Nad710 Network Address Translation

Network Address Translation
Published on: Mar 3, 2016
Published in: Technology      
Source: www.slideshare.net


Transcripts - Nad710 Network Address Translation

  • 1. NAD710 - Introduction to Networks Using Linux   Network Address Translation May 28, 2003 Professor Tom Mavroidis
  • 2. Introduction
    The IP Internet has had two most significant problems:
    - IP address depletion
    - Scaling in routing
    Two types of solutions were proposed: short-term and long-term. The first short-term solution was CIDR (Classless Inter-Domain Routing).
  • 3. Proposals
    The long-term solutions consist of various proposals for new Internet protocols with larger addresses (IPv6). When CIDR could no longer keep the IP Internet growing, another proposal came along: NAT. NAT is not a very far-reaching or long-term solution, but it is very fast to deploy, buys time until better solutions are designed, and is almost independent of the outer networks.
  • 4. When is a NAT Solution Required?
    - You have an intranet with non-routable (private) addresses.
    - You require only a limited number of IP addresses for inbound connectivity, or have a limited number of globally unique IP addresses from your ISP.
    - You want the addresses within a stub domain to be reusable by other stub domains.
    - You prefer not to use proxy servers but would rather have a more general address domain.
    - You do not want to pay your ISP more just for outbound connectivity.
  • 5. What is NAT?
    NAT is the translation of either a subset or all of the IP addresses in a stub domain to globally unique address(es). From an operational point of view it is a function imposed on a router: the router on the border of the domain is configured as a Network Address Translator.
  • 6. Three Main Implementations
    - Static address translation: m:n translation, m,n >= 1 and m = n
    - Dynamic address translation: m:n translation, m >= 1 and m >= n
    - IP masquerading: m:n translation, m >= 1 and n = 1
    Where m = number of IPs to be translated and n = number of IPs available for translation.
  • 7. The RFCs are as follows
    RFC 1631 (The IP Network Address Translator) and RFC 2694 (DNS extensions to Network Address Translators) cover:
    - Basic definitions
    - Address spaces
    - Routing across NAT
    - Header and checksum manipulations
    - DNS extensions to NAT
    - Private networks with/without DNS servers
    - Incoming and outgoing name lookup queries
  • 8. IP chains implementation
    - Three permanent chains: input, forward, output.
    - Custom chains can be added.
    - The order of rules within a chain is important: the first matching rule wins.
    - Basic communication rules and connectivity must be preserved (the ICMP group of messages is vital, e.g. for error reporting and path MTU discovery).
    - Special care must be taken for protocols that use more than one connection or port (ftp, irc, realaudio, etc.); they need the kernel's masquerading helper modules.
    - Logging must be limited and maintained so that log floods cannot fill the disk.
    - Originated in the 2.1.102 development kernel and is the standard firewall code in 2.2.x.
  • 9. IP chains flow of events
    Inbound packet -> checksum check (a malformed packet is discarded as garbage) -> input chain (deny/reject, or accept) -> routing decision. A packet with a local destination is delivered to the local process; a packet to be forwarded goes through the forward chain (deny/reject, or accept) and then the output chain (deny/reject, or accept) before it leaves as an outbound packet. Packets generated by local processes enter at the output chain.
  • 10. To get this thing going
    Enable IP forwarding in the kernel. Execute:
        echo "1" > /proc/sys/net/ipv4/ip_forward
    Or make it permanent (persistent between boots) by setting IP_FORWARD="yes" in the /etc/sysconfig/sysctl file (SuSE). This gives basic router functionality.
    Use /sbin/ipchains-save > afilename to save the rules and /sbin/ipchains-restore < afilename to restore them.
  • 11. IP chains syntax
    ipchains -[flags] [input | output | forward | custom_chain] [options] [action]
    ipchains -M [-L | -S] [options]   (-M -L lists the masqueraded connections, -M -S sets the masquerading timeouts)
    A very simple example with IP masquerading: a router with NAT, eth1 = 10.1.1.1 on the internal net 10.0.0.0, eth0 = 202.7.1.19 towards the Internet.
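The rules for the masquerading example above, as an added example that is not part of the original slides. It assumes the slide's topology (eth0 = 202.7.1.19 towards the Internet, the internal net 10.0.0.0/8 behind eth1) and a 2.2.x kernel with ipchains; the DRY_RUN switch, the `run` wrapper and the file name /etc/ipchains.rules are choices made here, not anything on the slide. It also folds in the ip_forward step from slide 10.

```shell
#!/bin/sh
# Added example (not from the slides): ipchains IP masquerading for the
# slide's topology: eth0 = 202.7.1.19 (Internet), eth1 = 10.1.1.1,
# internal network 10.0.0.0/8.  Needs a 2.2.x kernel with ipchains.
# DRY_RUN=1 (the default) prints the commands instead of executing them;
# run as root with DRY_RUN=0 to apply them.
DRY_RUN=${DRY_RUN:-1}
EXT_IF=eth0             # interface facing the Internet
INT_NET=10.0.0.0/8      # private addresses to be masqueraded (m:1, n = 1)
RULES_FILE=${RULES_FILE:-/etc/ipchains.rules}   # assumed location

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1 (slide 10): the box must route before it can translate.
enable_forwarding() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# Step 2 (slide 11): masquerading rules.  In the forward chain -i names the
# interface the packet will LEAVE on, so this rewrites only traffic that is
# going out to the Internet, and the default policy forwards nothing else.
masq_rules() {
    run ipchains -F forward                 # start from an empty chain
    run ipchains -P forward DENY            # forward nothing by default
    run ipchains -A forward -i "$EXT_IF" -s "$INT_NET" -j MASQ
    # Multi-connection protocols (slide 8) need the masquerading helpers so
    # that their secondary connections are translated as well.
    run modprobe ip_masq_ftp
    run modprobe ip_masq_irc
}

# Step 3 (slide 10): persist the rules; ipchains-save writes all chains to stdout.
save_rules() {
    run sh -c "ipchains-save > ${1:-$RULES_FILE}"
}

# Inspect the live masquerading table (ipchains -M -L, numeric output).
show_masq_connections() {
    run ipchains -M -L -n
}

# sh masq.sh run    -> execute the whole procedure (DRY_RUN=0 to really apply)
if [ "${1:-}" = run ]; then
    enable_forwarding
    masq_rules
    save_rules
fi
```

Replies to masqueraded connections are demasqueraded by the kernel before the forward chain is consulted, so the DENY policy does not block them; anything that is not a reply to an internal host is dropped, which is the behaviour a border router should have by default.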
  • 12. IP tables with Netfilter
    - Built into the kernel
    - Three tables: filter, nat, mangle
    - Eight chains across the three tables:
      filter/INPUT, filter/FORWARD, filter/OUTPUT
      nat/PREROUTING, nat/OUTPUT, nat/POSTROUTING
      mangle/PREROUTING, mangle/OUTPUT
    - Connection tracking
    - Higher-level abstraction and built-in functionality for NAT
    - Kernel 2.4.x or higher
  • 13. Filter table
    Three built-in chains: INPUT, FORWARD, OUTPUT. An inbound packet goes through the routing decision and then traverses either the INPUT chain (destined for a local process) or the FORWARD chain (to be routed on); a packet generated by a local process traverses the OUTPUT chain before it leaves.
  • 14. nat table
    Three built-in chains: PREROUTING, OUTPUT, POSTROUTING. An inbound packet traverses PREROUTING before the routing decision (destination translation) and POSTROUTING after it, as it leaves (source translation); a packet generated by a local process traverses OUTPUT (destination translation) and then POSTROUTING.
  • 15. mangle table
    Two built-in chains: PREROUTING, OUTPUT (early 2.4 kernels; from 2.4.18 on the mangle table also has INPUT, FORWARD and POSTROUTING). An inbound packet traverses PREROUTING before the routing decision; a packet generated by a local process traverses OUTPUT.
  • 16. IP tables syntax
    iptables -[flags] [chain] [options [extensions]] [action]
    Syntax and examples: a very simple example with static IP translation: a router with NAT, eth1 = 10.1.1.1 on the internal net 10.0.0.0/8, eth0 = 202.7.1.19 towards the Internet, with a www server at 10.1.1.4 and an ftp server at 10.1.1.5.
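The netfilter version of the static-translation example above, as an added example that is not part of the original slides; it also maps the three translation kinds of slide 6 onto iptables targets. It assumes the slide's topology (eth0 = 202.7.1.19, eth1 = 10.1.1.1, internal net 10.0.0.0/8, www at 10.1.1.4, ftp at 10.1.1.5) and a 2.4 or later kernel; the public address pool 202.7.1.20-202.7.1.23 used by the dynamic variant, the DRY_RUN switch and the `run` wrapper are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the slides): iptables/netfilter NAT for the slide's
# topology: eth0 = 202.7.1.19 (Internet), eth1 = 10.1.1.1, internal net
# 10.0.0.0/8, www server 10.1.1.4, ftp server 10.1.1.5.  Kernel 2.4 or later.
# The pool 202.7.1.20-202.7.1.23 for the dynamic variant is an assumption;
# those addresses would have to be routed to this box (e.g. as aliases on eth0).
# DRY_RUN=1 (the default) prints the commands; run as root with DRY_RUN=0 to apply.
DRY_RUN=${DRY_RUN:-1}
EXT_IF=eth0; EXT_IP=202.7.1.19
INT_IF=eth1; INT_NET=10.0.0.0/8
WWW=10.1.1.4; FTP=10.1.1.5
POOL=202.7.1.20-202.7.1.23

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

reset_tables() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    run iptables -t nat -F
    run iptables -F
    run iptables -P FORWARD DROP      # a nat rule translates, it does not permit
}

# Static translation in the slide's sense: a fixed public address:port always
# maps to the same internal server.  Done in nat/PREROUTING, i.e. before the
# routing decision, so the rewritten packet is then routed to the server.
static_inbound() {
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 80 -j DNAT --to-destination "$WWW"
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 21 -j DNAT --to-destination "$FTP"
}

# Outbound translation in nat/POSTROUTING (after routing, as the packet leaves).
# The two remaining kinds from slide 6:
#   masq    - every internal host shares the interface address (n = 1)
#   dynamic - sources are drawn from a pool of public addresses (m >= n)
outbound() {
    case "${1:-masq}" in
        masq)    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE ;;
        dynamic) run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j SNAT --to-source "$POOL" ;;
        *)       echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# The filter table still decides what may cross.  Connection tracking lets
# replies and RELATED connections (the FTP data connection, once the helper is
# loaded) through without opening extra ports from the outside.
forward_policy() {
    run modprobe ip_conntrack_ftp         # 2.4 name; nf_conntrack_ftp on current kernels
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
    # DNAT already happened in PREROUTING, so FORWARD sees the internal address.
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$WWW" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$FTP" -p tcp --dport 21 -m state --state NEW -j ACCEPT
}

configure() {        # mode: masq (default) or dynamic
    reset_tables
    static_inbound
    outbound "${1:-masq}"
    forward_policy
}

# sh nat.sh run [masq|dynamic]   (DRY_RUN=0 as root to really load the rules)
if [ "${1:-}" = run ]; then configure "${2:-masq}"; fi
```

The order of the two halves matters for the security of the result: the nat table only rewrites addresses, and with an ACCEPT policy on FORWARD every port-forwarded or masqueraded packet would be let through regardless of the filter rules. Setting the FORWARD policy to DROP first and then admitting only the tracked replies, the outbound internal traffic and the two published services is what turns address translation into a firewall.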
  • 17. Lab topology: two segments, 192.168.0.0/24 and 192.168.1.0/24, one on a 100 Mb/s switch and the other on a 10 Mb/s repeater, joined by a router running SuSE 8.0. Hosts run RedHat 6.2 and Windows 98. Addresses shown: 192.168.0.1, 192.168.0.14, 192.168.0.16, 192.168.1.13, 192.168.1.15, 192.168.1.16.
  • 18. The same lab with NAT: the SuSE 8.0 router runs NAT, and a Windows 98 host with NAT reaches the internet over a ppp link. Additional addresses shown: 192.168.0.13, 192.168.0.15.
  • 19. Why – Why not?
    Why:
    - Good short-term solution
    - Can be installed incrementally; only a few changes are needed
    - No special infrastructure needed
    - Economical solution
    Why not:
    - The translator becomes a chokepoint: unexpected, unstable traffic load and bandwidth constraints
    - The more addresses are translated, the higher the probability of mis-addressing
    - Does not fit certain applications (those that carry addresses in their payload or use several connections, such as ftp and irc)
    - The identity of hosts is screened (may be a plus or a minus)
    - DNS incompatibility issues
  • 20. Bibliography
    - Presentation submission by Haulk Madenciaglu
    - Computer Bits, August 1997, Vol. 7 No. 8
    - Network Address Translation, by Ted Mittelstaedt
    - RFC 1631, The IP Network Address Translator (NAT), by K. Egevang and P. Francis
    - RFC 2694, DNS extensions to Network Address Translators (DNS_ALG), by P. Srisuresh, G. Tsirtsis, P. Akkiraju and A. Heffernan
    - IP NAT, by Michael Hasenstein, 1997, http://www.suse.de/~mha/HyperNews/get/linux-ip-nat.html
    - Linux TCP/IP Network Administration, by S. Mann, 2002, PHI
