For this tutorial I will outline two common PAT configurations. The first is a host with a single NIC that forwards traffic from a specific subnet (its own local subnet):
We should first ensure IP forwarding is turned on in the kernel (this takes effect immediately but does not survive a reboot; run it as root, since the redirection is performed by the calling shell rather than by sudo):
echo 1 > /proc/sys/net/ipv4/ip_forward
To make the setting permanent, edit the sysctl.conf file:
sudo vi /etc/sysctl.conf
and add:
net.ipv4.ip_forward = 1
For security we should also stop the host from sending ICMP redirects on eth0 by setting:
net.ipv4.conf.eth0.send_redirects = 0
and then run the following to apply the changes:
sudo sysctl -p /etc/sysctl.conf
We should proceed by setting up masquerading and NAT with iptables:
iptables -t nat -A POSTROUTING -o eth0 -s 172.36.0.0/16 -j MASQUERADE
* The above command appends a new rule to the POSTROUTING chain of the nat table: egress packets leaving on eth0 whose source address is within 172.36.0.0/16 are 'masqueraded' (their source address is rewritten to the IP address of the router's outgoing interface).
We can review our rules with:
sudo iptables -vL -t nat
We should then save our rules so they can be restored after a reboot by issuing:
iptables-save > /etc/iptables.up.rules
The second scenario is where we have a host with two NICs: one hosts an internal client range (10.0.0.0/24) and the other faces the outside network (60.70.80.90/28). We would like all egress traffic from a specific internal subnet to be NATed out from the outside interface address of 60.70.80.91.
iptables -t nat -A POSTROUTING -o eth0 -s 172.36.0.0/16 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -s 172.36.0.0/16 -o eth0 -j ACCEPT
* Where eth0 is on our EXTERNAL subnet and eth1 is on our INTERNAL network. The first rule masquerades egress traffic from the internal subnet out of eth0 (MASQUERADE rewrites the source to whatever address eth0 currently holds), the second allows return traffic for connections that are already established back in from eth0 to eth1, and the third allows the internal subnet to open new connections outbound. The rules above reuse the 172.36.0.0/16 source subnet from the first scenario; substitute the internal range being translated.
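As an added check that is not part of the original tutorial, the following POSIX shell script audits a saved rule dump such as /etc/iptables.up.rules for the properties these rules depend on (source-restricted NAT, reply-only forwarding from the external interface, and a DROP default policy on FORWARD), using a constructed sample of the second scenario's rules. The audit_rules and write_sample functions and the sample dump are my own; the interface names are the tutorial's.

```shell
#!/bin/sh
# Added audit helper, not part of the tutorial: reads a saved dump such as the
# /etc/iptables.up.rules file written above and checks the properties its
# rules depend on. Arguments: rules file, external interface (eth0 here).
# Exit status is the number of findings, so 0 means all checks passed.
audit_rules() {
  rules=$1; ext=$2; findings=0
  # 1. Every NAT rule in POSTROUTING must carry a source subnet (-s), as the
  #    tutorial's MASQUERADE rule does; without it the box translates for any host.
  if grep -E '^-A POSTROUTING .*-j (MASQUERADE|SNAT)' "$rules" | grep -vq -- ' -s '; then
    echo "WARN: POSTROUTING NAT rule without a source subnet"; findings=$((findings + 1))
  fi
  # 2. Forwarding from the external interface must be limited to replies: a
  #    state match that contains ESTABLISHED and never NEW.
  if grep -E "^-A FORWARD .*-i $ext .*-j ACCEPT" "$rules" \
      | grep -vE -- '--(ct)?state [A-Z,]*ESTABLISHED' | grep -q .; then
    echo "WARN: FORWARD accepts traffic from $ext without a connection-state match"
    findings=$((findings + 1))
  fi
  if grep -E "^-A FORWARD .*-i $ext .*-j ACCEPT" "$rules" | grep -qE -- '--(ct)?state [A-Z,]*NEW'; then
    echo "WARN: FORWARD accepts NEW connections from $ext"; findings=$((findings + 1))
  fi
  # 3. The FORWARD ACCEPT rules only restrict anything when the chain's default
  #    policy is DROP; the kernel default, which the tutorial leaves in place, is ACCEPT.
  if ! grep -q '^:FORWARD DROP' "$rules"; then
    echo "WARN: FORWARD policy is not DROP, so the ACCEPT rules limit nothing"
    findings=$((findings + 1))
  fi
  return $findings
}

# Constructed sample in iptables-save format (not a real dump): the second
# scenario's rules. Arguments: output file, FORWARD policy (ACCEPT or DROP).
write_sample() {
  cat > "$1" <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.36.0.0/16 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD $2 [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 172.36.0.0/16 -i eth1 -o eth0 -j ACCEPT
COMMIT
EOF
}
```

On a real host, source the file and run `audit_rules /etc/iptables.up.rules eth0`; against the sample as the tutorial leaves it, only the FORWARD policy finding fires.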