NAT = Network Address Translation
This means that all traffic from the networks behind the firewall appears on the internet as if it originated from a single IP address.
The masqueraded IP address always defaults to the IP address of the firewall's main interface. This makes it easier to configure iptables NAT on an interface whose address is assigned by DHCP, because you don't have to specify the NAT IP address yourself.
Masquerading needs the iptable_nat module loaded and IP forwarding enabled.
Step 1. Load the iptable_nat module
taufanlubis@zyrex:~$ sudo modprobe -a iptable_nat
or put this line in /etc/rc.local so it is loaded at boot:
modprobe -a iptable_nat
Check that the module is available (modprobe -l lists the module files on disk; lsmod shows the modules that are currently loaded).
root@zyrex:/home/taufanlubis# sudo modprobe -l | grep iptable_nat
/lib/modules/2.6.20-16-generic/kernel/net/ipv4/netfilter/iptable_nat.ko
root@zyrex:/home/taufanlubis#
Step 2. Enable routing by changing ip_forward in /proc/sys/net/ipv4 from '0' to '1'.
0 = disabled, 1 = enabled. (This setting is lost on reboot; put net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it permanent.)
taufanlubis@zyrex:~$ su root
Password:
root@zyrex:/home/taufanlubis# echo 1 > /proc/sys/net/ipv4/ip_forward
Check the value.
root@zyrex:/home/taufanlubis# cat /proc/sys/net/ipv4/ip_forward
1
root@zyrex:/home/taufanlubis#
Step 3. Allow masquerading
Let's try a case.
You have two interfaces in your router:
eth0 is the internet interface
eth1 is the private network interface
If you configure your firewall to do masquerading, the IP address of eth1 should be the default gateway for all servers on the private network.
taufanlubis@zyrex:~$ sudo iptables -A POSTROUTING -t nat -s 192.168.0.1/24 -o eth0 -d 0/0 -j MASQUERADE
taufanlubis@zyrex:~$ sudo iptables -A FORWARD -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
taufanlubis@zyrex:~$ sudo iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Packets from 192.168.0.1-192.168.0.254 destined to any IP address are masqueraded by the nat table's POSTROUTING rule; the filter table's FORWARD chain decides which of them may pass:
Allowed outbound: new, established and related connections
Allowed inbound: established and related connections only
Check the iptables’ rules again.
taufanlubis@zyrex:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
taufanlubis@zyrex:~$
You will not see the POSTROUTING chain rule because iptables -L without -t shows only the filter table (INPUT, FORWARD and OUTPUT). To list the nat table, run iptables -t nat -L.
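The three steps above, combined into one small script. This is an added example, not the script from the original post: it uses the same layout (eth0 = internet, eth1 = private network, 192.168.0.0/24 behind the router), but the interface names, the subnet and the sysctl path are assumptions you can override through environment variables. Run without arguments it only prints the commands it would execute; set APPLY=1 and run it as root to apply them. It also differs from the post's listing in one point: it sets the FORWARD policy to DROP, because with the default policy ACCEPT (as in the iptables -L output above) every forwarded packet is allowed anyway and the ESTABLISHED,RELATED rule on the inbound side restricts nothing.

```shell
#!/bin/sh
# Added example (not from the original post): masquerade a private network
# behind one internet interface.  Defaults follow the post's layout; all of
# them are assumptions and can be overridden from the environment.
WAN="${WAN:-eth0}"                    # internet-facing interface
LAN="${LAN:-eth1}"                    # private network interface
LAN_NET="${LAN_NET:-192.168.0.0/24}"  # network behind the router
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"

# run_cmd: print a command, and execute it only when APPLY=1 (dry run otherwise)
run_cmd() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    fi
}

# ip_forward_enabled FILE: succeed if FILE (normally
# /proc/sys/net/ipv4/ip_forward) contains "1", fail otherwise
ip_forward_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# nat_rules WAN LAN NET: emit the iptables commands that masquerade NET out of
# WAN, one per line.  The FORWARD policy is DROP so that only the two explicit
# state rules decide what is forwarded: anything from the LAN may go out,
# but only replies to existing connections come back in.
nat_rules() {
    wan="$1"; lan="$2"; net="$3"
    cat <<EOF
iptables -t nat -A POSTROUTING -s $net -o $wan -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan -o $wan -s $net -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# nat_rule_count WAN LAN NET: number of commands nat_rules would emit
nat_rule_count() {
    nat_rules "$@" | wc -l | tr -d ' '
}

main() {
    # Step 2 of the post: enable routing if it is not already on
    if ! ip_forward_enabled "$IP_FORWARD"; then
        run_cmd sh -c "echo 1 > $IP_FORWARD"
    fi
    # Step 3 of the post: masquerading plus the FORWARD rules
    nat_rules "$WAN" "$LAN" "$LAN_NET" | while read -r line; do
        # word splitting of $line into separate arguments is intended here
        run_cmd $line
    done
}

main "$@"
```

Without APPLY=1 the script is a safe way to review the ruleset before touching a live router; afterwards, iptables -t nat -L and iptables -L FORWARD show the result (the nat table is not part of plain iptables -L, as noted above).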