Below are several examples illustrating the use of NAT.
Each example consists of one or more programs or shell commands,
designed to be executed as root.
The results are seen using Ethereal and a text editor.
Execute the commands below before beginning the tests.
    make
    ./config.sh
The forward program used below is taken from the Raw Socket Toolkit
tutorial with one change:
the UDP source and destination port are passed on the command line.
SNAT
How do you translate a single address?
- Shell commands
    ./iptablesReset.sh
    cat /proc/net/ip_conntrack
- Connection tracking table
    File does not exist.
- Shell commands
    iptables -t nat -A POSTROUTING -p udp -o tap2 -j SNAT --to-source 10.2.0.1
    cat /proc/net/ip_conntrack
- Connection tracking table
    Table is empty.
- Shell commands
    ./forward tap1 10.1.0.99:11111 10.2.0.99:22222
    cat /proc/net/ip_conntrack
- Ethereal on tap1
    10.1.0.99:11111 => 10.2.0.99:22222
- Ethereal on tap2
    10.2.0.1:11111 => 10.2.0.99:22222
- Connection tracking table
    Table entry for UDP packet: [UNREPLIED].
- Shell commands
    ./forward tap2 10.2.0.99:22222 10.2.0.1:11111
    cat /proc/net/ip_conntrack
- Ethereal on tap1
    10.1.0.99:11111 => 10.2.0.99:22222
- Ethereal on tap2
    10.1.0.99:11111 => 10.2.0.99:22222
- Connection tracking table
    Table entry for UDP packet.
How are addresses/ports allocated to multiple connections?
- Shell commands
    ./iptablesReset.sh
    iptables -t nat -A POSTROUTING -p udp -o tap2 \
        -j SNAT --to-source 10.2.0.1-10.2.0.2:33333-33334
    ./forward tap1 10.1.0.99:11111 10.2.0.99:22222
    ./forward tap1 10.1.0.99:11112 10.2.0.99:22222
    ./forward tap1 10.1.0.99:11113 10.2.0.99:22222
    ./forward tap1 10.1.0.99:11114 10.2.0.99:22222
- Ethereal on tap1
    10.1.0.99:11111 => 10.2.0.99:22222
    10.1.0.99:11112 => 10.2.0.99:22222
    10.1.0.99:11113 => 10.2.0.99:22222
    10.1.0.99:11114 => 10.2.0.99:22222
    10.1.0.99:11111 => 10.2.0.99:22222
- Ethereal on tap2
    10.2.0.2:33333 => 10.2.0.99:22222
    10.2.0.1:33333 => 10.2.0.99:22222
    10.2.0.2:33334 => 10.2.0.99:22222
    10.2.0.1:33334 => 10.2.0.99:22222
What happens if there are too many connections?
- Shell commands
    ./iptablesReset.sh
    iptables -t nat -A POSTROUTING -p udp -o tap2 -j SNAT \
        --to-source 10.2.0.1:33333
    ./forward tap1 10.1.0.99:11111 10.2.0.99:22222
    ./forward tap1 10.1.0.99:11112 10.2.0.99:22222
- Ethereal on tap1
    10.1.0.99:11111 => 10.2.0.99:22222
    10.1.0.99:11112 => 10.2.0.99:22222
- Ethereal on tap2
    10.2.0.1:11111 => 10.2.0.99:22222
DNAT
How do you translate a single address?
- Shell commands
    ./iptablesReset.sh
    cat /proc/net/ip_conntrack
- Connection tracking table
    File does not exist.
- Shell commands
    iptables -t nat -A PREROUTING -p udp -i tap1 -j DNAT --to 10.2.0.99
    cat /proc/net/ip_conntrack
- Connection tracking table
    Table is empty.
- Shell commands
    ./forward tap1 10.1.0.99:11111 10.1.0.1:22222
    cat /proc/net/ip_conntrack
- Ethereal on tap1
    10.1.0.99:11111 => 10.1.0.1:22222
- Ethereal on tap2
    10.1.0.99:11111 => 10.2.0.99:22222
- Connection tracking table
    Table entry for UDP packet: [UNREPLIED].
- Shell commands
    ./forward tap2 10.2.0.99:22222 10.1.0.99:11111
    cat /proc/net/ip_conntrack
- Ethereal on tap2
    10.2.0.99:22222 => 10.1.0.99:11111
- Ethereal on tap1
    10.1.0.1:11111 => 10.1.0.99:22222
- Connection tracking table
    Table entry for UDP packet.
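The connection tracking entries seen in the SNAT and DNAT single-address tests can be audited by comparing each entry's original tuple with its reply tuple: without NAT the reply tuple is simply the original reversed, so any mismatch shows which half was rewritten and to what. The script below is an added example, not part of this tutorial; the /proc/net/ip_conntrack lines it reads are constructed to match the two tests above, and the legacy field layout (protocol name first, tuples as src=/dst=/sport=/dport=) is assumed.

```python
import re

# Constructed sample of /proc/net/ip_conntrack (legacy layout) modelled on the SNAT/DNAT tests above.
SAMPLE_CONNTRACK = """\
udp      17 29 src=10.1.0.99 dst=10.2.0.99 sport=11111 dport=22222 [UNREPLIED] src=10.2.0.99 dst=10.2.0.1 sport=22222 dport=11111 use=1
udp      17 176 src=10.1.0.99 dst=10.1.0.1 sport=11111 dport=22222 src=10.2.0.99 dst=10.1.0.99 sport=22222 dport=11111 use=1
udp      17 25 src=10.1.0.50 dst=10.1.0.1 sport=5000 dport=53 [UNREPLIED] src=10.1.0.1 dst=10.1.0.50 sport=53 dport=5000 use=1
"""

# One conntrack tuple: addresses and ports as written in the table.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_entry(line):
    """Split one conntrack line into protocol, original tuple and reply tuple."""
    fields = line.split()
    # /proc/net/nf_conntrack prefixes "ipv4 2"; the legacy file starts with the protocol.
    proto = next((f for f in fields if f in ("tcp", "udp", "icmp", "sctp")), fields[0])
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple: " + line)
    orig, reply = (dict(src=t[0], dst=t[1], sport=int(t[2]), dport=int(t[3])) for t in tuples)
    return {"proto": proto, "unreplied": "[UNREPLIED]" in fields, "orig": orig, "reply": reply}

def classify_nat(entry):
    """Name the translation an entry records. Without NAT the reply tuple is the
    original reversed, so any mismatch tells us which half was rewritten."""
    o, r = entry["orig"], entry["reply"]
    kinds = []
    if (r["dst"], r["dport"]) != (o["src"], o["sport"]):   # source was rewritten
        kinds.append("SNAT -> %s:%d" % (r["dst"], r["dport"]))
    if (r["src"], r["sport"]) != (o["dst"], o["dport"]):   # destination was rewritten
        kinds.append("DNAT -> %s:%d" % (r["src"], r["sport"]))
    return kinds or ["no NAT"]

def audit(text):
    """Return (proto, original flow, translations, unreplied) for every entry."""
    report = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        o = e["orig"]
        flow = "%s:%d => %s:%d" % (o["src"], o["sport"], o["dst"], o["dport"])
        report.append((e["proto"], flow, classify_nat(e), e["unreplied"]))
    return report

if __name__ == "__main__":
    for proto, flow, kinds, unreplied in audit(SAMPLE_CONNTRACK):
        state = "[UNREPLIED]" if unreplied else "replied"
        print("%-4s %-38s %-28s %s" % (proto, flow, ", ".join(kinds), state))
```

Running it against the real file (`python3 audit.py < /proc/net/ip_conntrack` after swapping the sample for `sys.stdin.read()`) lists every live mapping and its [UNREPLIED] state, which is the same information the tests above read by hand.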
How are addresses/ports allocated to multiple connections?
- Shell commands
    ./iptablesReset.sh
    iptables -t nat -A PREROUTING -p udp -i tap1 \
        -j DNAT --to 10.2.0.98-10.2.0.99:33333-33334
    ./forward tap1 10.1.0.99:11111 10.1.0.1:22222
    ./forward tap1 10.1.0.99:11112 10.1.0.1:22222
    ./forward tap1 10.1.0.99:11113 10.1.0.1:22222
    ./forward tap1 10.1.0.99:11114 10.1.0.1:22222
- Ethereal on tap1
    10.1.0.99:11111 => 10.1.0.1:22222
    10.1.0.99:11112 => 10.1.0.1:22222
    10.1.0.99:11113 => 10.1.0.1:22222
    10.1.0.99:11114 => 10.1.0.1:22222
- Ethereal on tap2
    10.1.0.99:11111 => 10.2.0.99:33333
    10.1.0.99:11112 => 10.2.0.98:33333
    10.1.0.99:11113 => 10.2.0.99:33334
    10.1.0.99:11114 => 10.2.0.98:33334
What happens if there are too many connections?
- Shell commands
    ./iptablesReset.sh
    iptables -t nat -A PREROUTING -p udp -i tap1 -j DNAT \
        --to 10.2.0.99:33333-33333
    ./forward tap1 10.1.0.99:11111 10.1.0.1:22222
    ./forward tap1 10.1.0.99:11111 10.1.0.1:22223
- Ethereal on tap1
    10.1.0.99:11111 => 10.1.0.1:22222
    10.1.0.99:11111 => 10.1.0.1:22223
- Ethereal on tap2
    10.1.0.99:11111 => 10.2.0.99:33333