Next Previous Contents

5. Controlling What To NAT

You need to create NAT rules which tell the kernel what connections to change, and how to change them. To do this, we use the very versatile iptables tool, and tell it to alter the NAT table by specifying the `-t nat' option.

The table of NAT rules contains three lists called `chains': each rule is examined in order until one matches. The three chains are called PREROUTING (for Destination NAT, as packets first come in), POSTROUTING (for Source NAT, as packets leave), and OUTPUT (for Destination NAT of locally-generated packets).

The following diagram would illustrate it quite well if I had any artistic talent:

      _____                                     _____
     /     \                                   /     \
   PREROUTING -->[Routing ]----------------->POSTROUTING----->
     \D-NAT/     [Decision]                    \S-NAT/
                     |                            ^
                     |                          __|__
                     |                         /     \
                     |                        | OUTPUT|
                     |                         \D-NAT/
                     |                            ^
                     |                            |
                     --------> Local Process ------

At each of the points above, when a packet passes we look up what connection it is associated with. If it's a new connection, we look up the corresponding chain in the NAT table to see what to do with it. The answer it gives will apply to all future packets on that connection.

5.1 Simple Selection using iptables

iptables takes a number of standard options as listed below. All the double-dash options can be abbreviated, as long as iptables can still tell them apart from the other possible options. If your kernel has iptables support as a module, you'll need to load the ip_tables.o module first: `insmod ip_tables'.

The most important option here is the table selection option, `-t'. For all NAT operations, you will want to use `-t nat' for the NAT table. The second most important option to use is `-A' to append a new rule at the end of the chain (eg. `-A POSTROUTING'), or `-I' to insert one at the beginning (eg. `-I PREROUTING').

You can specify the source (`-s' or `--source') and destination (`-d' or `--destination') of the packets you want to NAT. These options can be followed by a single IP address (eg. 192.168.1.1), a name (eg. www.kernelnotes.org), or a network address (eg. 192.168.1.0/24 or 192.168.1.0/255.255.255.0).

You can specify the incoming (`-i' or `--in-interface') or outgoing (`-o' or `--out-interface') interface to match, but which you can specify depends on which chain you are putting the rule into: at PREROUTING you can only select incoming interface, and at POSTROUTING (and OUTPUT) you can only select outgoing interface. If you use the wrong one, iptables will give an error.

5.2 Finer Points Of Selecting What Packets To Mangle

I said above that you can specify a source and destination address. If you omit the source address option, then any source address will do. If you omit the destination address option, then any destination address will do.

You can also indicate a specific protocol (`-p' or `--protocol'), such as TCP or UDP; only packets of this protocol will match the rule. The main reason for doing this is that specifying a protocol of tcp or udp then allows extra options: specifically the `--source-port' and `--destination-port' options (abbreviated as `--sport' and `--dport').

These options allow you to specify that only packets with a certain source and destination port will match the rule. This is useful for redirecting web requests (TCP port 80 or 8080) and leaving other packets alone.

These options must follow the `-p' option (which has a side-effect of loading the shared library extension for that protocol). You can use port numbers, or a name from the /etc/services file.

All the different qualities you can select a packet by are detailed in painful detail in the manual page (man iptables).


Next Previous Contents