# How to use iptables for implementing different types of NAT

## RaMs39

Hi 

If anybody has worked on iptables, please help me in implementing each type of NAT 

-Full Cone NAT 

-Restricted Cone NAT 

-Port Restricted Cone NAT 

-Symmetric NAT 

using IPTables. 

Explanation:

• Full Cone: A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address. 

• Restricted Cone: A restricted cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Unlike a full cone NAT, an external host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X. 

• Port Restricted Cone: A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P. 

• Symmetric: A symmetric NAT is one where all requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host. 

On the netfilter mailing list, Pedro Gonçalves suggested the following: 

192.168.2.170 is the "public" address and 10.0.0.1 is the "private" address

*"Full Cone NAT", with the following rules:*

```
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.170
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 10.0.0.1
```

*"Port Restricted Cone NAT", with just a single rule:*

```
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.170
```

 

Please help me in implementing other NAT types.

Thanks in advance, 

RaMs

----------

## erik258

I think the Wikipedia page makes those distinctions a little clearer: 

http://en.wikipedia.org/wiki/Network_address_translation#Types_of_NAT

I will be working on these definitions, which I take to be equivalent to yours.  

I disagree with Pedro Gonçalves's rules.  In the Full Cone NAT rules he provides, he doesn't match ports, and so it seems as though all traffic coming in on eth0 would be forwarded through to 10.0.0.1 and all traffic leaving eth0 would be SNAT sourced from 192.168.2.170, regardless of port.  The specifications specifically mention a particular port.  

I also expanded on Pedro Gonçalves's naming convention by adding interface names and host names: 

Public, 192.168.2.170, $EXTIF, router.network

Private, 10.0.0.1, $INTIF, inner.network

Port is $P in all cases (although it wouldn't have to be).  

The way I comprehend the question, a port number $P is given and must be a part of the rules.   

I don't think these rules are perfect; I'm the least sure about the restricted cones.  Nevertheless I think it will move you in the right direction.  

Full cone NAT

This covers outgoing traffic, which should be rewritten to appear to come from router.network:$P. One rule each for TCP and UDP.

```
# SNAT keeps the original source port ($P) when it is free on the public address,
# so outgoing traffic from inner.network:$P appears to come from router.network:$P
iptables -t nat -A POSTROUTING -o $EXTIF -p tcp --sport $P -j SNAT --to-source 192.168.2.170
iptables -t nat -A POSTROUTING -o $EXTIF -p udp --sport $P -j SNAT --to-source 192.168.2.170
```

Now we need the reverse direction: incoming traffic on $P is forwarded to 10.0.0.1.

```
# DNAT without a port keeps the destination port ($P), so router.network:$P -> inner.network:$P
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport $P -j DNAT --to-destination 10.0.0.1
iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport $P -j DNAT --to-destination 10.0.0.1
```

[Address] Restricted Cone NAT

Here we reject incoming packets that aren't already established. First we need the rules above. Then we need an INPUT rule that will match incoming connections on $EXTIF:$P and accept only those which are connected already. Thus the connection must be instigated by inner.network. 

```
# previous rules (nat table, from the full cone section)
iptables -t nat -A POSTROUTING -o $EXTIF -p tcp --sport $P -j SNAT --to-source 192.168.2.170
iptables -t nat -A POSTROUTING -o $EXTIF -p udp --sport $P -j SNAT --to-source 192.168.2.170
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport $P -j DNAT --to-destination 10.0.0.1
iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport $P -j DNAT --to-destination 10.0.0.1

# filter rules to drop, rather than forward, new connections.
# Packets DNATed to 10.0.0.1 are routed onward, so they traverse the FORWARD chain
# (INPUT only sees packets addressed to the router itself). The destination port is
# still $P after DNAT, so --dport $P keeps matching here.

# accept already established connections (only necessary if the chain policy is not ACCEPT)
iptables -A FORWARD -i $EXTIF -p tcp --dport $P -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTIF -p udp --dport $P -m state --state ESTABLISHED,RELATED -j ACCEPT

# now rules to drop the packets otherwise (only necessary if the chain policy is not DROP)
iptables -A FORWARD -i $EXTIF -p tcp --dport $P -m state --state NEW -j DROP
iptables -A FORWARD -i $EXTIF -p udp --dport $P -m state --state NEW -j DROP
```

Port Restricted Cone NAT

This is the same as the above, except we also check the source port on the INPUT chain.

```
# previous rules (nat table, from the full cone section)
iptables -t nat -A POSTROUTING -o $EXTIF -p tcp --sport $P -j SNAT --to-source 192.168.2.170
iptables -t nat -A POSTROUTING -o $EXTIF -p udp --sport $P -j SNAT --to-source 192.168.2.170
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport $P -j DNAT --to-destination 10.0.0.1
iptables -t nat -A PREROUTING -i $EXTIF -p udp --dport $P -j DNAT --to-destination 10.0.0.1

# filter rules to drop, rather than forward, new connections.
# As above, DNATed packets traverse FORWARD, not INPUT; the only difference from the
# address restricted case is the extra --sport match on the ACCEPT rules.

# accept already established connections (only necessary if the chain policy is not ACCEPT)
iptables -A FORWARD -i $EXTIF -p tcp --sport $P --dport $P -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTIF -p udp --sport $P --dport $P -m state --state ESTABLISHED,RELATED -j ACCEPT

# now rules to drop the packets otherwise (only necessary if the chain policy is not DROP)
iptables -A FORWARD -i $EXTIF -p tcp --dport $P -m state --state NEW -j DROP
iptables -A FORWARD -i $EXTIF -p udp --dport $P -m state --state NEW -j DROP
```

Symmetric NAT

It seems that this could be called 'Full Nat' or 'Masquerading'.  New connections are never forwarded through router.network to inner.network, but new connections are dynamically mapped to ports on $EXTIF.  This is pretty complicated, but the iptables rule is very easy. 

```
# no other rules are required for this. MASQUERADE takes the source address
# from $EXTIF at packet time, so no --to-source is given.
iptables -t nat -I POSTROUTING -s 10.0.0.1 -o $EXTIF -j MASQUERADE
```
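The four definitions in the question, and the rule sets above, are easiest to compare when the behaviours are written down as code. The following is an added example, not code from the thread or from netfilter: it models each NAT type as an RFC 4787 mapping behaviour plus a filtering behaviour, and then runs the RFC 3489 STUN test sequence (binding to one server, a reply from a different IP and port, a binding to a second server, a reply from the same IP on a different port) against the model to recover the type. The STUN server addresses 203.0.113.10 and 203.0.113.11 and the ports are constructed for the example; the public and private addresses are the thread's own. The same probe logic, run with a real STUN client from behind the router, is the check you would use to see which type a given iptables rule set actually produces.

```python
# Added example (not code from the thread): the four NAT types expressed as
# RFC 4787 mapping/filtering behaviours, plus an RFC 3489 style probe that
# classifies an unknown NAT. 203.0.113.x addresses are constructed (RFC 5737
# documentation range); 192.168.2.170 / 10.0.0.1 are the thread's addresses.
from enum import Enum


class Mapping(Enum):
    ENDPOINT_INDEPENDENT = "EIM"         # one external port per internal (ip, port)
    ADDRESS_AND_PORT_DEPENDENT = "APDM"  # a fresh external port per destination


class Filtering(Enum):
    ENDPOINT_INDEPENDENT = "EIF"         # anyone may send to the mapped port
    ADDRESS_DEPENDENT = "ADF"            # only hosts already contacted, any port
    ADDRESS_AND_PORT_DEPENDENT = "APDF"  # only (host, port) pairs already contacted


NAT_TYPES = {
    "full cone": (Mapping.ENDPOINT_INDEPENDENT, Filtering.ENDPOINT_INDEPENDENT),
    "restricted cone": (Mapping.ENDPOINT_INDEPENDENT, Filtering.ADDRESS_DEPENDENT),
    "port restricted cone": (Mapping.ENDPOINT_INDEPENDENT, Filtering.ADDRESS_AND_PORT_DEPENDENT),
    "symmetric": (Mapping.ADDRESS_AND_PORT_DEPENDENT, Filtering.ADDRESS_AND_PORT_DEPENDENT),
}


class Nat:
    """Stateful UDP NAT with the mapping and filtering behaviour of one type."""

    def __init__(self, kind, public_ip="192.168.2.170", first_port=40000):
        self.mapping, self.filtering = NAT_TYPES[kind]
        self.public_ip = public_ip
        self.next_port = first_port
        self.bindings = {}   # mapping key -> external port
        self.contacted = {}  # external port -> set of remote (ip, port) sent to

    def _key(self, src, dst):
        # Endpoint-independent mapping keys on the internal socket alone;
        # address-and-port-dependent mapping keys on (socket, destination).
        return src if self.mapping is Mapping.ENDPOINT_INDEPENDENT else (src, dst)

    def outbound(self, src, dst):
        """Internal src sends to dst; return the external (ip, port) it appears from."""
        key = self._key(src, dst)
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.next_port += 1
        port = self.bindings[key]
        self.contacted.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound(self, remote, ext):
        """Packet from remote to external ext; return the internal (ip, port) it is
        delivered to, or None if the NAT drops it."""
        if ext[0] != self.public_ip or ext[1] not in self.contacted:
            return None  # no binding for that port: every NAT type drops it
        peers = self.contacted[ext[1]]
        if self.filtering is Filtering.ADDRESS_DEPENDENT:
            allowed = any(ip == remote[0] for ip, _ in peers)
        elif self.filtering is Filtering.ADDRESS_AND_PORT_DEPENDENT:
            allowed = remote in peers
        else:
            allowed = True
        if not allowed:
            return None
        key = next(k for k, p in self.bindings.items() if p == ext[1])
        return key if self.mapping is Mapping.ENDPOINT_INDEPENDENT else key[0]


def classify(nat, client=("10.0.0.1", 5000)):
    """RFC 3489 test sequence from inside the NAT, using two STUN servers
    (constructed addresses) that each answer from a primary and an alternate port."""
    a_ip, b_ip, port, alt_port = "203.0.113.10", "203.0.113.11", 3478, 3479
    # Test I: bind through to server A and learn the mapped address.
    mapped_a = nat.outbound(client, (a_ip, port))
    # Test II: A has its alternate IP and port answer. Only a full cone lets it in.
    if nat.inbound((b_ip, alt_port), mapped_a) == client:
        return "full cone"
    # Test I against server B: a different mapping for the same socket means symmetric.
    if nat.outbound(client, (b_ip, port)) != mapped_a:
        return "symmetric"
    # Test III: A answers from its own IP but the alternate port.
    if nat.inbound((a_ip, alt_port), mapped_a) == client:
        return "restricted cone"
    return "port restricted cone"


def classify_all():
    """Probe a fresh NAT of each type; each key should come back as its own value."""
    return {kind: classify(Nat(kind)) for kind in NAT_TYPES}


if __name__ == "__main__":
    for kind, seen in classify_all().items():
        print(f"{kind:22s} -> probe says {seen}")
```

One caveat worth keeping in mind when running a real probe against the rules above: Linux connection tracking keys UDP flows on the full source/destination address and port tuple, so a reply that arrives from a different remote port than the one inner.network sent to is a NEW flow as far as `-m state` is concerned, not ESTABLISHED. A filtering decision based on conntrack state alone therefore behaves like the port restricted model in this example, which is why the probe is the honest way to find out what a rule set does rather than reading it off the rules.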

----------

## RaMs39

Thank you so much, erik. :) 

The Wikipedia page was very helpful. I will be trying these NAT scenarios with my set-up.

Thanks,

RaMs

----------

## erik258

Hey, if this is for school, I would certainly appreciate knowing how far off I was.

----------

## maadi77

erik,

The assumption you've made that "given the port#" may not be the case all the time. RFC 4787 doesn't mention anything about the port# being given a priori. I have been wondering how the full cone implementation can be done using just iptables/netfilter with no port# given.

I went through the latest kernel release 2.6.34 (netfilter code), and I don't see any of the cone implementations done. Even netfilter.org is not talking about any existing extensions available for iptables (something on the lines of --mode: fullcone/restricted/portrestricted) :--(

Have you heard of any netfilter kernel patches (with iptables extension) available to support the NAT variations? I would highly appreciate your suggestions. Thanks

/Mahadeva

----------

