NAD710 - Introduction to Networks Using Linux  

Network Address Translation

May 28, 2003Professor Tom Mavroidis

Introduction

IP Internet has had two most significant problems:

• IP address depletion

• Scaling in routing

• CIDR (Classless Inter Domain Routing )

The first short-term solution was:

Two types of solutions proposed: short-term and long-term

The long-term solutions consist of various proposals for new Internet protocols with larger addresses (IPv6)

When CIDR failed to further maintain the IP internet structure,

there came another proposal : N A T

NAT is not a very far reaching or long term solution

But at least it is very fast, provides extra time until better solutions are designed and almost independent from the outer networks.

Proposals

When is a NAT Solution Required ?

•If you have an intranet with non-routable addresses.

•You require a very limited number of IP addresses for inbound connectivity or have a limited number of globally unique IP addresses from your ISP.

•You want the addresses within a stub domain to be used by any other stub domains.

•You prefer not to use proxy servers but would rather have a more general address domain.

•do not want to pay more to your ISP just for outbound connectivity

NAT is translation of either a subset or all of the IP addresses in a sub domain to globally unique address(es).

From an operational point of view, it is a function imposed on the router. That is a router on the gateway border to be configured as a Network Address Translator.

What is NAT?

•Static Address Translation:

•m:n translation, m,n>=1 and m=n

•Dynamic Address Translation:

•m:n translation, m>=1 and m>=n

•IP Masquerading:

m:n translation, m>=1 and n=1

Where:

m=number of IP’s to be translated

n=number of IP’s available for translation

Three Main Implementations

RFC 1631

RFC 2694

•Basic definitions

•Address spaces

•Routing across NAT

•Header and checksum manipulations

•DNS Extensions to NAT

•Private networks with/without DNS servers

•Incoming and outgoing name lookup queries

The RFC’s are as follows

IP chains implementation

•Three permanent chains: input – forward – output.

•Custom chains can be added.

•The order of chains is important.

•Basic communication rules and connectivity must be preserved (ICMP group of messages are vital)

•Special care must be taken for protocols using more than one port (ftp, irc, realaudio etc..)

•Logging must be limited and maintained to prevent overflows

•Originated in the 2.1.102. to 2.2.x kernel

IP chains flow of events:

Local processes

CRC

INPUT chain

Inbound packetOK

Malformed?

garbageyes

error

Deny-reject

Accept packetRouting algorithm

Local destination

Outbound packetMalformed?

forwarded packet

no

no FORWARD chain

Deny-reject

yes

Malformed?yes

Outbound packet

no

OUTPUT chain

Deny-rejectOutbound packet

Enable IP forwarding for the kernel

Execute:

echo “1” > /proc/sys/net/ipv4/ip_forward

Or make it permanent ( persistent between boots ) with assigning the variable

IP_FORWARD = yes

in /etc/sysconfig/sysctl file

This will ensure basic router functionality

Use /sbin/ipchains-save > afilename to save the rules

Use /sbin/ipchains-restore < afilename to restore the rules

To get this thing going

IP chains syntax

ipchains –[flags] [input | outout | forward | custom_chain] [options] [action]

ipchains –M [-L | -S] [options]

A very simple example with IP Masquerading:

RO

UT

ER

WIT

H N

AT

10.1.1.1

eth1

202.7.1.19

eth0

InternetInternal net

10.0.0.0

IP tables with Netfilter

•Built into kernel

•Three tables: filter - nat – mangle

•Eight chains for three tables:

filter / INPUT , filter / FORWARD , filter / OUTPUT

nat / PREROUTING , nat / OUTPUT , nat / POSTROUTING

mangle / PREROUTING , mangle / OUTPUT

•Connection tracking

•Higher level abstraction and built-in functionality for N A T.

•Kernel 2.4.x or higher

•Three built-in chains: INPUT – FORWARD - OUTPUT

Filter table:

Local processes

Routing algorithm

FORWARD chain

OUTPUT chain

INPUT chain

Inbound packet Outbound

packet

INBOUND PACKET FLOW

INBOUND PACKET FLOW FROM A LOCAL PROCESS

•Three built-in chains:

•PREROUTING – OUTPUT -POSTROUTING

nat table:

Local processes

Routing algorithm

POSTROUTING chain

OUTPUT chain

PREROUTING chainInbound

packetOutbound packet

INBOUND PACKET FLOW

INBOUND PACKET FLOW FROM A LOCAL PROCESS

•Two built-in chains: PREROUTING – OUTPUT

mangle table:

Local processes

Routing algorithm

OUTPUT chain

PREROUTING chainInbound

packetOutbound packet

INBOUND PACKET FLOW

INBOUND PACKET FLOW FROM A LOCAL PROCESS

IP tables syntax

iptables –[flags] [chain] [options [extentions] ] [action]

Syntax and examples:

A very simple example with Static IP Translation:

RO

UT

ER

WIT

H N

AT

10.1.1.1

eth1

202.7.1.19

eth0

InternetInternal net

10.0.0.0/8

www ftp

10.1.1.4 10.1.1.5

192.168.0.1 192.168.0.14

192.168.1.15

192.168.0

192.168.1

192.168.1.13

192.168.0.16

192.168.1.16

RedHat 6.2

RedHat 6.2

ROUTER running SuSE 8.0

Windows 98

Windows 98

10 mb/s repeater

100 mb/s switch

192.168.0.1192.168.0.14

192.168.1.15

ROUTER with NAT running SuSE 8.0

192.168.0

192.168.1

192.168.1.13

192.168.0.16

192.168.0.15

192.168.0.13

192.168.1.16

internet

Windows 98 with NAT

ppp

RedHat 6.2

RedHat 6.2 Windows 98

100 mb/s switch

10 mb/s repeater

Why – Why not?

•Good short term solution

•Can be installed incrementally – a few changes needed

•No special infrastructure needed

•Economical solution

•Unexpected-unstable traffic load, bandwidth constraints.

•The more the addresses the more there is a probability of mis-addressing.

• Does not fit with certain applications.

•Identity of hosts screened (may be a plus or a minus)

•DNS incompatibility issues

Bibliography:

• Presentation Submission by Haulk Madenciaglu

• Computer Bits August 1997 Vol 7 No.8

•Network Address Translation by Ted Mittelstaedt

•RFC 1631 by K. Egevang and P.Francis

•RFC 2694 by P. Akkiraju and A. Heffernan

•IP NAT by Michael Hasenstein 1997

•http://www.suse.de/~mha/HyperNews/get/linux-ip-nat.html

•Linux TCP/IP Network Administration by S. Mann 2002 PHI