Destination NAT

Destination NAT (DNAT) is a nice feature when building netfilter firewalls. It does the exact opposite of the SNAT function by translating the destination address of a network packet into another address.

Imagine in the example in Figure 24-2 that you have a mail server on your desktop machine. If you want to give access to that machine to Internet users, you can't just tell the firewall that you want everyone to access the IP 192.168.1.3 over port 25; because this is a non-routable address, Internet users would never be able to reach it. To combat this, you can tell netfilter that any traffic destined for port 25 on the public firewall address should be redirected to the machine 192.168.1.3. Any return traffic to the initiating machine will have the source address of the firewall, making the connection routable. And as far as the initiating machine is concerned, it has no idea that the machine it is actually talking to is hidden behind a firewall and is on a non-routable address.

To create the illusion, you need to add a DNAT rule to the NAT table for the Simple Mail Transport Protocol (SMTP) service.

bible:~ # iptables -t nat -A PREROUTING -p tcp --dport smtp -i eth1 -j DNAT --to-destination 192.168.1.3

Here, iptables has been told to work on the NAT table (-t nat) by appending to the PREROUTING chain. You have stated that any TCP traffic (-p tcp) with a destination port of SMTP (25) that enters the firewall on eth1 should be destination NAT'd to 192.168.1.3.

In this case, all traffic for port 25 (SMTP) on the public network interface of the firewall will have its destination address changed to 192.168.1.3. The destination port of 25 will be untouched (though this could also be changed, as in the section "Redirecting Traffic" below).

When enabling DNAT, you have to insert the rules into the PREROUTING chain because a routing decision has to be made on the final destination of the packet. At the point where the PREROUTING chain is processed, the new destination address has not yet been written into the packet; the rule rewrites it there, and the routing of the packet to its final destination comes later, after PREROUTING.

As with SNAT, you still need to allow traffic destined for port 25 to 192.168.1.3 to be forwarded through the firewall.

bible:~ # iptables -A FORWARD -p tcp --dport 25 -d 192.168.1.3 -i eth1 -o eth0 -j ACCEPT

Here, iptables will append to the FORWARD chain, allowing through any TCP traffic that is destined for the SMTP port on 192.168.1.3, entering the firewall on eth1 and leaving on eth0.

When set, all traffic destined for port 25 on the firewall public interface is successfully forwarded to 192.168.1.3.
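As an added example (not from the book), the two rules above assembled into an iptables-restore ruleset by a small shell function. The interface names, port and address are the page's; the input checks, the default FORWARD policy of DROP and the ESTABLISHED,RELATED rule that lets the mail server's replies back out are this example's own assumptions.

```shell
#!/bin/sh
# Added example: build an iptables-save style ruleset for the SMTP
# port-forward described above (public eth1 -> 192.168.1.3:25).
# dnat_ruleset PUBLIC_IF INTERNAL_IF PORT TARGET_IP
dnat_ruleset() {
    pub_if=$1; int_if=$2; port=$3; target=$4
    # Refuse obviously bad input: port must be 1-65535, target a dotted quad.
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    case $target in
        ''|*[!0-9.]*) echo "bad address: $target" >&2; return 1 ;;
    esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the destination in PREROUTING, before the routing decision is made
-A PREROUTING -i $pub_if -p tcp --dport $port -j DNAT --to-destination $target
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Let the translated packets through to the server (assumed DROP policy)...
-A FORWARD -i $pub_if -o $int_if -p tcp -d $target --dport $port -j ACCEPT
# ...and let the replies of that connection back out (assumption, not on the page)
-A FORWARD -i $int_if -o $pub_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Usage (as root): dnat_ruleset eth1 eth0 25 192.168.1.3 | iptables-restore
```

Review the generated text first; `iptables-restore` replaces the whole nat and filter tables with what it is given.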
