAT, for the PREROUTING chain we can only specify the incoming interface with -i; for POSTROUTING and OUTPUT we can only specify the outgoing interface with -o.

4. Specify the protocol and port

The protocol is specified with the --protocol/-p option; for tcp and udp, --source-port/--sport and --destination-port/--dport can additionally specify the port.
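To make the constraints of sections II and III concrete, here is an added example (a shell script written for this page, not code from the original article) that assembles one nat-table rule from its chain, target, match options and target options, and refuses the combinations the text rules out: -o in PREROUTING, -i in POSTROUTING or OUTPUT, and a target placed in a chain where it cannot do its job. The function name nat_rule and the addresses in the sample calls are constructed for this example; the script prints the command it would run rather than calling iptables.

```shell
#!/bin/sh
# Added example, not from the original article: build one nat-table rule from
# its parts and reject the combinations the article rules out:
#   - PREROUTING rules may use -i (incoming interface) but not -o;
#   - POSTROUTING and OUTPUT rules may use -o (outgoing interface) but not -i;
#   - SNAT and MASQUERADE belong in POSTROUTING, DNAT and REDIRECT in
#     PREROUTING or OUTPUT, because DNAT must happen before routing and SNAT
#     after it.
# Nothing here calls iptables; the function prints the command line it would
# run, so the result can be reviewed first and then piped to sh on the firewall.
#
# usage: nat_rule CHAIN TARGET "match options" "target options"
# prints the full command and returns 0, or explains the problem on stderr
# and returns 1
nat_rule() {
    chain=$1
    target=$2
    matches=$3
    topts=$4

    # interface direction check (section III.3)
    case "$chain" in
        PREROUTING)
            case " $matches " in
                *" -o "*|*" --out-interface "*)
                    echo "nat_rule: $chain rules may only use -i, not -o" >&2
                    return 1 ;;
            esac ;;
        POSTROUTING|OUTPUT)
            case " $matches " in
                *" -i "*|*" --in-interface "*)
                    echo "nat_rule: $chain rules may only use -o, not -i" >&2
                    return 1 ;;
            esac ;;
        *)
            echo "nat_rule: $chain is not a chain of the nat table" >&2
            return 1 ;;
    esac

    # target placement check (sections II and V)
    case "$target:$chain" in
        SNAT:POSTROUTING|MASQUERADE:POSTROUTING) ;;
        DNAT:PREROUTING|DNAT:OUTPUT|REDIRECT:PREROUTING|REDIRECT:OUTPUT) ;;
        *)
            echo "nat_rule: target $target is not valid in chain $chain" >&2
            return 1 ;;
    esac

    # the table comes first, then the chain, the matches, and last the target
    # with its own options (--to, --to-port) after -j
    printf 'iptables -t nat -A %s %s -j %s%s\n' \
        "$chain" "$matches" "$target" "${topts:+ $topts}"
}

# Accepted rules; addresses are constructed placeholders (RFC 5737 / RFC 1918)
nat_rule POSTROUTING MASQUERADE "-o ppp0" ""
nat_rule PREROUTING DNAT "-i eth0 -d 192.0.2.10" "--to 10.0.0.10"
nat_rule POSTROUTING SNAT "-o eth0 -s 10.0.0.0/24" "--to 192.0.2.1"
nat_rule PREROUTING REDIRECT "-i eth1 -p tcp -s 10.0.0.0/24 --dport 80" "--to-port 3128"

# Rejected: a POSTROUTING rule must match the outgoing interface, not -i
nat_rule POSTROUTING SNAT "-i eth0 -s 10.0.0.0/24" "--to 192.0.2.1" || echo "(rejected as expected)"
```

The checks are deliberately simple string matches on the option list; the point is to catch the two mistakes the article warns about before a rule ever reaches the kernel, not to replace iptables' own parsing.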

IV. Preparatory work

1. Compile the kernel with the following options checked (details can be found in the article "Implementing a packet-filtering firewall with iptables"):

Full NAT

MASQUERADE target support

REDIRECT target support

2. Before the nat table can be used, the relevant modules must be loaded:

modprobe ip_tables

modprobe ip_nat_ftp

The iptable_nat module is loaded automatically at run time.

V. Examples

1. Source NAT (SNAT)

For example, to change the source IP address of all packets coming from the given source network:

iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT --to

Note that the system performs SNAT only after routing, filtering and the other processing steps, just before the packet is sent out.

A special case of SNAT is IP masquerading (Masquerading), generally recommended for dial-up Internet access or wherever the legitimate IP address is not fixed, for example:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

As can be seen, in this case we do not need to specify the source IP address or any other information explicitly.

2. Destination NAT (DNAT)

For example, to change the destination IP address of all packets coming from the given source network:

iptables -t nat -A PREROUTING -s -i eth1 -j DNAT --to

Note that DNAT is performed before routing, filtering and the other operations.

A special case of DNAT is redirection (Redirection): the destination address of a matching packet is changed to the IP address of the network interface through which the packet entered the system. It is usually used together with squid to form a transparent proxy. Assuming squid listens on port 3128, the following statement redirects the packets from the given source network with destination port 80 to the port squid listens on:

iptables -t nat -A PREROUTING -i eth1 -p tcp -s --dport 80 -j REDIRECT --to-port 3128

VI. Comprehensive examples

1. Sharing a dial-up Internet connection on a LAN

Small businesses, Internet cafés and the like mostly get online through dial-up. A proxy can be used, but considering cost, protocol support and other factors, IP masquerading is the recommended way to put the whole local network on the Internet.

After the kernel has been upgraded and iptables installed successfully, execute the following script:

# Load the relevant modules

modprobe ip_tables

modprobe ip_nat_ftp

# IP masquerading

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

2. IP mapping

Suppose an ISP provides Internet access to a business park. To simplify management, the ISP assigns private (non-routable) IP addresses to the users in the park, but some users want to run their own WWW servers to publish information. We can bind several legitimate public IP addresses to the firewall's external network adapter, use IP mapping to forward the packets sent to one of those addresses to a user's internal WWW server, and then disguise the internal WWW server's response packets as coming from the legitimate IP address.

Assume the following scenario:

The IP the ISP assigned to unit A's WWW server:

Real IP:

The IP the ISP assigned to unit B's WWW server:

Real IP:

The Linux firewall's IP addresses:

Internal interface eth1:

External interface eth0:

Then bind the real IPs assigned to units A and B to the firewall's external interface; as root, execute the following commands:

ifconfig eth0 add netmask

ifconfig eth0 add netmask

After the kernel has been upgraded and iptables installed successfully, execute the following script:

# Load the relevant modules

modprobe ip_tables

modprobe ip_nat_ftp

First, perform destination NAT (DNAT) on all packets the firewall receives that are destined for the two public IP addresses:

iptables -t nat -A PREROUTING -i eth0 -d -j DNAT --to

iptables -t nat -A PREROUTING -i eth0 -d -j DNAT --to

Second, perform source NAT (SNAT) on all packets the firewall receives whose source IP address is one of the two internal WWW servers:

iptables -t nat -A POSTROUTING -o eth0 -s -j SNAT --to

iptables -t nat -A POSTROUTING -o eth0 -s -j SNAT --to

Thus all packets destined for the two public IP addresses are forwarded to the respective internal servers, and all packets coming from those internal servers are disguised as coming from the respective public addresses; this is what realizes IP mapping.
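Written as an added example for this IP-mapping scenario (it is not the article's own script): a shell function gen_ip_mapping_rules produces both halves of the mapping, the PREROUTING DNAT rules and the POSTROUTING SNAT rules, from one list of public/internal address pairs in iptables-restore format, and a second function check_pairing verifies that every public address that is DNATed inbound also appears as the SNAT source outbound, which is what the last paragraph relies on. The function and variable names and the 192.0.2.x / 10.0.0.x addresses are constructed placeholders; the real ISP-assigned and internal addresses go in their place, and the public addresses must still be bound to the external interface as shown above.

```shell
#!/bin/sh
# Added example, not part of the original article: emit the "IP mapping"
# ruleset as an iptables-restore fragment, one DNAT/SNAT pair per mapped
# server, so the pairing the text depends on (every public address that is
# DNATed inbound is also the SNAT source outbound) is generated from a single
# table instead of two hand-written lists that can drift apart.
# Addresses are constructed placeholders (RFC 5737 documentation range and
# RFC 1918 private range); replace them with the real ones.

EXT_IF=eth0      # external interface (the article's eth0)

# MAPPINGS: one "public_ip internal_ip" pair per line (constructed values)
MAPPINGS='
192.0.2.10 10.0.0.10
192.0.2.11 10.0.0.11
'

# gen_ip_mapping_rules: print the nat table in iptables-restore syntax
gen_ip_mapping_rules() {
    echo '*nat'
    # inbound: rewrite the destination before routing (PREROUTING, -i only)
    echo "$MAPPINGS" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        echo "-A PREROUTING -i $EXT_IF -d $pub -j DNAT --to $priv"
    done
    # outbound: rewrite the source after routing (POSTROUTING, -o only)
    echo "$MAPPINGS" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        echo "-A POSTROUTING -o $EXT_IF -s $priv -j SNAT --to $pub"
    done
    echo 'COMMIT'
}

# check_pairing: read a ruleset on stdin and confirm that every public address
# matched by a DNAT rule is also the --to address of an SNAT rule; prints the
# unmatched addresses and returns 1 if there are any
check_pairing() {
    ruleset=$(cat)
    rc=0
    for pub in $(echo "$ruleset" | awk '/-j DNAT/ { for (i = 1; i <= NF; i++) if ($i == "-d") print $(i + 1) }'); do
        echo "$ruleset" | grep -q -- "-j SNAT --to $pub\$" || { echo "no SNAT rule for $pub"; rc=1; }
    done
    return $rc
}

# On the firewall (as root) the output would be loaded with:
#   gen_ip_mapping_rules | iptables-restore --noflush
gen_ip_mapping_rules
gen_ip_mapping_rules | check_pairing && echo "every DNAT address has a matching SNAT"
```

Loading the fragment with iptables-restore --noflush keeps whatever other nat rules are already present; without --noflush the nat table is replaced by the fragment.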
  CopyRight 2002-2016 newfreesoft.com, All Rights Reserved.