Linux Networking HOWTO - DocBook Rev .02 | ||
---|---|---|
Prev | Chapter 8. Advanced Networking with Kernel 2.2 | Next |
The IP Network Address Translation facility is pretty much the standardized big brother of the Linux IP Masquerade facility. It is specified in some detail in RFC-1631 at your nearest RFC archive. NAT provides features that IP-Masquerade does not that make it eminently more suitable for use in corporate firewall router designs and larger scale installations.
An alpha implementation of NAT for Linux 2.0.29 kernel has been developed by Michael.Hasenstein, Michael.Hasenstein@informatik.tu-chemnitz.de. Michaels documentation and implementation are available from:
Linux IP Network Address Web Page
The much improved TCP/IP stack of Linux 2.2 kernel has NAT functionality built-in. This facility seems to obsolete the work by Michael Hasenstein (Michael.Hasenstein@informatik.tu-chemnitz.de).
To get it work you need kernel with enabled CONFIG_IP_ADVANCED_ROUTER, CONFIG_IP_MULTIPLE_TABLES (aka policy routing) and CONFIG_IP_ROUTE_NAT (aka fast NAT). Also, if you want to use finer grained NAT rules, you may also want to turn on firewalling (CONFIG_IP_FIREWALL) and CONFIG_IP_ROUTE_FWMARK. To actually operate these kernel features you will need the "ip" program by Alexey Kuznyetsov from ftp://ftp.inr.ac.ru/ip-routing/.
Incoming datagrams NAT
Now, to translate addresses of incoming datagrams, following command is used:
ip route add nat <ext-addr>[/<masklen>] via <int-addr> |
This will make incoming packet destined to "ext-addr" (the address visible from outside internet) to have its destination address field rewritten to "int-addr" (the address in your internal network, behind your gateway/firewall). The packet is then routed further according local routing table. You can translate either single host addresses, or complete blocks. Examples:
ip route add nat 195.113.148.34 via 192.168.0.2 ip route add nat 195.113.148.32/27 via 192.168.0.0 |
First command will make internal address 192.168.0.2 accessible as 195.113.148.34. The second example shows remapping block 192.168.0.0-31 to 195.113.148.32-63.