# Configuring different NAT-type with iptables

## euphi2

Hi!

To test different NAT traversal solutions like STUN I need to configure a linux machine with iptables to act as NAT router.

Are there any example iptables rulesets for NAT types like "Full Cone NAT", "Restricted Cone NAT" or "port restricted NAT"?

Furthermore, basic NAT rules in iptables seem to try not to change the source port on outgoing connections. This is a nice behaviour, but not the way I wish to test NAT traversal in a hostile environment, so is it possible to change this?

Thank you for any useful information,

Euphi

----------

## think4urs11

Did you already read http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html?

----------

## euphi2

Yes, but there's no explanation how the NAT behaviour can be changed.

----------

## fleed

Full cone NAT: each internal IP gets its own external IP mapped directly, and inbound packets get sent to the internal host directly. You'd set up your iptables so you have a 1 to 1 mapping, something using SNAT and DNAT specific to each internal IP address so that packets from the outside get sent directly to the internal address without changing anything.

Restricted cone NAT: 1 to 1 mapping, external packets only get sent to internal hosts if the internal host had previously sent a packet to the same external host. I don't know how to set this up with iptables, sorry!

Port restricted cone NAT: external packets get sent to the internal host only if the internal host had sent a packet to the external host on the same port. Basically this is what you get with most iptables setups, using SNAT or MASQUERADE.

(someone please correct me if I'm wrong in any of the above!)
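An added example, not from the thread or from any of its posters: a POSIX shell script that prints iptables rulesets for the full cone (static 1:1 SNAT/DNAT) and port restricted (MASQUERADE plus conntrack) behaviours described above. The interface names, the 10.0.0.0/24 LAN and the 203.0.113.0/24 public pool are assumptions; `--random` on MASQUERADE is the netfilter option that forces source-port rewriting, which covers Euphi's second question.

```shell
#!/bin/sh
# Added example: generate iptables rules for two NAT behaviours.
# Assumed topology: LAN 10.0.0.0/24 on $LAN_IF, Internet on $WAN_IF,
# public pool 203.0.113.0/24. The functions only print the rules;
# run ". ./this.sh; fullcone_rules 10.0.0.5 203.0.113.5 | sudo sh" to apply.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

# Full cone: one public IP per internal host, mapped statically in both
# directions, so any outside host can reach the internal host through the
# mapping without the internal host having sent anything first.
fullcone_rules() {   # $1 = internal IP, $2 = public IP mapped to it
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' "$WAN_IF" "$1" "$2"
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' "$WAN_IF" "$2" "$1"
    # Forwarding is allowed regardless of connection state: unsolicited
    # inbound traffic to the mapped address is the point of full cone NAT.
    printf 'iptables -A FORWARD -i %s -d %s -j ACCEPT\n' "$WAN_IF" "$1"
    printf 'iptables -A FORWARD -i %s -s %s -j ACCEPT\n' "$LAN_IF" "$1"
}

# Port restricted cone: the usual MASQUERADE setup. conntrack only admits
# inbound packets that match the (address, port) tuple an internal host
# already talked to. --to-ports plus --random makes the router rewrite the
# source port instead of preserving it, the "hostile" behaviour the original
# poster wanted when testing STUN-style traversal.
portrestricted_rules() {   # $1 = internal network in CIDR notation
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE --to-ports 1024-65535 --random\n' "$WAN_IF" "$1"
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -i %s -s %s -j ACCEPT\n' "$LAN_IF" "$1"
    printf 'iptables -A FORWARD -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$WAN_IF"
}

# Demonstration output for the assumed topology.
fullcone_rules 10.0.0.5 203.0.113.5
portrestricted_rules 10.0.0.0/24
```

Whether a given ruleset really behaves as full cone or port restricted is best confirmed from outside with a STUN client, since the FORWARD policy and any stateful rules above these lines change the filtering behaviour.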

----------

