* IPTables and different types of NAT
@ 2007-02-07 15:49 Pedro Gonçalves
  2007-02-07 16:19 ` Grant Taylor
  0 siblings, 1 reply; 8+ messages in thread
From: Pedro Gonçalves @ 2007-02-07 15:49 UTC (permalink / raw)
  To: netfilter

Hi

I want to know if it is possible to use IPTables to implement
-Full Cone NAT
-Restricted Cone NAT
-Port Restricted Cone NAT
-Symmetric NAT

If  so, where can I find information about how to implement each type of
NAT?

Regards
Pedro




* Re: IPTables and different types of NAT
  2007-02-07 15:49 IPTables and different types of NAT Pedro Gonçalves
@ 2007-02-07 16:19 ` Grant Taylor
  2007-02-07 18:10   ` Pascal Hambourg
  0 siblings, 1 reply; 8+ messages in thread
From: Grant Taylor @ 2007-02-07 16:19 UTC (permalink / raw)
  To: Mail List - Netfilter

Pedro Gonçalves wrote:
> I want to know if it is possible to use IPTables to implement
> -Full Cone NAT
> -Restricted Cone NAT
> -Port Restricted Cone NAT
> -Symmetric NAT

I see no reason why it would not be possible.  However, such 
distinctions are usually not made.  The "default" (if you will) NAT that 
is used on most SOHO Linux routers would be considered "Restricted Cone 
NAT" in that external hosts can not connect to internal hosts unless 
the internal host has contacted the external host first.

"Full Cone Nat" could easily be implemented with inbound redirection to 
the internal system.

"Port Restricted Cone NAT" is nothing more than "Restricted Cone NAT" 
with port filtering.  This is what is usually done if you have a server 
behind a NATing router / firewall.  In this case, you only port forward 
the ports that you need.

I'm not sure if there is inherent support for "Symmetric NAT" or not. 
I'm sure that support could be added for this if it does not exist.

> If  so, where can I find information about how to implement each type of
> NAT?

I just did a quick Google for what the various types of NAT mean and ran 
across this:  http://en.wikipedia.org/wiki/Network_address_translation

As far as information on how to do it, all but "Symmetric NAT" can be 
very simply done with basic IPTables SOHO style NATing.



Grant. . . .



* Re: IPTables and different types of NAT
  2007-02-07 16:19 ` Grant Taylor
@ 2007-02-07 18:10   ` Pascal Hambourg
  2007-02-07 18:23     ` Pedro Gonçalves
  2007-02-07 19:01     ` Grant Taylor
  0 siblings, 2 replies; 8+ messages in thread
From: Pascal Hambourg @ 2007-02-07 18:10 UTC (permalink / raw)
  To: Mail List - Netfilter

Hello,

Grant Taylor wrote:
> Pedro Gonçalves wrote:
> 
>> I want to know if it is possible to use IPTables to implement
>> -Full Cone NAT
>> -Restricted Cone NAT
>> -Port Restricted Cone NAT
>> -Symmetric NAT
> 
> I see no reason why it would not be possible.

The reason is Netfilter/iptables performs UDP NAT on a per-connection 
basis (connection = source address, source port, destination address, 
destination port).

> "Full Cone Nat" could easily be implemented with inbound redirection to 
> the internal system.

"Full cone NAT" can be implemented with 1-to-1 bidirectional NAT using 
SNAT+DNAT or NETMAP.

> "Port Restricted Cone NAT" is nothing more than "Restricted Cone NAT" 
> with port filtering.  This is what is usually done if you have a server 
> behind a NATing router / firewall.  In this case, you only port forward 
> the ports that you need.

No. Please read more carefully the definitions of "restricted cone NAT" 
and "port restricted cone NAT". Neither can be implemented with iptables 
because they do not fit in the per-connection model.

> I'm not sure if there is inherent support for "Symmetric NAT" or not. 

"Symmetric NAT" works on a per-connection basis and is the NAT form that 
is the easiest to implement with iptables using SNAT or MASQUERADE.
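
As an added example (not rules posted in this thread), the two forms Pascal says fit netfilter's per-connection model, written as POSIX shell functions: full cone as 1-to-1 bidirectional NETMAP (with the equivalent SNAT+DNAT pair in comments) and symmetric-style NAT as SNAT to a range, each with the FORWARD filtering a defender would pair with it. The interface names, 192.168.1.0/24, the 203.0.113.x addresses and the port list are constructed placeholders.

```shell
#!/bin/sh
# Added example, not rules from this thread. Interface names, 192.168.1.0/24,
# the 203.0.113.x addresses and the port list are constructed placeholders.
set -eu

WAN=eth0                 # assumed external interface
LAN=eth1                 # assumed internal interface
LAN_NET=192.168.1.0/24   # assumed internal network

# Full cone as 1-to-1 bidirectional NAT: anything sent to PUB reaches PRIV and
# anything from PRIV leaves as PUB, whatever the remote address or port.
# NETMAP on a /32 is the same mapping as the DNAT+SNAT pair shown in comments.
full_cone_1to1() {
    pub="$1"; priv="$2"; allowed_tcp="${3:-}"
    iptables -t nat -A PREROUTING  -i "$WAN" -d "$pub"  -j NETMAP --to "$priv/32"
    iptables -t nat -A POSTROUTING -o "$WAN" -s "$priv" -j NETMAP --to "$pub/32"
    #   iptables -t nat -A PREROUTING  -i $WAN -d $pub  -j DNAT --to-destination $priv
    #   iptables -t nat -A POSTROUTING -o $WAN -s $priv -j SNAT --to-source $pub
    # The mapping itself lets every external host reach PRIV, so the filter
    # table decides what actually gets through: replies, the listed TCP ports,
    # and nothing else.
    iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$priv" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $(printf '%s' "$allowed_tcp" | tr ',' ' '); do
        iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$priv" -p tcp --dport "$p" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$priv" -j DROP
}

# Symmetric-style NAT: conntrack creates one mapping per (src ip, src port,
# dst ip, dst port) tuple and only packets matching an existing entry are let
# back in. SNAT to a range gives the "many external IPs" form; substitute
# "-j MASQUERADE" when the uplink address is dynamic (it uses the interface IP).
symmetric_many_to_many() {
    pool="$1"   # e.g. 203.0.113.10-203.0.113.20
    iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j SNAT --to-source "$pool"
    iptables -A FORWARD -i "$WAN" -o "$LAN" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate NEW,INVALID -j DROP
}

# "sh nat.sh apply" (as root) installs both rule sets; otherwise only defines them.
case "${1:-}" in
    apply) full_cone_1to1 203.0.113.5 192.168.1.10 22,443
           symmetric_many_to_many 203.0.113.10-203.0.113.20 ;;
esac
```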



* Re: IPTables and different types of NAT
  2007-02-07 18:10   ` Pascal Hambourg
@ 2007-02-07 18:23     ` Pedro Gonçalves
  2007-02-07 19:01     ` Grant Taylor
  1 sibling, 0 replies; 8+ messages in thread
From: Pedro Gonçalves @ 2007-02-07 18:23 UTC (permalink / raw)
  To: Pascal Hambourg; +Cc: Mail List - Netfilter

Pascal Hambourg wrote:
>> "Full Cone Nat" could easily be implemented with inbound redirection 
>> to the internal system.
>
> "Full cone NAT" can be implemented with 1-to-1 bidirectional NAT using 
> SNAT+DNAT or NETMAP.
>
>> "Port Restricted Cone NAT" is nothing more than "Restricted Cone NAT" 
>> with port filtering.  This is what is usually done if you have a 
>> server behind a NATing router / firewall.  In this case, you only 
>> port forward the ports that you need.
>
> No. Please read more carefully the definitions of "restricted cone 
> NAT" and "port restricted cone NAT". Neither can be implemented with 
> iptables because they do not fit in the per-connection model.
>
>> I'm not sure if there is inherent support for "Symmetric NAT" or not. 
>
> "Symmetric NAT" works on a per-connection basis and is the NAT form 
> that is the easiest to implement with iptables using SNAT or MASQUERADE.

This is the main reason why I am asking: some people say it is possible 
to implement all these types of NAT, some say it's not.

Pascal, can you tell me where can I find information regarding the 
implementation of "Full Cone NAT" and "Symmetric NAT" using IPTables?
All I can find is discussions about whether it is possible or not to 
implement this.

Thanks a lot
Pedro




* Re: IPTables and different types of NAT
  2007-02-07 18:10   ` Pascal Hambourg
  2007-02-07 18:23     ` Pedro Gonçalves
@ 2007-02-07 19:01     ` Grant Taylor
  2007-02-08 14:47       ` Fwd: " Pedro Gonçalves
  1 sibling, 1 reply; 8+ messages in thread
From: Grant Taylor @ 2007-02-07 19:01 UTC (permalink / raw)
  To: Mail List - Netfilter

Pascal Hambourg wrote:
> No. Please read more carefully the definitions of "restricted cone NAT" 
> and "port restricted cone NAT". Neither can be implemented with iptables 
> because they do not fit in the per-connection model.

"""With restricted cone NAT, all requests from the same internal IP 
address and port are mapped to the same external IP address and port. 
Unlike a full cone NAT, an external host can send a packet to the 
internal host only if the internal host had previously sent a packet to 
it."""

"""Port restricted cone NAT or symmetric NAT is like a restricted cone 
NAT, but the restriction includes port numbers. Specifically, an 
external host can send a packet to a particular port on the internal 
host only if the internal host had previously sent a packet from that 
port to the external host."""

The only other thing that comes to mind is that IPTables by itself 
does not by default filter based on connection(s) and / or state. 
However, there are match extensions that can be used to augment a basic 
IPTables rule to do just that.  I.e.  CONNMARK in conjunction with MARK.

> "Symmetric NAT" works on a per-connection basis and is the NAT form that 
> is the easiest to implement with iptables using SNAT or MASQUERADE.

I understood Symmetric NAT to be a form of "one to many" or "many to 
many" NATing.  The key part being the "... to many" in where multiple 
external IPs would be used.  I know that it is possible (though I have 
not done it) to specify a range to SNAT traffic with IPTables to a range 
of IP addresses.  I was not aware that MASQUERADE would do the same 
thing.  I was under the impression that MASQUERADE used the single IP on 
an interface as the IP to SNAT traffic to.



Grant. . . .



* Fwd: IPTables and different types of NAT
  2007-02-07 19:01     ` Grant Taylor
@ 2007-02-08 14:47       ` Pedro Gonçalves
  2007-02-08 15:05         ` John A. Sullivan III
       [not found]         ` <da3a2a260702081118h69944d01g329cf1ae2ac63298@mail.gmail.com>
  0 siblings, 2 replies; 8+ messages in thread
From: Pedro Gonçalves @ 2007-02-08 14:47 UTC (permalink / raw)
  To: netfilter

I still don't have a clear answer whether it is possible or not to 
implement all types of NAT.

So, has anyone implemented *any* kind of NAT?
If so, how have you done it?

Best Regards
Pedro


---------- Forwarded message ----------
From: *Grant Taylor* <gtaylor@riverviewtech.net 
<mailto:gtaylor@riverviewtech.net>>
Date: Feb 7, 2007 7:01 PM
Subject: Re: IPTables and different types of NAT
To: Mail List - Netfilter <netfilter@lists.netfilter.org 
<mailto:netfilter@lists.netfilter.org>>





* Re: Fwd: IPTables and different types of NAT
  2007-02-08 14:47       ` Fwd: " Pedro Gonçalves
@ 2007-02-08 15:05         ` John A. Sullivan III
       [not found]         ` <da3a2a260702081118h69944d01g329cf1ae2ac63298@mail.gmail.com>
  1 sibling, 0 replies; 8+ messages in thread
From: John A. Sullivan III @ 2007-02-08 15:05 UTC (permalink / raw)
  To: Pedro Gonçalves; +Cc: netfilter

When we started automating the creation of NAT rules in the ISCS open
source network security management framework
(http://iscs.sourceforge.net), we were quickly amazed at how complicated
it is once one steps away from the most basic forms.

Ultimately, we did automate the creation of SNAT, DNAT and NETMAP rules
for one-to-one, many-to-one, one-to-many, some-to-many, many-to-some,
overlapping and nested NAT using something we called the "sliding
marble" algorithm.

We did separate access control from NAT so that we could preserve the
highly granular and modular access control rules created by ISCS and
simply integrate it with NAT.  It was a daunting task that set us back
three months but it all works.

The algorithms and logic are all in the development docs in the ISCS CVS
or, if you just want the end result, that part of ISCS is fully
functional and ready for at least beta use.

So, yes, we have done some very complicated NAT setups but have also
separated access control from NAT - John


-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com




* Re: IPTables and different types of NAT
       [not found]             ` <da3a2a260702090827pab52a51kcf71452c85c81fb@mail.gmail.com>
@ 2007-02-09 16:37               ` Pedro Gonçalves
  0 siblings, 0 replies; 8+ messages in thread
From: Pedro Gonçalves @ 2007-02-09 16:37 UTC (permalink / raw)
  To: James Shewey, Mail List - Netfilter

James Shewey wrote:
> IPtables is capable of doing both types of nat listed on wikipedia
> using snat, dnat and masquerading. I implemented both at one point or
> another.
OK, but did you do it by yourself or did you get some information from 
some resource?
I think that someone must already have implemented the types of NAT I need:
-Full Cone NAT
-Restricted Cone NAT
-Port Restricted Cone NAT
-Symmetric NAT

I just don't want to re-invent the wheel, that's why I'm asking if 
somebody is willing to share IPTables rules which implement the kinds of 
NAT mentioned above.

Best regards
Pedro


