9.3. Using NAT with Kernel 2.2

The IP Network Address Translation facility is pretty much the standardized "big brother" of the Linux IP Masquerade facility. It is specified in some detail in RFC-1631 (at your nearest RFC archive). NAT provides features that IP Masquerade does not, which makes it far more suitable for use both in corporate firewall router designs and in larger scale installations.

An alpha implementation of NAT for the Linux 2.0.29 kernel has been developed by Michael Hasenstein (Michael.Hasenstein@informatik.tu-chemnitz.de). Michael's documentation and implementation are available from:

Linux IP Network Address Web Page

The much improved TCP/IP stack of the Linux 2.2 kernel has NAT functionality built in. This facility seems to render the work by Michael Hasenstein (Michael.Hasenstein@informatik.tu-chemnitz.de) somewhat obsolete.

To get it to work, you need a kernel built with CONFIG_IP_ADVANCED_ROUTER, CONFIG_IP_MULTIPLE_TABLES (aka policy routing) and CONFIG_IP_ROUTE_NAT (aka fast NAT) enabled. If you want to use finer grained NAT rules, you may also want to turn on firewalling (CONFIG_IP_FIREWALL) and CONFIG_IP_ROUTE_FWMARK. To actually operate these kernel features, you will need the "ip" program by Alexey Kuznetsov from ftp://ftp.inr.ac.ru/ip-routing/.

Incoming datagrams NAT

Now, to translate the destination addresses of incoming datagrams, the following command is used:

	ip route add nat <ext-addr>[/<masklen>] via <int-addr>

This will make an incoming packet destined for "ext-addr" (the address visible from the outside Internet) have its destination address field rewritten to "int-addr" (the address in your internal network, behind your gateway/firewall). The packet is then routed according to the local routing table. You can translate either single host addresses or complete blocks. Examples:

	ip route add nat 195.113.148.34 via 192.168.0.2
	ip route add nat 195.113.148.32/27 via 192.168.0.0

The first command will make the internal address 192.168.0.2 accessible as 195.113.148.34. The second example remaps the block 192.168.0.0-31 to 195.113.148.32-63.