NAT: How To Mangle The Packets

Source: Internet  Published by: Digital repair software  Editor: 程序博客网  Time: 2024/05/12 06:08

6. Saying How To Mangle The Packets

So now we know how to select the packets we want to mangle. To complete our rule, we need to tell the kernel exactly what we want it to do to the packets.

6.1 Source NAT

You want to do Source NAT; change the source address of connections to something different. This is done in the POSTROUTING chain, just before it is finally sent out; this is an important detail, since it means that anything else on the Linux box itself (routing, packet filtering) will see the packet unchanged. It also means that the `-o' (outgoing interface) option can be used.

Source NAT is specified using `-j SNAT', and the `--to-source' option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).

## Change source addresses to 1.2.3.4.
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6

## Change source addresses to 1.2.3.4, ports 1-1023
# iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023

Masquerading

There is a specialized case of Source NAT called masquerading: it should only be used for dynamically-assigned IP addresses, such as standard dialups (for static IP addresses, use SNAT above).

You don't need to put in the source address explicitly with masquerading: it will use the source address of the interface the packet is going out from. But more importantly, if the link goes down, the connections (which are now lost anyway) are forgotten, meaning fewer glitches when the connection comes back up with a new IP address.

## Masquerade everything out ppp0.
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

6.2 Destination NAT

This is done in the PREROUTING chain, just as the packet comes in; this means that anything else on the Linux box itself (routing, packet filtering) will see the packet going to its `real' destination. It also means that the `-i' (incoming interface) option can be used.

Destination NAT is specified using `-j DNAT', and the `--to-destination' option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).

## Change destination addresses to 5.6.7.8
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8

## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10

## Change destination addresses of web traffic to 5.6.7.8, port 8080.
# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 \
        -j DNAT --to 5.6.7.8:8080

Redirection

There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface.

## Send incoming port-80 web traffic to our squid (transparent) proxy
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
        -j REDIRECT --to-port 3128

Note that squid needs to be configured to know it's a transparent proxy!
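The constraints this section states (SNAT and MASQUERADE sit in POSTROUTING where only `-o' is meaningful, DNAT and REDIRECT sit in PREROUTING where only `-i' is, and a port in `--to' only makes sense with `-p tcp' or `-p udp') can be checked before a rule is loaded. The following linter is an added example, not HOWTO code; the function names and the rules it is fed are my own, and it only understands the single-line `iptables -t nat ...' form used above.

```python
# Added example (not HOWTO code): lint nat rules against this section's constraints.
import ipaddress
import re
import shlex

# --to value is ip[-ip][:port[-port]]; each target's chain, plus the interface
# flag that chain cannot see (POSTROUTING has no -i, PREROUTING has no -o).
_TO_RE = re.compile(r"^(?P<lo>[\d.]+)(?:-(?P<hi>[\d.]+))?(?::(?P<plo>\d+)(?:-(?P<phi>\d+))?)?$")
_CHAIN = {"SNAT": ("POSTROUTING", "-i"), "MASQUERADE": ("POSTROUTING", "-i"),
          "DNAT": ("PREROUTING", "-o"), "REDIRECT": ("PREROUTING", "-o")}

def parse_to(spec):
    """Parse a --to-source/--to-destination value into (ip_lo, ip_hi, port_lo, port_hi)."""
    m = _TO_RE.match(spec)
    if not m:
        raise ValueError(f"bad --to spec: {spec!r}")
    lo = ipaddress.IPv4Address(m["lo"])  # junk octets raise a ValueError subclass
    hi = ipaddress.IPv4Address(m["hi"]) if m["hi"] else lo
    plo = int(m["plo"]) if m["plo"] else None
    phi = int(m["phi"]) if m["phi"] else plo
    if hi < lo or (plo is not None and not 1 <= plo <= phi <= 65535):
        raise ValueError(f"reversed or out-of-range --to spec: {spec!r}")
    return lo, hi, plo, phi

def lint_nat_rule(cmd):
    """Return the problems in one single-line rule; [] means it follows section 6."""
    argv = shlex.split(cmd)
    # flag -> following token (rule values never start with '-'); bare last flag -> True
    o = {f: v for f, v in zip(argv, argv[1:] + [True]) if f.startswith("-")}
    target = o.get("-j")
    if target not in _CHAIN:
        return [f"not a NAT target: {target}"]
    chain, bad_iface = _CHAIN[target]
    to = o.get("--to") or o.get("--to-source") or o.get("--to-destination")
    problems = [] if o.get("-t") == "nat" else ["NAT targets live in the nat table: add -t nat"]
    if o.get("-A") != chain:
        problems.append(f"{target} belongs in {chain}, not {o.get('-A')}")
    if bad_iface in o:
        problems.append(f"{chain} cannot match on {bad_iface}")
    if target in ("SNAT", "DNAT"):
        try:  # a port in --to only makes sense for TCP or UDP
            if parse_to(to or "")[2] is not None and o.get("-p") not in ("tcp", "udp"):
                problems.append("a port in --to needs -p tcp or -p udp")
        except ValueError as exc:
            problems.append(str(exc))
    elif target == "MASQUERADE" and to:
        problems.append("MASQUERADE takes its address from the interface: drop --to")
    elif target == "REDIRECT" and not (o.get("--to-port") or o.get("--to-ports")):
        problems.append("REDIRECT needs --to-port")
    return problems
```

Every rule shown in this section passes with an empty list; a SNAT rule written with `-i', or one that maps ports without `-p tcp', comes back with one message per mistake.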

Based on Linux kernel 2.4.

Taken directly from: http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html
