Network Address Translation (NAT) is the method of remapping once IP address space into another by modifying network address information stored in an IP packet’s header while they are in transit across a routing device. NAT was initially used as a tool to conserve global address space in the face of rapid IPv4 address exhaustion, so one internet-routeable IP address of a NAT gateway can be used for an entire private network.
IP masquerading is a process where one machine acts as an IP gateway for a network. All devices on that network send their packets through the gateway, which replaces the source IP address with its own address and then forwards them to the Internet. Any hosts on the Internet which would want to reply (send a packet back to the source) must send it to the gateway. The gateway replaces the destination address with the IP address of the machine which is being masqueraded and forwards that packet on the local network to the device.
Before we go any further, we should learn a bit about packets and attributes and take a look at netfilter/iptables. A detailed description of IP packets can be found here https://en.wikipedia.org/wiki/IPv4#Packet_structure
We will focus on the fields Source Address and Destination Address because they contain, as the name suggests, the IP addresses of the source and destination devices.
Once an IP packet is received, that device has to assign the data to a process, which is the role of the transport layer. Each networking process uses a port number/numbers. For example, SSH uses port 22, HTTP uses port 80, HTTPS uses port 443 and so on. We will provide a link to a list of well know applications and ports they use:https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports
The combination of IP address and port number is called a socket and they are unique. In this case, connections are defined by their endpoints, a device/host sends data from its socket to the server socket and vice versa.
The Linux kernel comes with a packet filtering application named netfilter. It supplies the functions necessary to allow, drop and modify network traffic leaving and entering a system. Iptables builds upon this functionality to provide a firewall, which an administrator can configure by adding/removing/modifying rules.
iptables is a command line interface to netfilter. The filtering mechanisms provided by iptables is organized into three structures: tables, chains and targets.
These tables have chains attached to them, which allow you to inspect network traffic at certain points. When a packet arrives or leaves, iptables matches it against rules in these chain one-by-one. If it finds a match, it jumps onto the target and performs the associated action.
There are four tables:
- filter : it is the default table. It is used to decide if a packet should be allowed to reach its destination
- mangle : table that allows the alteration of packet headers
- nat : allows the routing of packets to different hosts on NAT networks. This is done by changing the source and destination addresses
- raw : allows the alteration of a packet before the kernel starts tracking its state
Chains allows filtering of packets at various points. Below you can find a list of chains provided by iptables:
- PREROUTING : rules apply to packets as they arrive on the network interface. Present in nat, mangle, raw tables
- INPUT : rules apply before packets are given to a local process. Present in mangle, filter tables
- OUTPUT : rules apply to packets just after they’ve been produced by a process. Present in raw, mangle, nat, filter tables
- FORWARD : rules apply to packets that are routed through the current device. Present in mangle, filter tables
- POSTROUTING : rules apply to packets as they leave the network interface. Present in mangle, filter tables
Targets decide what to do with packets after they have been filtered. The most common targets are:
- ACCEPT : causes iptables to accept the packet
- DROP : causes iptables to drop the packet
- REJECT : causes iptables to reject the packet, sending a connection reset packet in case of TCP or a destination host unreachable packet in case of UDP/ICMP
- MASQUERADE : masks the private IP address of a node with the external IP address of the router/gateway
Following are a few examples on how to use iptables.
Blocking an IP
This is one of the most common uses of a firewall. Lets assume that an IP, 220.127.116.11, is trying to attack your server. To block packets from this IP, add the following rule to the INPUT chain of the filter table:
iptables -t filter -A INPUT -s 18.104.22.168 -j REJECT
Lets look at the command and its arguments:
- t : specifies the table in which the rule goes
- A : append this rule to the list of already existing rules in the INPUT chain
- s : sets the source IP that should be blocked
- j : specifies the use of the REJET target
Block IP range
To do this, use the CIDR (classless inter-domain routing) notation:
iptables -A input -s 22.214.171.124/24 -j REJECT
Block output traffic
In this case, make use of the OUTPUT chain and the -d flag (destination IP):
iptables -A OUTPUT -d 126.96.36.199 -j DROP
Removing rules can be done by replacing the -A switch with -D (deletes a rule):
iptables -D INPUT -s 188.8.131.52 -j REJECT
It may be necessary at certain times to remove all rules in a chain. Instead of removing them one by one, use the -F switch, which flushes the chain
iptables -F INPUT
Connecting a private subnet to the Internet using NAT
The important rules regarding NAT are found the in nat table. The chains present in this table are : PREROUTING, OUTPUT, POSTROUTING. The PREROUTING and POSTROUTING chains are the most important ones. PREROUTING is responsible for packets that just arrived at the network interface, thus no routing decisions have been made. After passing this chain, the routing decision is made. If packets arriving at the network interface are intended for this machine, the packets will be directed to the corresponding process, no need to worry about NAT. But if the recipient is located on a sub-network connected to a different network interface, then the packets are forwarded to that interface. Before the packets leave the host, they are passes to the POSTROUTING chain and then leave through the network interface.
In the following example, I have set up two virtual machines, one (the frontend) has two network interfaces (enp0s3 – public interface ; enp0s8 – private interface).
Before we do any packet manipulation, we need to activate IP forwarding on the frontend. To do this, modify the file located at /proc/sys/net/ipv4/ip_forward :
echo “1” > /proc/sys/net/ipv4/ip_forward
Now we need to set the rules in iptables. We want to have the following scenario: packets arriving from the private interface must be modified such that the sender’s address is the same as the router’s/frontend address. In our example, enp0s3 is the public interface and enp0s8 is the private interface. In this case, the iptables file (located at /etc/sysconfig/iptables) should look similar:
You can either edit the iptables file or issue commands from a terminal, which will generate a similar file to one in Figure 3. To do so, you can run the following command:
iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
Lets look at the command and its arguments:
- iptables : the command line utility for configuring the kernel
- -t nat : select the nat table (NAT configurations are written here)
- -A POSTROUTING: append rule to the POSTROUTING chain
- -o enp0s3 : this rule applies to packets that leave the interface; -o stand for output
- -j MASQUERADE : the action that should take place is masquerade, which means that the sender’s ip address should be replaced with that of the router
The result is that we can now access the Internet from our private sub-network