Network Address Translation
Made by :- shashikant
For computers to communicate with each other, each computer must have a unique address to send and receive data. If you do not have a unique address, others will not be able to send data to you. In IPv4 there are around 2^32 addresses, out of which 588514304 are reserved for special purposes, which means we only have 2^32 - 588514304 unique public IP addresses.
Imagine an office with 1000 computers for the employees to work on. If each of them needs to communicate with hosts on the Internet, assigning a unique public IP address to each of them is impractical and a waste of scarce public address space.
Also, sometimes you want to hide your internal network address details from the public Internet, for security reasons. NAT is a solution that was made to solve these problems.
What is NAT ?
The name itself suggests that it does a translation of addresses: with the help of NAT, one IP address can be translated to another. The primary job of a NAT device is to rewrite the source and destination address of an IP packet.
There are hardware devices that do this job, but we will be doing this with the help of a Linux system.
Here is my setup:
Hostname :- nat.shashi.com
WAN = eth0 with public IP 10.30.138.78 / 255.255.224.0
LAN = eth1 with private IP 192.168.0.100 / 255.255.255.0
Step by Step Procedure
Step 1. Add 2 network cards to the Linux server.
Step 2. Verify that the network cards are installed properly.
# ls /etc/sysconfig/network-scripts/ifcfg-eth* | wc -l
The output should be "2"
Step 3. Configure eth0 for the Internet with a public IP (external network or Internet).
# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
BROADCAST=10.0.2.255 # Optional Entry
HWADDR=00:50:BA:88:72:D4 # Optional Entry
IPADDR=10.30.138.11
NETMASK=255.255.254.0 # Provided by the ISP
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
GATEWAY=10.0.2.2 # Provided by the ISP
Step 4. Configure eth1 for the LAN with a private IP (internal private network).
# cat /etc/sysconfig/network-scripts/ifcfg-eth1
BOOTPROTO=none
PEERDNS=yes
HWADDR=00:50:8B:CF:9C:05 # Optional
TYPE=Ethernet
IPV6INIT=no
DEVICE=eth1
NETMASK=255.255.255.0 # Specify based on your requirement
BROADCAST=""
IPADDR=192.168.0.100 # Gateway of the LAN
USERCTL=no
ONBOOT=yes
Step 5. Host configuration (optional).
# cat /etc/hosts
127.0.0.1 nat.shashi.com localhost.localdomain localhost
# cat /etc/resolv.conf
nameserver 10.0.2.2
Step 6. Gateway configuration.
# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=nat.shashi.com
GATEWAY=10.0.2.2 # Internet Gateway, provided by the ISP
Step 7. DNS configuration.
# cat /etc/resolv.conf
nameserver 10.0.2.2 # Primary DNS server provided by the ISP
Step 8. NAT configuration with iptables.
Delete and flush. The default table is "filter"; other tables like "nat" must be named explicitly.
# iptables --flush {Flush all the rules in the filter table}
# iptables --table nat --flush {Flush all the rules in the nat table}
Delete all user-defined chains in the default filter table and in the nat table :-
# iptables --delete-chain
# iptables --table nat --delete-chain
Step 9. Check the nat table :-
# iptables -t nat -L
Step 10. Set up IP forwarding and masquerading
# iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# iptables --append FORWARD --in-interface eth1 -j ACCEPT
# iptables --append FORWARD --out-interface eth1 -j ACCEPT
Step 11. Enable packet forwarding in the kernel
# echo 1 > /proc/sys/net/ipv4/ip_forward
This setting is lost on reboot; to make it persistent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
Step 12. Apply the configuration
# service iptables save
# service iptables restart
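The rules of steps 8 to 12 collected into one script, as an added example that is not part of the original post. It keeps the page's WAN=eth0 / LAN=eth1 layout (the interface names and the 192.168.0.0/24 LAN subnet are assumptions taken from this page) but tightens the FORWARD chain: the return path into the LAN only accepts replies to connections the LAN started, instead of the blanket "--out-interface eth1 -j ACCEPT" rule above, and only the LAN subnet is masqueraded.

```shell
#!/bin/sh
# Added example (not from the original post): the NAT rules of steps
# 8-12 as a script for WAN=eth0 / LAN=eth1, with two hardening changes
# a practitioner would want:
#  - traffic into the LAN is limited to RELATED,ESTABLISHED (replies to
#    connections the LAN started) instead of the page's blanket
#    "--out-interface eth1 -j ACCEPT"
#  - the FORWARD policy is DROP, and only the LAN subnet is masqueraded
# Interface names and the LAN subnet are assumptions matching this page.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
IPT=${IPT:-iptables}   # set IPT=echo to print the commands instead

nat_rules() {
    $IPT --table nat --flush
    $IPT --flush FORWARD
    $IPT --policy FORWARD DROP
    # Only packets from the LAN subnet leaving via the WAN are masqueraded
    $IPT --table nat --append POSTROUTING --source "$LAN_NET" \
        --out-interface "$WAN" -j MASQUERADE
    # LAN -> Internet: new and existing connections from the LAN subnet
    $IPT --append FORWARD --in-interface "$LAN" --out-interface "$WAN" \
        --source "$LAN_NET" -j ACCEPT
    # Internet -> LAN: only replies to connections the LAN initiated
    $IPT --append FORWARD --in-interface "$WAN" --out-interface "$LAN" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Returns 0 when IPv4 forwarding is on (step 11), 1 otherwise. The file
# path is a parameter so the check can be exercised on a copy.
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Dry run in a subshell: prints the six rules without touching iptables
dry_run() (
    IPT=echo
    nat_rules
)

# "apply" installs the rules (needs root); anything else just shows them
case "${1:-show}" in
    apply) nat_rules; forwarding_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward ;;
    *) dry_run ;;
esac
```

Run it without arguments to review the rules it would install, and with "apply" as root to install them; "service iptables save" from step 12 still persists them.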
Step 13. Check the connection tracking table :-
Let's see some example entries from a connection tracking table in Linux. This connection tracking information is stored in /proc/net/ip_conntrack. (An important fact to note here is that these connection tracking tables are stored in the /proc file system, which means they are kept in RAM for faster access.)
# cat /proc/net/ip_conntrack
cat: /proc/net/ip_conntrack: No such file or directory
Oops!! I don't have that file on my system. That's because the kernel module that does the connection tracking is not loaded. So let's load that kernel module with the help of the modprobe command:
# modprobe ip_conntrack
# iptables -D chain-name line-no {Delete rule number line-no from chain chain-name}
# iptables -D INPUT 2
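Once the module is loaded, each conntrack entry carries two address tuples: the original direction and the reply direction. For a masqueraded session the reply tuple's destination is the router's public address rather than the LAN host, which is how you can tell from the table which internal hosts are talking out through the NAT. The script below, an added example and not part of the original post, summarises that per LAN host; the entries are constructed to match this page's setup (LAN 192.168.0.0/24, public side 10.30.138.11, ISP DNS 10.0.2.2) and are not captured output.

```shell
#!/bin/sh
# Added example: count NATed sessions per LAN host from conntrack entries.
# SAMPLE_CONNTRACK is constructed to resemble /proc/net/ip_conntrack on
# this page's router; on a live system run: nat_sessions < /proc/net/ip_conntrack
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.0.102 dst=198.51.100.10 sport=52123 dport=80 packets=5 bytes=420 src=198.51.100.10 dst=10.30.138.11 sport=80 dport=52123 packets=4 bytes=1200 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=192.168.0.102 dst=198.51.100.20 sport=52200 dport=443 packets=9 bytes=3000 src=198.51.100.20 dst=10.30.138.11 sport=443 dport=52200 packets=8 bytes=9000 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.0.103 dst=10.0.2.2 sport=40000 dport=53 packets=1 bytes=60 src=10.0.2.2 dst=10.30.138.11 sport=53 dport=40000 packets=1 bytes=120 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.30.138.50 dst=10.30.138.11 sport=33000 dport=22 packets=20 bytes=2000 src=10.30.138.11 dst=10.30.138.50 sport=22 dport=33000 packets=18 bytes=4000 [ASSURED] mark=0 use=1'

# Reads conntrack lines on stdin. The first src=/dst= pair is the original
# direction, the second is the reply direction. When the reply dst differs
# from the original src, the router rewrote the source (MASQUERADE), so
# the entry is a NATed session. Prints "<lan-host> <count>" per host.
nat_sessions() {
    awk '{
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { n++; src[n] = substr($i, 5) }
            else if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
        }
        # src[1]/dst[1] = original tuple, src[2]/dst[2] = reply tuple
        if (n == 2 && dst[2] != src[1]) count[src[1]]++
    }
    END { for (h in count) print h, count[h] }' | sort
}

# Runs the summary over the constructed sample above
nat_sessions_sample() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | nat_sessions
}

nat_sessions_sample
```

The last entry in the sample is an SSH session to the router itself: its reply destination equals the original source, so it is correctly left out of the count. On current kernels the same table is /proc/net/nf_conntrack with an extra leading address-family field, which this parser handles unchanged because it only looks at the src=/dst= fields.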
Step 14. Testing from a client system
IP :- 192.168.0.102
Subnet mask :- 255.255.255.0
Gateway :- 192.168.0.100
DNS :- 10.0.2.2
Step 15. Enter the DNS IP :-
# vim /etc/resolv.conf
search example.com # nat hostname
nameserver 10.0.2.2 # Provided by the ISP - DNS
Step 16. Try it on your client systems
# route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.0.100   0.0.0.0         UG    0      0        0 eth0
# ping 192.168.0.100
# ping google.com