Monday 7 March 2016

Setting up PAT with IPTables on Debian

For this tutorial I will outline two common PAT configurations. The first is a host with a single NIC that forwards traffic from a specific subnet (its own local subnet):

We should first ensure IP forwarding is turned on in the kernel (this takes effect immediately but does not survive a reboot):

echo 1 > /proc/sys/net/ipv4/ip_forward

To make the setting persistent, edit the sysctl.conf file:

sudo vi /etc/sysctl.conf

and add:

net.ipv4.ip_forward = 1

For security we should also stop the host from sending ICMP redirects on the forwarding interface by setting:

net.ipv4.conf.eth0.send_redirects = 0

and then run the following to apply the changes:

sudo sysctl -p /etc/sysctl.conf

We should proceed by setting up masquerading (NAT) with iptables:

iptables -t nat -A POSTROUTING -o eth0 -s 172.36.0.0/16 -j MASQUERADE

* The above command appends a rule to the POSTROUTING chain of the nat table: egress packets leaving via eth0 whose source matches 172.36.0.0/16 are 'masqueraded', i.e. rewritten to carry the IP address of the router's outgoing interface.

We can review our rules with:

sudo iptables -vL -t nat

We should then save our rules so they can be restored after a reboot:

iptables-save > /etc/iptables.up.rules

Saving alone does not reload anything at boot: the file is only applied if something runs iptables-restore < /etc/iptables.up.rules during startup, for example a small script placed in /etc/network/if-pre-up.d/.

The second scenario is a host with two NICs - one facing an internal client range (10.0.0.0/24) and another acting as the outside network (60.70.80.90/28). We would like all egress traffic from a specific internal subnet to be NAT'd out from the outside interface address of 60.70.80.91.

iptables -t nat -A POSTROUTING -o eth0 -s 172.36.0.0/16 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -s 172.36.0.0/16 -o eth0 -j ACCEPT

* Where eth0 is on our EXTERNAL subnet and eth1 is on our INTERNAL network. *
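The following script is an added example and is not code from the original post. It ties the whole procedure together for the two-NIC scenario: it generates the nat and filter rules as an iptables-restore file (so they can be reviewed and syntax-checked before touching the live tables), loads them, saves them to /etc/iptables.up.rules and installs the if-pre-up.d hook that actually reloads them at boot. It follows the scenario as described in the text rather than the rule lines above: the source is 10.0.0.0/24 and the translation is SNAT to the fixed address 60.70.80.91 (the rule lines above reuse 172.36.0.0/16 and MASQUERADE from the first scenario). The FORWARD policy is set to DROP so that the two ACCEPT rules are what permits traffic; with the default ACCEPT policy they would have no effect. Variable names (EXT_IF, INT_IF, INT_NET, SNAT_IP, RULES_FILE, HOOK_FILE) and the hook path are my choices, the addresses and interface names are taken from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the two-NIC PAT
# ruleset as an iptables-restore file so it can be reviewed and tested before
# it touches the live tables, then saved and reloaded verbatim at boot.
# Interface names, the internal range and the outside address are assumptions
# taken from the post's second scenario; override them via the environment.

EXT_IF="${EXT_IF:-eth0}"              # outside interface (60.70.80.90/28 in the post)
INT_IF="${INT_IF:-eth1}"              # inside interface
INT_NET="${INT_NET:-10.0.0.0/24}"     # internal client range to be translated
SNAT_IP="${SNAT_IP:-60.70.80.91}"     # fixed outside address all egress appears from
RULES_FILE="${RULES_FILE:-/etc/iptables.up.rules}"
HOOK_FILE="${HOOK_FILE:-/etc/network/if-pre-up.d/iptables}"   # Debian ifupdown hook dir

# Emit the complete ruleset in iptables-save format.
# - SNAT --to-source gives the post's stated goal (a fixed outside address);
#   MASQUERADE would instead use whatever address EXT_IF currently holds.
# - The FORWARD policy is DROP, so the two ACCEPT rules are what actually
#   permits traffic: replies coming back in, and new flows from INT_NET only.
build_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $INT_NET -o $EXT_IF -j SNAT --to-source $SNAT_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $EXT_IF -o $INT_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
COMMIT
EOF
}

# Turn on forwarding, load the ruleset and make it survive a reboot.
# sysctl -w lasts until reboot; the post's /etc/sysctl.conf entries cover boot.
# iptables-save alone restores nothing at boot, so a pre-up hook is installed
# that runs iptables-restore from RULES_FILE before the interfaces come up.
apply_and_persist() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_and_persist: must be run as root" >&2
        return 1
    fi
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    sysctl -w "net.ipv4.conf.$EXT_IF.send_redirects=0" >/dev/null
    # --test parses and builds the ruleset without committing it to the kernel
    build_ruleset | iptables-restore --test || {
        echo "apply_and_persist: generated ruleset failed to parse" >&2
        return 1
    }
    build_ruleset | iptables-restore
    iptables-save > "$RULES_FILE"
    printf '#!/bin/sh\niptables-restore < %s\n' "$RULES_FILE" > "$HOOK_FILE"
    chmod 755 "$HOOK_FILE"
}

# With no argument just print the ruleset for review; "apply" loads it (root only).
case "${1:-show}" in
    show)  build_ruleset ;;
    apply) apply_and_persist ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to see exactly what would be loaded, then sudo ./pat.sh apply once the output looks right; sudo iptables -vL -t nat and sudo iptables -vL FORWARD afterwards should show the SNAT rule and the two FORWARD rules with a DROP policy.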
