Next: Translating a Network
Up: Static Address Translation
Previous: Static Address Translation
Here I only want to show how my implementation translates not just
forwarded packets, but also packets destined for or originating from
localhost, which are treated in exactly the same way. This follows from
the design of this implementation, which makes NAT an additional layer
around the kernel's network functions, see the figure on page .
We have two hosts, one of which is a Linux PC running the NAT module.
The local IP used to configure its network interface is 1.1.1.1,
but on the network we want it to appear as 134.109.192.223 to the other
host (IP 134.109.192.123).
Assuming the network (including routes!) has already been configured
on both hosts, I only mention the additional steps necessary to translate
the local 1.1.1.1 address:
- Tell the NAT module to translate the IP 1.1.1.1 to 134.109.192.223
  in outgoing packets and to do the reverse for incoming packets.
  Using one bidirectional rule:
    ipnatadm -O -i -b -S 1.1.1.1/32 -M 134.109.192.223/32
  Or using two rules (equivalent to the above rule):
    ipnatadm -O -i -S 1.1.1.1/32 -M 134.109.192.223/32
    ipnatadm -I -i -D 134.109.192.223/32 -N 1.1.1.1
The rules can be read like this:
- Insert (-i) a bidirectional rule (-b) into the chain of rules:
  if the packet will be sent (-O) through any interface (no -W),
  carrying any protocol (TCP, UDP, ...) (no -P), and the source IP
  (-S) is 1.1.1.1 (the port does not matter), replace the source
  IP (-M) by 134.109.192.223.
  Since it is a bidirectional rule it will also match incoming packets
  (the opposite of -O) whose destination IP is 134.109.192.223;
  for such packets the destination IP is replaced by 1.1.1.1.
  The NAT module knows it is the opposite direction because the NAT function
  was called from the kernel's IP packet receiving function while the rule
  has been bound to the out-direction.
- The two alternative rules do exactly the same, but here we do not rely
  on the mechanism for bidirectional rules and instead spell out the
  reverse translation in a rule of its own.
Now host 2 can communicate with the NAT host using the IP 134.109.192.223;
using 1.1.1.1 will not work even if a route for this address is inserted
into host 2's routing table. Note that the implementation does not
translate IPs carried inside the packets, so for example non-passive FTP from
the NAT host to host 2 cannot work: the PORT command is wrong, since it still
contains IP 1.1.1.1 while, from host 2's point of view, the packet comes
from host 134.109.192.223.
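As an added example (not part of the original page or of the ipnatadm implementation), the following Python model applies both rule sets above to a packet in each direction and shows that they behave identically and that a constructed FTP PORT payload still carries 1.1.1.1 after translation; the Packet and Rule types and the translate function are my own simplification of the rule semantics described in the text.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str = ""  # application data; the translator never looks inside

@dataclass(frozen=True)
class Rule:
    """One ipnatadm rule; only the options used on this page are modelled."""
    chain: str                       # "O" (-O, outgoing) or "I" (-I, incoming)
    match_src: Optional[str] = None  # -S
    match_dst: Optional[str] = None  # -D
    new_src: Optional[str] = None    # -M
    new_dst: Optional[str] = None    # -N
    bidirectional: bool = False      # -b

def translate(rules: List[Rule], pkt: Packet, direction: str) -> Packet:
    """Apply the first matching rule to pkt travelling in `direction`.
    No -W or -P is given in the rules, so interface and protocol always match."""
    for r in rules:
        if r.chain == direction:
            if r.match_src in (None, pkt.src) and r.match_dst in (None, pkt.dst):
                return replace(pkt, src=r.new_src or pkt.src, dst=r.new_dst or pkt.dst)
        elif r.bidirectional:
            # Opposite direction of a -b rule: the address the rule inserted
            # (-M / -N) is matched in the mirrored field and the original restored.
            if r.new_src is not None and pkt.dst == r.new_src:
                return replace(pkt, dst=r.match_src)
            if r.new_dst is not None and pkt.src == r.new_dst:
                return replace(pkt, src=r.match_dst)
    return pkt  # no rule matched: the packet passes unchanged

# ipnatadm -O -i -b -S 1.1.1.1/32 -M 134.109.192.223/32
ONE_RULE = [Rule("O", match_src="1.1.1.1", new_src="134.109.192.223", bidirectional=True)]
# ipnatadm -O -i -S 1.1.1.1/32 -M 134.109.192.223/32
# ipnatadm -I -i -D 134.109.192.223/32 -N 1.1.1.1
TWO_RULES = [Rule("O", match_src="1.1.1.1", new_src="134.109.192.223"),
             Rule("I", match_dst="134.109.192.223", new_dst="1.1.1.1")]

HOST2 = "134.109.192.123"

def round_trip(rules: List[Rule]):
    """NAT host sends to host 2 (constructed FTP PORT payload naming 1.1.1.1),
    then host 2 answers to 134.109.192.223."""
    out = translate(rules, Packet("1.1.1.1", HOST2, "PORT 1,1,1,1,4,1"), "O")
    back = translate(rules, Packet(HOST2, "134.109.192.223"), "I")
    return out, back
```

The payload of the outgoing packet is returned unchanged, which is exactly why host 2 sees a PORT command naming an address that differs from the packet's source.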
Michael Hasenstein
8/22/1997