NAT, Dynamic NAT, NAT Overloading/Masquerade with IPTables

If you have had experience with NATs via Cisco Routers or read about them in your CCNA studies, there are 3 Network Address Translation(NAT) types. Technically, two, see here, plus a third special case.

  • Static NAT, one-to-one mapping
  • Dynamic NAT, pool-to-pool mapping
  • Dynamic NAT with PAT Overload, many-to-one mapping

So as you can see the two types are static NAT and Dynamic NAT, with the special case of Dynamic NAT with PAT overload.

NAT

NAT, also know as “static NAT”,  is a one-to-one mapping of an inside IP address to outside IP address. For each real outside IP you address have, you also have to have an inside IP mapped to it. This can be useful to hide a inside entities true identify, and also put it behind a firewall rather than directly exposed to the outside networks. Keeping in mind the example below exposes all ports and protocols to this inside address. You can use further filters on each statement, such as specifiying ACCEPT’d ports, etc.

iptables example:
eth0 = outside network
eth1 = inside network

Dynamic NAT

Dynamic NAT, or NAT pool, is a pool-to-pool network translation. You have a pool of inside IP addresses and a pool of outside IP addresses to dynamical translate to. Each dynamic NAT is selects an outside IP address to use when connecting to outside networks, this 1:1 mapping persists as long as the connection takes place. This is common for DMZ networks where there is a set amount of outside IP addresses that need to be mapped to  inside IP addresses.

iptables example:
eth0 = outside network
eth1 = inside network

Or more finite.

NOTICE: outside IP address range has to be within the same network. Also you can split up the ranges by using the –to parameter.

Dynamic NAT with PAT Overload

Dynamic NAT with PAT Overload, also known as IP Masquerading, is a Dynamic Network Address Translation with Port Address Translation Overload. This is a many-to-one NAT type and works by using a single outside IP address for many inside IP addresses. Many inside IP addresses share this outside IP address, by borrowing source ports from the outside IP. This effectively is how the NAT keeps track of the outside-to-inside and inside-to-outside translations. Dynamic NAT with PAT Overload is limited to the amount of source ports not in use, as the PAT piece utilizes unused source ports on the single outside address to create the inside mapping. Exceeding the number of ports available is referred to as port exhaustion. Therefore, if you foresee exceeding 65000+ connections, you will need to be aware of this limitation and assign more outside IP address to accommodate.

iptables example:
eth0 = outside network
eth1 = inside network

Or if you have an outside IP address that does not change use SNAT for the entire outbound interface. I’ve read some articles stating that MASQUERADE is CPU intensive, so use SNAT when you possible.
NOTICE: Masquerade specifies an interface, SNAT specifies an IP.

iptables example:
eth0 = outside network
eth1 = inside network

You could also specfiy which inside networks are allowed to SNAT using the outside IP address.

Split them up based on inside IP address information. For example, let’s say you have a 192.168.0.0/24 for Users and a 192.168.1.0/24 for Servers. Let’s also assume you have at least two outside IP addresses. You can do the following to not have IP’s overlap from different networks

Keeping Track of Those Connections

Now you may be thinking how can I see these mappings that the iptable NAT’ing is creating. The Netfilter community has a nice little application to display the current NAT table conntrack can be used to display real time NATing, simlar to Cisco’s show ip nat translations command in the IOS,and it’s available in Ubuntu’s package repository.

Install it:

List Connection Table:

Show Connections:

You will see [NEW],[UPDATE],[ASSURED],[DESTROY].
[NEW] = New NAT traffic flow
[UPDATE] = Active NAT traffic flows
[ASSURED] = Firewall sees NAT traffic in both directions for pair
[DESTROY] = Destroys NAT mapping

You can also filter out connections, see here for parameters.

Sources:

  1. Netfliter NAT Documentation
  2. Linux Home Networking
  3. Conntrack
  4. iptables wikipedia

There are 8 comments left Go To Comment

  1. Raiden /

    Thanks for this article. I knew only Cisco based NAT and I could not understand iptables terminology but now it’s clear for me.

  2. Raiden /

    I think, that it should be target POSTROUTING instead of PREROUTING in the static nat rule “iptables -t nat -A PREROUTING -d {inside_address} -j SNAT –to-destination {outside_address}”.

    1. thejimmahknows / Post Author

      Thanks Raiden, I updated the post.

      Cheers!

  3. Zorz /

    Nice article!

  4. ravi kumar /

    hi dude this article is nice. but am facing problem with many to many nat.

    iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT –to 192.168.3.0-192.168.3.255

    am having 192.168.2.0/24 network that has to be translated to one of the ipaddress of 192.168.3.0/24. by this am not getting end to end communication

    1. thejimmahknows / Post Author

      Have you tried specifying the output interface with -o eth0 or whatever your interface label is?

  5. Hammad /

    Hi,
    I have my outside interface ppp0 with inet address 39.34.145.80 P-t-P 10.0.235.89
    and i have my inside eth0 with 192.168.1.20. i want to access the server connected at etho from outside. Will you pls help me out with NAT on linux in this case

    1. Jim / Post Author

      Hi Hammad, since you have a inside eth0 interface along with a ppp0 on two separate networks, you will need a deivce to perform routing. Is this box acting as a masquerad device? Meaning do you PAT the ppp0 external address?

Leave a Reply