You need to create NAT rules which tell the kernel what connections
to change, and how to change them. To do this, we use the very
versatile iptables
tool, and tell it to alter the NAT table by
specifying the `-t nat' option.
The table of NAT rules contains three lists called `chains': each rule is examined in order until one matches. The three chains are called PREROUTING (for Destination NAT, as packets first come in), POSTROUTING (for Source NAT, as packets leave), and OUTPUT (for Destination NAT of locally-generated packets).
The following diagram would illustrate it quite well if I had any artistic talent:
_____ _____
/ \ / \
PREROUTING -->[Routing ]----------------->POSTROUTING----->
\D-NAT/ [Decision] \S-NAT/
| ^
| __|__
| / \
| | OUTPUT|
| \D-NAT/
| ^
| |
--------> Local Process ------
At each of the points above, when a packet passes we look up what connection it is associated with. If it's a new connection, we look up the corresponding chain in the NAT table to see what to do with it. The answer it gives will apply to all future packets on that connection.
iptables
takes a number of standard options as listed
below. All the double-dash options can be abbreviated, as long as
iptables
can still tell them apart from the other possible
options. If your kernel has iptables support as a module, you'll need
to load the ip_tables.o module first: `insmod ip_tables'.
The most important option here is the table selection option, `-t'. For all NAT operations, you will want to use `-t nat' for the NAT table. The second most important option to use is `-A' to append a new rule at the end of the chain (eg. `-A POSTROUTING'), or `-I' to insert one at the beginning (eg. `-I PREROUTING').
You can specify the source (`-s' or `--source') and destination (`-d' or `--destination') of the packets you want to NAT. These options can be followed by a single IP address (eg. 192.168.1.1), a name (eg. www.kernelnotes.org), or a network address (eg. 192.168.1.0/24 or 192.168.1.0/255.255.255.0).
You can specify the incoming (`-i' or `--in-interface') or outgoing
(`-o' or `--out-interface') interface to match, but which you can
specify depends on which chain you are putting the rule into: at
PREROUTING you can only select incoming interface, and at POSTROUTING
(and OUTPUT) you can only select outgoing interface. If you use the
wrong one, iptables
will give an error.
I said above that you can specify a source and destination address. If you omit the source address option, then any source address will do. If you omit the destination address option, then any destination address will do.
You can also indicate a specific protocol (`-p' or `--protocol'), such as TCP or UDP; only packets of this protocol will match the rule. The main reason for doing this is that specifying a protocol of tcp or udp then allows extra options: specifically the `--source-port' and `--destination-port' options (abbreviated as `--sport' and `--dport').
These options allow you to specify that only packets with a certain source and destination port will match the rule. This is useful for redirecting web requests (TCP port 80 or 8080) and leaving other packets alone.
These options must follow the `-p' option (which has a side-effect of loading the shared library extension for that protocol). You can use port numbers, or a name from the /etc/services file.
All the different qualities you can select a packet by are detailed
in painful detail in the manual page (man iptables
).