19.7. Setting Up Network Address Translation

If you have several systems in your home or office connected by a LAN and only one Internet IP address, network address translation (NAT) can be used to give all those systems almost complete Internet access. NAT hides the addresses of all systems on the internal LAN behind the single Internet address of the gateway, rewriting addresses and ports as packets pass through it. This allows every internal system to make connections to any host on the Internet, such as web servers, DNS servers, POP3 servers, and so on. The one limitation is that internal systems cannot receive connections from other Internet hosts unless the gateway is explicitly configured to forward a port to them, which can cause protocols that expect inbound connections (such as Internet telephony and some network games) to fail.

Because of this limitation, internal systems are protected from most unsolicited connections from other hosts on the Internet, much as if you had blocked all forwarded packets arriving on the external interface. Bear in mind that this protection is a side effect of the translation rather than a deliberate filter, so it is still worth adding an explicit rule in the Packet filtering table that only lets established connections back in. NAT also makes IP address assignment easier, as there is no need to worry about running out of real Internet addresses to assign to internal hosts that do not really need them. For these reasons, it may make sense to set up NAT in your organization even if it is not strictly necessary from a networking point of view.

NAT works by modifying the source address, and where necessary the source port, of packets sent by internal hosts and routed through the firewall. The source address is always changed to the external IP address of the firewall system. The source port is kept if it is still unique on the external address and is otherwise changed to an unused port, so that each translated connection can be told apart. The kernel records every translation in its connection tracking table; when a reply packet comes back, its destination address and port are looked up there to find the original internal client IP address and port to which the packet should be forwarded.

To set up NAT, all you really need is a system with two network interfaces—one for the internal LAN, and one that is connected to the Internet via dialup, ISDN, ADSL, or cable modem. Once you have this, the steps to follow are:

1.
On the internal LAN, every system's Ethernet interface should be assigned an address on a private IP network such as 192.168.0.0/24, including the gateway system.

2.
Set the default router on all internal systems to the LAN IP address of the gateway system.

3.
Make sure that the gateway has IP forwarding enabled in the Network Configuration module under Routing and Gateways. See Chapter 16 for more information on how to do this.

4.
On the main page of the Linux Firewall module on the gateway system, select Network address translation from the list next to the Showing IPtable button. Then click the button to display chains in the NAT table.

5.
Click the Add rule button in the Packets after routing section, which will take you to the rule creation form.

6.
Set the Action to take to Masquerade.

7.
To control which ports the firewall will use for masqueraded connections, set the Source ports for masquerading option to Port range and enter starting and ending port numbers into the fields next to it. Usually just selecting Any to let the firewall use any available port will work fine.

8.
Change the Outgoing interface condition to Equals and select the external network interface from the list next to it, such as ppp0.

9.
Click the Save button at the bottom of the page to return to the list of chains and rules.

10.
Click on Apply Configuration to make the new rule (and NAT) active.

It is possible to combine NAT with rules in the Packet filtering table that block connections to the firewall host itself. If you want to stop certain internal hosts from accessing the Internet, or limit the ports to which they can connect, put those deny rules in the Packets forwarded chain of the Packet filtering table rather than in front of the masquerading rule: only the first packet of each connection passes through the NAT table, so it is not a reliable place to filter traffic.

The instructions above will work on any network that has a gateway system with a single Internet IP address. However, if your gateway's address is static it is better to select Source NAT in Step 6 instead of Masquerade. When using masquerading, any connections being forwarded by the firewall will be lost if the external network interface goes down, even if it comes back up again with the same IP address. If the external interface has a dynamically assigned address, this doesn't matter as the connections would be lost anyway. But when using a static IP address, it is possible for a connection to be maintained even through a short network outage.

To use Source NAT, in Step 6 set the Action to take to Source NAT. Then set the IPs and ports for SNAT to IP range and enter your gateway's static external IP address into the field next to it. All other steps in the NAT setup process are the same.
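The ten steps above and the Source NAT variant just described are what the Linux Firewall module writes into the iptables NAT table on your behalf. The script below is an added example, not taken from the book or from Webmin, that builds the same configuration directly with iptables so you can see exactly which rules the steps produce. It prints the rules first and applies them only on request, so the set can be reviewed before it touches a live gateway. The interface names (ppp0, eth0), the 192.168.0.0/24 network, the 203.0.113.5 static address and the 1024-65535 port range are assumptions for illustration; the explicit FORWARD rules at the end are not part of NAT itself but make the "no inbound connections" property a deliberate filter instead of a side effect.

```shell
#!/bin/sh
# Added example (not from the book): iptables equivalent of the Webmin
# NAT steps. Interface names, addresses and the port range are assumptions.

# nat_rules EXT_IF LAN_NET [STATIC_IP] [PORT_RANGE]
#   EXT_IF     external interface, e.g. ppp0 (Step 8)
#   LAN_NET    internal private network, e.g. 192.168.0.0/24 (Step 1)
#   STATIC_IP  if given, use Source NAT to this address instead of Masquerade
#   PORT_RANGE optional source-port range for translated connections (Step 7)
# Prints one shell command per line; nothing is executed here.
nat_rules() {
    nr_ext="$1"; nr_lan="$2"; nr_static="${3:-}"; nr_ports="${4:-}"

    # Step 3: the gateway must forward packets between its interfaces
    # (what the Routing and Gateways page of Network Configuration sets).
    echo "sysctl -w net.ipv4.ip_forward=1"

    # Steps 4-8: one rule in the POSTROUTING chain of the nat table
    # ("Packets after routing"), matched on the outgoing interface.
    # -s restricts translation to the LAN so stray sources are not hidden.
    if [ -n "$nr_static" ]; then
        # Static address: SNAT keeps translations across a link flap,
        # because the address is fixed in the rule rather than re-read.
        nr_rule="iptables -t nat -A POSTROUTING -o $nr_ext -s $nr_lan -j SNAT --to-source $nr_static"
        if [ -n "$nr_ports" ]; then
            nr_rule="$nr_rule:$nr_ports"
        fi
    else
        # Dynamic address: MASQUERADE re-reads the interface address on
        # every new connection and flushes translations when it goes down.
        nr_rule="iptables -t nat -A POSTROUTING -o $nr_ext -s $nr_lan -j MASQUERADE"
        if [ -n "$nr_ports" ]; then
            nr_rule="$nr_rule --to-ports $nr_ports"
        fi
    fi
    echo "$nr_rule"

    # Filter table, FORWARD chain ("Packets forwarded"): forwarded packets
    # traverse this chain before nat POSTROUTING, so this is where access
    # control belongs. LAN may go out; only replies to those connections
    # come back in; anything else arriving on the external interface is dropped.
    echo "iptables -A FORWARD -s $nr_lan -o $nr_ext -j ACCEPT"
    echo "iptables -A FORWARD -i $nr_ext -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $nr_ext -j DROP"
}

# apply_nat takes the same arguments and runs the printed commands
# (needs root). sh -e stops at the first command that fails.
apply_nat() {
    nat_rules "$@" | sh -e
}

# Usage (assumed invocation):
#   ./nat.sh print ppp0 192.168.0.0/24                      # masquerade, review only
#   ./nat.sh apply eth0 192.168.0.0/24 203.0.113.5 1024-65535  # SNAT with port range
case "${1:-}" in
    print) shift; nat_rules "$@" ;;
    apply) shift; apply_nat "$@" ;;
esac
```

Run it with `print` first and compare the output with what the Linux Firewall module shows after Apply Configuration; the POSTROUTING rule should match the one created in Steps 4 to 10 and, for the SNAT variant, carry the static address instead of the MASQUERADE target.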
