Shashikant shah

Sunday, 19 January 2014

Linux NAT (Network Address Translation) On CentOS,RHEL


Network Address Translation
Made by :- shashikant
For computers to communicate with each other, every computer must have a unique address to send and receive data; without one, nobody can send data to you. IPv4 has 2^32 addresses, of which roughly 588514304 are reserved for special purposes, which leaves only 2^32 - 588514304 unique public IP addresses.
Imagine an office with 1000 computers whose users all need to reach hosts on the Internet. Assigning a unique public IP address to each of them is impractical and wastes scarce address space.
You also sometimes want to hide the addressing of your internal network from the public Internet, for security reasons. NAT was designed to solve both problems.

What is NAT ?

The name itself says what it does: it translates addresses. With NAT, one IP address is rewritten into another. The primary job of a NAT device is to rewrite the source or destination address (and, for port translation, the port) of an IP packet, and to remember that mapping so that the reply packets can be rewritten back to the original host.
There are hardware devices that do this job, but here we will do it with a Linux system.
  

Here are my assumptions:
Hostname :- nat.shashi.com
WAN = eth0 with public IP 10.30.138.78 / 255.255.224.0
LAN = eth1 with private IP 192.168.0.100 / 255.255.255.0

Step by Step Procedure

Step 1. Add 2 network cards to the Linux server.

Step 2. Verify that both network cards are detected and have an interface configuration file.
# ls /etc/sysconfig/network-scripts/ifcfg-eth* | wc -l
The output should be "2". Note that this counts configuration files, not detected cards; the files only exist once each interface has been configured, so create them as in Steps 3 and 4 if the count is lower.

Step 3. Configure eth0 for the Internet with a public IP (external network). The address and mask must match what your ISP gave you; here they are the WAN values listed above.
cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
BROADCAST=10.30.159.255 # Optional entry; broadcast address of 10.30.138.78/255.255.224.0
HWADDR=00:50:BA:88:72:D4 # Optional entry
IPADDR=10.30.138.78
NETMASK=255.255.224.0 # Provided by the ISP
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
GATEWAY=10.0.2.2 # Provided by the ISP; must lie inside the IPADDR/NETMASK subnet
Check the gateway against the subnet before going further: 10.0.2.2 is not inside 10.30.138.78/255.255.224.0, so with these exact values the box would have no route to the Internet. Use the gateway your ISP gives you for your actual WAN subnet.

Step 4. Configure eth1 for the LAN with a private IP (internal network).
cat /etc/sysconfig/network-scripts/ifcfg-eth1
BOOTPROTO=none
PEERDNS=yes
HWADDR=00:50:8B:CF:9C:05 # Optional
TYPE=Ethernet
IPV6INIT=no
DEVICE=eth1
NETMASK=255.255.255.0 # Specify based on your requirement
BROADCAST=""
IPADDR=192.168.0.100 # LAN clients will use this address as their default gateway
USERCTL=no
ONBOOT=yes

Step 5. Host configuration (optional).
# cat /etc/hosts
127.0.0.1 nat.shashi.com localhost.localdomain localhost

Step 6.Gateway Configuration.
# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=nat.shashi.com
GATEWAY=10.0.2.2 # Internet Gateway, provided by the ISP

Step 7.DNS Configuration.
# cat /etc/resolv.conf
nameserver 10.0.2.2 # Primary DNS Server provided by the ISP

Step 8. NAT configuration with iptables.
First delete and flush the existing rules. The default table is "filter"; other tables such as "nat" must be named explicitly with --table.
# iptables --flush {Flush all rules in the filter table only}
# iptables --table nat --flush {Flush all rules in the nat table}
# iptables --delete-chain {Delete user-defined chains in the filter table}
# iptables --table nat --delete-chain {Delete user-defined chains in the nat table}
Flushing does not change the default policy of the built-in chains (INPUT, FORWARD, OUTPUT); on a stock CentOS/RHEL install they are ACCEPT.

Step9.Check nat tables :-
# iptables -t nat -L

Step 10. Set up IP forwarding and masquerading
# iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# iptables --append FORWARD --in-interface eth1 --out-interface eth0 -j ACCEPT
# iptables --append FORWARD --in-interface eth0 --out-interface eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
MASQUERADE rewrites the source address of every packet leaving eth0 to eth0's current address, which is what makes the LAN hosts appear as the NAT box. The first FORWARD rule lets LAN hosts out; the second only lets packets in from eth0 when they belong to a connection a LAN host already opened. A plain "--out-interface eth1 -j ACCEPT" rule, as is often shown, would forward any packet arriving on eth0 into the LAN. Both FORWARD rules are only meaningful if the chain's default policy is DROP, so set it to DROP so that nothing other than the listed traffic is forwarded.

Step 11. Enable packet forwarding in the kernel
# echo 1 > /proc/sys/net/ipv4/ip_forward
Without this the kernel silently drops packets that are not addressed to itself, and no FORWARD rule ever matches. The echo takes effect immediately but is lost at reboot; to make it permanent set net.ipv4.ip_forward = 1 in /etc/sysctl.conf.

Step 12. Save and apply the configuration
# service iptables save
# service iptables restart
"service iptables save" writes the running rule set to /etc/sysconfig/iptables, which the iptables service reloads at boot; without it the rules above are lost at the next restart.
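Steps 8 to 12 collected into one reviewable script, added here as an example (it is not the original post's own code). nat_rules prints the commands without running them, so the rule set can be reviewed before apply_nat_rules executes it as root, and in_subnet performs the gateway check that the WAN configuration above needs: a gateway outside the WAN subnet leaves the box with no route out. Interface names eth0/eth1 and the addresses are the ones used on this page; anything else is an assumption to replace with your own values.

```shell
#!/bin/sh
# Added example, not part of the original post: the NAT rule set from the
# write-up as a dry-run generator plus an apply function, and a subnet check
# for the WAN gateway. Interfaces and addresses default to those on this page.

# ip_to_int 10.30.138.78 -> the dotted quad as one integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP ADDR MASK : exit status 0 when IP lies inside ADDR/MASK
in_subnet() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "$2")
    mask=$(ip_to_int "$3")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# nat_rules WAN LAN : print the iptables commands, one per line, in order.
# FORWARD policy is DROP, so only two directions are ever forwarded: anything
# from the LAN out, and only replies to those connections back in.
nat_rules() {
    wan=$1
    lan=$2
    cat <<EOF
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --policy FORWARD DROP
iptables --append FORWARD --in-interface $lan --out-interface $wan -j ACCEPT
iptables --append FORWARD --in-interface $wan --out-interface $lan -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface $wan -j MASQUERADE
EOF
}

# apply_nat_rules WAN LAN : run the rules (needs root), enable forwarding in
# the running kernel, and persist both across reboots.
apply_nat_rules() {
    nat_rules "$1" "$2" | sh -e || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
    grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf 2>/dev/null \
        || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    service iptables save
}

# Stand-alone run: show the rules for review and check the gateway from this
# page against the WAN address and mask from this page.
nat_rules eth0 eth1
if in_subnet 10.0.2.2 10.30.138.78 255.255.224.0; then
    echo "gateway 10.0.2.2 is inside the WAN subnet"
else
    echo "WARNING: gateway 10.0.2.2 is not inside 10.30.138.78/255.255.224.0"
fi
```

Run it as-is to review the rules and the gateway check; run "apply_nat_rules eth0 eth1" from a root shell that has sourced the file to apply them. The policy line is what the write-up's two FORWARD rules rely on: with the stock ACCEPT policy they are redundant and every packet is forwarded regardless.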

Step 13. Check the connection tracking table:
NAT is stateful: the kernel must remember each translated connection so that replies can be mapped back to the right LAN host. This connection tracking information is exposed in /proc/net/ip_conntrack (on newer kernels, including CentOS/RHEL 6, it is /proc/net/nf_conntrack instead). Because it lives in the /proc file system it is held in RAM, not on disk, for fast access.

# cat /proc/net/ip_conntrack
cat: /proc/net/ip_conntrack: No such file or directory

Oops, that file does not exist on my system. That is because the kernel module that does the connection tracking is not loaded yet. So load it with modprobe:

# modprobe ip_conntrack

On kernels that use nf_conntrack, the module is nf_conntrack_ipv4 and the file to read is /proc/net/nf_conntrack. Note that loading the nat table with iptables (Step 10) pulls connection tracking in as a dependency, so the file normally appears once the MASQUERADE rule has been added.

To delete a single rule by its position in a chain (list positions with iptables -L --line-numbers):
# iptables -D chain-name line-no
# iptables -D INPUT 2
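Reading the connection tracking table by eye gets tedious, so here is an added example (not from the original post) that turns each conntrack line into the NAT mapping it records. Each line carries two tuples: the original direction (src=LAN host, dst=remote) and the reply direction (src=remote, dst=the NAT box's public address). The address the LAN host was masqueraded to is therefore the dst of the reply tuple, and a flow whose reply dst equals its original src was not translated at all (a connection from the NAT box itself, or one that missed the MASQUERADE rule). The sample lines are constructed for the addresses on this page, with 203.0.113.10 standing in for a remote web server; they are not captured output.

```shell
#!/bin/sh
# Added example, not part of the original post: print the NAT mapping recorded
# by each conntrack entry. Handles both the /proc/net/ip_conntrack and the
# /proc/net/nf_conntrack line formats (the latter has a leading "ipv4 2").

# nat_mappings : read conntrack lines on stdin, print one mapping per flow
nat_mappings() {
    awk '
    function endpoint(a, p) { return (p == "") ? a : a ":" p }
    {
        n = 0; proto = "?"
        # clear per-line state so a portless (icmp) line cannot inherit ports
        split("", src); split("", dst); split("", sport); split("", dport)
        for (i = 1; i <= NF; i++) {
            if ($i == "tcp" || $i == "udp" || $i == "icmp") proto = $i
            split($i, kv, "=")
            if (kv[1] == "src")        { n++; src[n] = kv[2] }
            else if (kv[1] == "dst")   dst[n] = kv[2]
            else if (kv[1] == "sport") sport[n] = kv[2]
            else if (kv[1] == "dport") dport[n] = kv[2]
        }
        # a complete flow has an original tuple (1) and a reply tuple (2)
        if (n != 2) next
        if (dst[2] == src[1])
            printf "%s %s -> %s NOT translated\n", proto,
                endpoint(src[1], sport[1]), endpoint(dst[1], dport[1])
        else
            printf "%s %s -> %s masqueraded as %s\n", proto,
                endpoint(src[1], sport[1]), endpoint(dst[1], dport[1]),
                endpoint(dst[2], dport[2])
    }'
}

# Constructed sample (not captured): a web, a DNS and a ping flow from LAN
# client 192.168.0.102 through the NAT box 10.30.138.78, plus one DNS lookup
# made by the NAT box itself, which is not translated.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.0.102 dst=203.0.113.10 sport=51234 dport=80 src=203.0.113.10 dst=10.30.138.78 sport=80 dport=51234 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=192.168.0.102 dst=10.0.2.2 sport=40711 dport=53 src=10.0.2.2 dst=10.30.138.78 sport=53 dport=40711 mark=0 use=1
ipv4     2 icmp     1 29 src=192.168.0.102 dst=10.0.2.2 type=8 code=0 id=4242 src=10.0.2.2 dst=10.30.138.78 type=0 code=0 id=4242 mark=0 use=1
ipv4     2 udp      17 29 src=10.30.138.78 dst=10.0.2.2 sport=33120 dport=53 src=10.0.2.2 dst=10.30.138.78 sport=53 dport=33120 mark=0 use=1'

# sample_mappings : run the parser over the constructed sample
sample_mappings() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | nat_mappings
}

# Stand-alone run. On the NAT box use: nat_mappings < /proc/net/nf_conntrack
sample_mappings
```

On a live box a LAN flow showing "NOT translated" means the MASQUERADE rule did not match it (wrong --out-interface, or the packet left through another interface), which is the first thing to check when clients can reach the NAT box but not the Internet.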

Step 14. Testing from a client system
Configure a LAN client with:
IP :- 192.168.0.102
Subnet mask :- 255.255.255.0
Gateway :- 192.168.0.100 (the LAN address of the NAT box)
DNS :- 10.0.2.2 (reached through the NAT box)

Step 15. Enter the DNS IP on the client:
# vim /etc/resolv.conf
search example.com # Optional search domain
nameserver 10.0.2.2 # DNS server provided by the ISP, reached through the NAT box

Step 16. Try it on your client systems
# route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.0.100   0.0.0.0         UG    0      0        0 eth0
The default route (destination 0.0.0.0) must point at the NAT box's LAN address, 192.168.0.100.

# ping 192.168.0.100 {the LAN side of the NAT box}
# ping google.com {through the NAT; this also exercises DNS}
If the first ping works but the second does not, ping a public IP address directly: success means the NAT is fine and only DNS is wrong (Step 15); failure means forwarding or masquerading is wrong (Steps 10 to 12).


