Linux Firewalls: Enhancing Security with nftables and Beyond by Steve Suehring

Author: Steve Suehring
Language: eng
Format: azw3, pdf
Publisher: Pearson Education
Published: 2015-01-22T16:00:00+00:00


NAT Semantics with iptables and nftables

Both iptables and nftables provide full NAT functionality, including both source (SNAT) and destination (DNAT) address mapping. The term full NAT isn’t a formal term; I’m referring to the capability to perform both source and destination NAT, to specify one or a range of translation addresses, to perform port translation, and to perform port remapping.

A partial implementation of NAPT, known as “masquerading” among Linux users, was provided in earlier Linux releases. It was used to map all local, private addresses to the single public IP address of the site’s single public network interface.

NAT and forwarding were often spoken of as two components of the same thing because masquerading was specified as part of the FORWARD rule’s semantics. At the time, blurring the two concepts made no functional difference. Now it’s very important to keep the distinction in mind: forwarding and NAT are two distinct functions and technologies.

Forwarding is routing traffic between networks. Forwarding routes traffic between network interfaces as is. Connections can be forwarded in either direction.

Masquerading sits on top of forwarding as a separate kernel service. Both directions of a masqueraded connection are translated, but the translation is not symmetric: masquerading is unidirectional in the sense that only outgoing connections can be initiated. As traffic from local machines passes through the firewall to a remote location, the internal machine’s IP address and source port are replaced with the address of the firewall machine’s external network interface and a free source port on that interface. The process is reversed for incoming responses. Before the packet is forwarded to the internal machine, the firewall’s destination IP address and port are replaced with the real IP address and port of the internal machine participating in the connection. The firewall machine’s port determines whether incoming traffic, all of which is addressed to the firewall machine, is destined for the firewall machine itself or for a particular local host.

The semantics of forwarding and NAT are separated in iptables. The function of forwarding the packet is done in the filter table using the FORWARD chain. The function of applying NAT to the packet is done in the nat table, using one of the nat table’s POSTROUTING, PREROUTING, or OUTPUT chains:

Forwarding is a routing function. The FORWARD chain is part of the filter table.

NAT is a translation function that is specified in the nat table. NAT takes place either before or after the routing function. The nat table’s POSTROUTING, PREROUTING, and OUTPUT chains are part of the nat table. Source NAT is applied on the POSTROUTING chain after a packet has passed through the routing function. Source NAT is also applied on the OUTPUT chain for locally generated, outgoing packets. (The filter table OUTPUT chain and the nat table OUTPUT chain are two separate, unrelated chains.) Destination NAT is applied on the PREROUTING chain before passing the packet to the routing function.
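The separation described above carries over to nftables: forwarding is decided in a chain on the forward hook, while translation happens in nat-type chains on the prerouting and postrouting hooks. The following ruleset is an added illustration, not an example from the book; it assumes a hypothetical topology with the Internet on eth0, a LAN of 192.168.1.0/24 on eth1, and an internal web server at 192.168.1.10 published on port 80. The forward chain's drop policy makes the point that a DNAT rule alone does not let traffic through: the translated packet still has to be accepted by the forward chain (and the kernel's net.ipv4.ip_forward sysctl must be enabled).

```nft
#!/usr/sbin/nft -f
# Assumed (hypothetical) topology: eth0 = Internet, eth1 = LAN 192.168.1.0/24,
# web server at 192.168.1.10. Forwarding also requires net.ipv4.ip_forward=1.
flush ruleset

table inet filter {
    chain forward {
        # Forwarding is a routing decision and lives on the forward hook,
        # independent of any translation performed in the nat table.
        type filter hook forward priority 0; policy drop;

        # Replies to connections already tracked by conntrack.
        ct state established,related accept

        # Outbound connections from the LAN; only this direction may be initiated.
        iifname "eth1" oifname "eth0" ct state new accept

        # The DNAT rule in the nat table rewrites the destination before routing,
        # so by the time the packet reaches this chain it carries the internal
        # address. Without this rule the policy drop still discards it.
        iifname "eth0" oifname "eth1" ip daddr 192.168.1.10 tcp dport 80 ct state new accept
    }
}

table ip nat {
    chain prerouting {
        # Destination NAT happens before the routing function.
        type nat hook prerouting priority -100; policy accept;
        iifname "eth0" tcp dport 80 dnat to 192.168.1.10
    }

    chain postrouting {
        # Source NAT happens after the routing function; masquerade picks the
        # current address of the outgoing interface and a free source port.
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" masquerade
    }
}
```

Load with `nft -f <file>`; `nft -c -f <file>` checks the syntax without applying it, and `nft list ruleset` shows the resulting chains so the two roles can be inspected separately.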


