3.3 The <nat> section

The NAT section is used to define network address translation rules, these rules allow one to translate the source or destination IP address within packets. A common use for this is when a webserver is behind a firewall, requests are made to a globally routable IP address and translated to the internal IP address of the webserver and visa versa.

This section has the following syntax...

     <firewall>
     .
     .
     .
         <nat>
             <snat>
                 <rule name="traf_from_webserver"
                         to-src="<globally routable IP here>">
                     traffic_from_webserver
                 </rule>
             </snat>
             <dnat>
                 <rule name="traf_to_webserver" to-dst="192.168.1.100">
                     traffic_to_webserver
                 </rule>
             </dnat>
             <masq>
                 <rule name="traf_to_from_inside">
                     internal_dsl_ips
                 </rule>
             </masq>
         </nat>
     .
     .
     .
     </firewall>

There are 3 tags available, <snat>, <dnat> and <masq>, these three tags are used for source network address translation, destination address translation and masquerading respectively.

Valid options for these tags are as follows...

• Source network address translation using <snat>
  
  SNAT is used for source network address translation, an example of which is again a webserver behind a firewall. Where SNAT comes in handy is when the webserver makes a query through the firewall, instead of the traffic on the internet comming from the webservers internal IP 192.168.1.100 which is not going to work, the firewall translates 192.168.1.100 to a globally routable IP address.
  
  There are no parameters for this tag, although the following sub-tags and parameters are available...
  
  
  • Specify a rule with <rule> ... </rule>
    
    The <rule> tag is used to specify what classes apply to what rule, and are in order inserted into the actual iptables chains as iptables rules.

    The <rule> tag takes the following parameters...
    

    • name="..." - Optional name of rule
      
    • to-src"..." - Translate all traffic matched in the class specification to this source IP address.

    Between the opening and closing tags, classes defined in the <global> section are listed, these classify which traffic applies to which rule.
    
    Multiple classes can be listed, one per line.

  
  

• Destination network address translation using <dnat>
  
  DNAT is used for destination network address translation, an example of which is yet again a webserver behind a firewall. Where DNAT comes in handy is when requests are made to the webservers globally routable IP, this IP address is routed through the firewall and translated to the webservers internal IP address. Optional traffic filtering can be carried out on the traffic, this is in most instances the case and prevents alot of harmfull traffic from interferring with the webservers operation.
  
  There are no parameters for this tag, although the following sub-tags and parameters are available...
  
  
  • Specify a rule with <rule> ... </rule>
    
    The <rule> tag is used to specify what classes apply to what rule, and are in order inserted into the actual iptables chains as iptables rules.
    
    The <rule> tag takes the following parameters...
    
    • name="..." - Optional name of rule
      
    • to-dst"..." - Translate all traffic matched in the class specification to this destination IP address.
    
    Between the opening and closing tags, classes defined in the <global> section are listed, these classify which traffic applies to which rule.
    
    Multiple classes can be listed, one per line.

  
  

• Masquerading using <masq>
  
  Masquerading is normally used for source address translation in the scenario where you have a dynamic IP and never know what address to do the translation to. An example of which is a home PC acting as a DSL router.
  
  There are no parameters for this tag, although the following sub-tags and parameters are available...
  
  
  • Specify a rule with <rule> ... </rule>
    
    The <rule> tag is used to specify what classes apply to what rule, and are in order inserted into the actual iptables chains as iptables rules.

    The <rule> tag takes the following parameters...
    

    • name="..." - Optional name of rule
      
    • to-ports"..." - This specifies a range of source ports to use, overriding the default SNAT source port-selection heuristics. For this parameter to work you MUST have defined a protocol in all the classes specified. For example proto="tcp".

    Between the opening and closing tags, classes defined in the <global> section are listed, these classify which traffic applies to which rule.
    
    Multiple classes can be listed, one per line.

     <firewall>
         # Global configuration and access classes
         <global>
             <class name="traf_from_webserver">
                 <address src="192.168.0.100"/>
             </class>
             <class name="traf_to_webserver">
                 <address dst="<globally routable IP here>"/>
             </class>
         </global>
     
         # Network address translation
         <nat>
             <snat>
                 <rule to-src="<globally routable IP here>">
                     traf_from_webserver
                 </rule>
             </snat>
             <dnat>
                 <rule to-dst="192.168.0.100">
                     traf_to_webserver
                 </rule>
             </dnat>
         </nat>
     </firewall>

Here is an example if you pc is acting as a DSL router...

     <firewall>
         # Global configuration and access classes
         <global>
             <class name="traf_going_to_dsl">
                 <address src="192.168.0.0/24"/>
             </class>
         </global>
     
         # Network address translation
         <nat>
             <masq>
                 <rule name="masq_traffic_going_out">
                     traf_going_to_dsl
                 </rule>
             </masq>
         </nat>
     </firewall>