NAD710 - Introduction to Networks Using Linux
Network Address Translation
May 28, 2003 - Professor Tom Mavroidis
Introduction
The IP Internet has had two most significant problems:
• IP address depletion
• Scaling in routing
Proposals
Two types of solutions were proposed: short-term and long-term.
The first short-term solution was CIDR (Classless Inter-Domain Routing).
The long-term solutions consist of various proposals for new Internet protocols with larger addresses (IPv6).
When CIDR failed to further maintain the IP internet structure, there came another proposal: NAT.
NAT is not a very far-reaching or long-term solution, but at least it is very fast, provides extra time until better solutions are designed, and is almost independent from the outer networks.
When is a NAT Solution Required?
• If you have an intranet with non-routable addresses.
• You require a very limited number of IP addresses for inbound connectivity, or have a limited number of globally unique IP addresses from your ISP.
• You want the addresses within a stub domain to be used by any other stub domains.
• You prefer not to use proxy servers but would rather have a more general address domain.
• You do not want to pay more to your ISP just for outbound connectivity.
What is NAT?
NAT is the translation of either a subset or all of the IP addresses in a sub domain to globally unique address(es).
From an operational point of view, it is a function imposed on the router; that is, a router on the gateway border is configured as a Network Address Translator.
• Static Address Translation: m:n translation, m,n >= 1 and m = n
• Dynamic Address Translation: m:n translation, m >= 1 and m >= n
• IP Masquerading: m:n translation, m >= 1 and n = 1
Where:
m = number of IPs to be translated
n = number of IPs available for translation
Three Main Implementations
The RFCs are as follows:
RFC 1631
• Basic definitions
• Address spaces
• Routing across NAT
• Header and checksum manipulations
RFC 2694
• DNS Extensions to NAT
• Private networks with/without DNS servers
• Incoming and outgoing name lookup queries
IP chains implementation
• Three permanent chains: input - forward - output.
• Custom chains can be added.
• The order of chains is important.
• Basic communication rules and connectivity must be preserved (the ICMP group of messages is vital).
• Special care must be taken for protocols using more than one port (ftp, irc, realaudio etc.).
• Logging must be limited and maintained to prevent overflows.
• Originated in the 2.1.102 to 2.2.x kernels.
IP chains flow of events:
[Figure: ipchains flow of events. An inbound packet first passes the CRC and malformed-packet check; a failed check ends as garbage or an error. The packet then traverses the INPUT chain, where it is denied/rejected or accepted. Accepted packets go to the routing algorithm: a packet for a local destination is delivered to local processes, a forwarded packet traverses the FORWARD chain (deny/reject or accept). Packets leaving the host, whether forwarded or generated by local processes, traverse the OUTPUT chain before they go out as outbound packets.]
To get this thing going
Enable IP forwarding for the kernel. Execute:
echo "1" > /proc/sys/net/ipv4/ip_forward
Or make it permanent (persistent between boots) by assigning the variable
IP_FORWARD=yes
in the /etc/sysconfig/sysctl file.
This will ensure basic router functionality.
Use /sbin/ipchains-save > afilename to save the rules.
Use /sbin/ipchains-restore < afilename to restore the rules.
IP chains syntax
ipchains -[flags] [input | output | forward | custom_chain] [options] [action]
ipchains -M [-L | -S] [options]
A very simple example with IP Masquerading:
[Figure: ROUTER WITH NAT. eth0 (202.7.1.19) faces the Internet; eth1 (10.1.1.1) faces the internal net 10.0.0.0.]
IP tables with Netfilter
• Built into kernel
• Three tables: filter - nat - mangle
• Eight chains for three tables:
filter / INPUT, filter / FORWARD, filter / OUTPUT
nat / PREROUTING, nat / OUTPUT, nat / POSTROUTING
mangle / PREROUTING, mangle / OUTPUT
• Connection tracking
• Higher level abstraction and built-in functionality for NAT.
• Kernel 2.4.x or higher
Filter table:
• Three built-in chains: INPUT - FORWARD - OUTPUT
[Figure: filter table packet flow. An inbound packet goes to the routing algorithm and then either through the INPUT chain to local processes or through the FORWARD chain; a packet from a local process goes through the OUTPUT chain; both FORWARD and OUTPUT lead to the outbound packet.]
nat table:
• Three built-in chains: PREROUTING - OUTPUT - POSTROUTING
[Figure: nat table packet flow. An inbound packet traverses the PREROUTING chain before the routing algorithm; a packet from a local process traverses the OUTPUT chain; every packet leaving traverses the POSTROUTING chain after routing, on its way out as an outbound packet.]
mangle table:
• Two built-in chains: PREROUTING - OUTPUT
[Figure: mangle table packet flow. An inbound packet traverses the PREROUTING chain before the routing algorithm; a packet from a local process traverses the OUTPUT chain; both continue to the outbound packet.]
IP tables syntax
Syntax and examples:
iptables -[flags] [chain] [options [extensions]] [action]
A very simple example with Static IP Translation:
[Figure: ROUTER WITH NAT. eth0 (202.7.1.19) faces the Internet; eth1 (10.1.1.1) faces the internal net 10.0.0.0/8, which holds a www server at 10.1.1.4 and an ftp server at 10.1.1.5.]
[Figure: lab network. A ROUTER with NAT running SuSE 8.0 connects the 192.168.0 and 192.168.1 subnets to the internet. The subnets hold RedHat 6.2 and Windows 98 hosts (addresses shown include 192.168.0.1, 192.168.0.13, 192.168.0.14, 192.168.0.15, 192.168.0.16, 192.168.1.13, 192.168.1.15 and 192.168.1.16) attached through a 10 mb/s repeater and a 100 mb/s switch.]
[Figure: variant of the lab network in which a Windows 98 host with NAT reaches the internet over a ppp link, with the same 192.168.0 and 192.168.1 subnets, hosts, repeater and switch.]
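The two "very simple example" slides above show only the router figure, so here is an added rule set for that router, written for this page and not taken from the original presentation: the ipchains masquerading form and the iptables/netfilter form side by side. Assumed topology: eth0 = 202.7.1.19 (Internet), eth1 = 10.1.1.1 (internal net 10.0.0.0/8), www = 10.1.1.4, ftp = 10.1.1.5; the IPC/IPT variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original slides. Rule sets for the router in
# the figures, assuming eth0 = 202.7.1.19 (Internet), eth1 = 10.1.1.1
# (internal net 10.0.0.0/8), www = 10.1.1.4, ftp = 10.1.1.5. Run with
# IPC=echo or IPT=echo to preview the commands without touching the kernel.
IPC=${IPC:-ipchains}
IPT=${IPT:-iptables}
PUB=202.7.1.19
LAN=10.0.0.0/8
WWW=10.1.1.4
FTP=10.1.1.5

# IP masquerading with ipchains (2.2 kernels): m:1 translation of the whole
# LAN to the address of eth0, the interface the packets leave through.
ipchains_masq() {
  $IPC -P forward DENY
  $IPC -A forward -s "$LAN" -i eth0 -j MASQ
}

# The same router with iptables/netfilter (2.4 kernels): translation lives
# in the nat table, filtering in the filter table, and connection tracking
# lets reply packets back in without a rule per port.
iptables_nat() {
  # Outbound: SNAT to the fixed public address. MASQUERADE is the choice
  # for a link whose address changes, such as a ppp dial-up.
  $IPT -t nat -A POSTROUTING -o eth0 -s "$LAN" -j SNAT --to-source "$PUB"
  # Inbound static translation of the two published services.
  $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination "$WWW"
  $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to-destination "$FTP"
  # Filter table: forward nothing by default, then allow LAN-originated
  # flows, their replies, and only the two published ports from outside.
  $IPT -P FORWARD DROP
  $IPT -A FORWARD -i eth1 -o eth0 -s "$LAN" -j ACCEPT
  $IPT -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -i eth0 -o eth1 -d "$WWW" -p tcp --dport 80 -j ACCEPT
  $IPT -A FORWARD -i eth0 -o eth1 -d "$FTP" -p tcp --dport 21 -j ACCEPT
  # ftp opens a second (data) connection: the ip_conntrack_ftp and
  # ip_nat_ftp helper modules must be loaded so that RELATED matches it.
}

# Only apply rules when asked explicitly; sourcing the file just defines them.
case "${1:-}" in
  ipchains) ipchains_masq ;;
  iptables) iptables_nat ;;
esac
```

Preview with `IPT=echo sh nat.sh iptables`; applying the rules needs root and the IP forwarding setting from the earlier slide.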
Why - Why not?
Why:
• Good short-term solution
• Can be installed incrementally; few changes needed
• No special infrastructure needed
• Economical solution
Why not:
• Unexpected, unstable traffic load and bandwidth constraints
• The more addresses there are, the higher the probability of mis-addressing
• Does not fit with certain applications
• Identity of hosts is screened (may be a plus or a minus)
• DNS incompatibility issues
Bibliography:
• Presentation Submission by Haulk Madenciaglu
• Computer Bits, August 1997, Vol 7 No. 8
• Network Address Translation by Ted Mittelstaedt
• RFC 1631 by K. Egevang and P. Francis
• RFC 2694 by P. Akkiraju and A. Heffernan
• IP NAT by Michael Hasenstein, 1997
• http://www.suse.de/~mha/HyperNews/get/linux-ip-nat.html
• Linux TCP/IP Network Administration by S. Mann, 2002, PHI