The "nat" command performs network address translation as described in RFC 1631 (since superseded by RFC 3022). NAT partly mitigates IPv4 address space exhaustion: several hosts on a LAN can reach the Internet through one shared public IP address. One address space is remapped into another by rewriting the IP addresses (and, for port-based translation, the transport port numbers) in packet headers as the packets pass through the routing device.
As defined in RFC 1918, part of the IPv4 address space is reserved for use in so-called private IP networks. Internet backbone routing protocols do not advertise these prefixes, so the same addresses can be reused in different Internet segments. ISPs and enterprises use them to build internal transport networks and to connect small subscriber communities.
Syntax:
local_acl (-acl)        - ACL local networks list and public address
                          argument: $NAME [public_addr|dhcp IFNAME] [-exclude $DSTACL] [enable|disable|delete]
maxlinks (-ml)          - maximal number of links
                          argument: NUM
ignore_incoming (-i)    - ignore unknown incoming connections
                          argument: [yes|no]
same_ports (-sp)        - try to keep original port numbers for connections
                          argument: [yes|no]
verbose (-v)            - verbose mode, dump packet information
                          argument: [yes|no]
stat (-s)               - NAT statistics
redirect_port (-rpo)    - redirect a port (or ports) for incoming traffic
                          argument: tcp|udp|ras|cs local_addr:local_port_range[,...] [public_addr:]public_port_range [remote_addr[:remote_port_range]]
redirect_proto (-rpr)   - redirect packets of a given protocol
                          argument: proto local_addr [public_addr [remote_addr]]
redirect_address (-ra)  - define mapping between local and public addresses
                          argument: local_addr[,...] public_addr
proxy_rule (-pr)        - add transparent proxying / destination NAT
                          argument: [type encode_ip_hdr|encode_tcp_stream] [port xxxx] [server [a.b.c.d]:yyyy] [proto tcp|udp] [src <addr>[/mask]] [dst <addr>[/mask]]
default_h323 (-dh)      - use default H.323 ports for outgoing connections
                          argument: [yes|no]
h323_destination (-hd)  - describe an H.323 outgoing connection
                          argument: ras|cs remote_addr[:remote_port] [local_addr[:local_port]]
proxy_only (-po)        - transparent proxy only, no aliasing
                          argument: [yes|no]
skinny_port (-skp)      - set the TCP port for the Skinny Station protocol
                          argument: port
del (-del)              - delete a NAT rule
                          argument: rule_number
enable (ena)            - enable NAT translation
disable (disa)          - disable NAT translation
Using the "ifconfig" command, assign the public IP address "123.1.1.1/32" to the "rf5.0" interface, then enable dynamic routing for that address with the "rip start" command.
Create an access list containing "192.168.1.0/24" (the local network) as its only entry and declare "123.1.1.1" as the public address for that list.
Alternatively, use the address obtained via DHCP as the public address; in this case the DHCP server issued the address through the "eth0" interface.
Finally, enable the NAT module so that it translates addresses according to the configured rules.
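The commands for the procedure above are not reproduced on this page. The following is an added example assembled from the syntax summary, not the original documentation's own listing: the exact spelling of the "ifconfig" and "acl" invocations and the list name "$LOCAL" are assumptions, and the lines starting with "#" are annotations rather than CLI input. It also sets "ignore_incoming" so that incoming connections matching no existing translation entry are not translated, and "same_ports" so that source ports are preserved where possible.

```text
# Public address on the radio interface, then advertise it via RIP
ifconfig rf5.0 123.1.1.1/32
rip start

# Local network list (the "acl" spelling is an assumption; see the acl command reference)
acl add $LOCAL 192.168.1.0/24

# Bind the list to the static public address ...
nat local_acl $LOCAL 123.1.1.1
# ... or, instead, to the address leased over eth0 by DHCP
# nat local_acl $LOCAL dhcp eth0

# Do not translate incoming connections that match no existing entry
nat ignore_incoming yes
# Try to keep the original source ports (helps protocols that assume fixed ports)
nat same_ports yes

nat enable

# Check the translation table and counters after the first connections
nat stat
```

After "nat enable", open a connection from a LAN host and confirm with "nat stat" that the entry shows the LAN address translated to 123.1.1.1 (or to the DHCP-leased address).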
In the following example, all incoming TCP connections to port 7777 of this router are redirected to the host with IP address "192.168.1.5", port 23 (telnet).
All incoming TCP packets whose destination address is "123.1.1.2" and whose destination port falls within the "public_port_range" 3300-3399 are redirected to "192.168.1.4". The port mapping is one-to-one with a fixed offset: 3300->2300, 3301->2301, and so on up to 3399->2399.
An IRC server runs on client A and a web server runs on client B. For both to be reachable from outside, connections arriving at ports 6667 (IRC) and 80 (HTTP) must be redirected to the respective hosts.
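The "redirect_port" rules for the three cases above (telnet on 7777, the 3300-3399 range, and the IRC and web servers), as an added example assembled from the "redirect_port" syntax rather than taken from the original page. The addresses of clients A and B (192.168.1.10 and 192.168.1.11) and the management host 203.0.113.10 are assumptions; "#" lines are annotations, not CLI input.

```text
# Incoming TCP to this router's port 7777 -> 192.168.1.5:23 (telnet)
nat redirect_port tcp 192.168.1.5:23 7777

# Same, but only from one remote host: the optional remote_addr argument
# limits who can reach the exposed telnet service (recommended for port 23)
nat redirect_port tcp 192.168.1.5:23 7777 203.0.113.10

# Incoming TCP to 123.1.1.2, ports 3300-3399 -> 192.168.1.4, ports 2300-2399
# (both ranges have the same length; the mapping is one-to-one with an offset)
nat redirect_port tcp 192.168.1.4:2300-2399 123.1.1.2:3300-3399

# IRC on client A, web on client B (client addresses assumed)
nat redirect_port tcp 192.168.1.10:6667 6667
nat redirect_port tcp 192.168.1.11:80 80
```

Every redirected port is a service exposed to the Internet: prefer the form with "remote_addr" for administrative protocols such as telnet, and delete rules that are no longer needed with "nat del".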
The NAT settings in this example redirect all traffic arriving at the "192.1.1.1" IP address to the LAN address "192.168.1.2", and all traffic arriving at "192.1.1.2" to "192.168.1.3".
All outgoing TCP packets from the LAN destined for port 80 are redirected to the provider's proxy server (transparent proxying).
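The static address mapping and the transparent proxy rule for the two examples above, as an added example assembled from the "redirect_address" and "proxy_rule" syntax; it is not the original page's listing. The proxy server address 10.10.10.10:3128 is an assumption, and "#" lines are annotations rather than CLI input.

```text
# Static one-to-one mapping: every protocol and port arriving at the public
# address is handed to the corresponding LAN host
nat redirect_address 192.168.1.2 192.1.1.1
nat redirect_address 192.168.1.3 192.1.1.2

# Transparent proxying: TCP traffic from the LAN to port 80 is diverted to the
# provider's proxy (address and port assumed); "src" limits the rule to the LAN
nat proxy_rule port 80 server 10.10.10.10:3128 proto tcp src 192.168.1.0/24
```

Unlike "redirect_port", a "redirect_address" mapping exposes the whole host, so filter what may reach 192.1.1.1 and 192.1.1.2 separately if only a few services should be reachable.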
NAT and H.323 telephony
Subscribers and gatekeepers use several H.323 protocols; two of them matter here. RAS (Registration, Admission, Status) is used for subscriber registration on the gatekeeper and for monitoring subscriber status. CS (Call Signaling) is used by subscribers for the signaling established for a specific call. Both protocols are described in the H.225.0 standard. Typical system configurations include the following examples.
A subscriber resides in a LAN and a gateway has a public IP address; the subscriber makes outgoing calls only. Use the "h323_destination" parameter to give the subscriber on the local network access to the gateway via the CS protocol. If the gateway accepts incoming calls on the well-known port 1720, enabling the "default_h323" mode is sufficient. The subscriber resides in the LAN with the "10.0.0.99" IP address; the gateway has the "123.45.67.89" IP address and resides in the Internet. Allow the subscriber's outgoing calls to the gateway with the following command:
The subscriber resides in the LAN with the "10.0.0.99" IP address; one or several gateways are in the Internet with unknown addresses. Allow the subscriber's outgoing calls to the gateways with the following command:
Several subscribers reside in a LAN, a gateway has a public IP address, and calls are both incoming and outgoing. For access from the gateway to the subscribers, use the "redirect_port" command with the "cs" protocol and a distinct alias address or alias port per subscriber. Specify the gateway address and port explicitly (subscriber ports may be specified as well). The subscribers reside in the LAN with addresses "10.0.0.98" and "10.0.0.99"; the gateway resides in the Internet with address "123.45.67.89"; the NAT "alias_address" is "123.45.67.65". Allow the subscribers to make outgoing calls to the gateway and to receive incoming calls from it with the following command:
A subscriber resides in a LAN, registers on a gatekeeper with a public IP address, and works via that gatekeeper. In this case it is enough to specify the "h323_destination ras" command with the gatekeeper address. The "default_h323" mode can be enabled if subscribers register on the standard port 1719. The subscriber resides in the LAN with the "10.0.0.99" IP address; the gatekeeper resides in the Internet with the "123.45.67.89" address. Allow the subscriber to register on the gatekeeper, for making and receiving calls, with the following command:
Several subscribers reside in a LAN; the gatekeeper in the Internet has the "123.45.67.89" IP address and listens on the non-standard RAS port 1024. Allow any subscriber to register on the gatekeeper, for making and receiving calls, with the following command:
A subscriber resides in a LAN with the "10.0.0.99" IP address; one or several gatekeepers reside in the Internet with unknown addresses. Allow the subscriber to register on these unknown addresses with the following command:
The gatekeeper has a private IP address and resides in the LAN, and subscribers register on it from the Internet. To let Internet subscribers register, a "redirect_port" rule with the "ras" protocol, the gatekeeper's private IP address and its RAS port must be specified. Since static subscribers must also place and receive calls through the gatekeeper, a "redirect_port" rule with the "cs" protocol, the gatekeeper's private IP address and its call signaling port must be specified as well. The subscriber resides in the Internet with the "123.45.67.89" IP address; the gatekeeper resides in the LAN with the "10.0.0.99" address; the NAT "alias_address" is "123.45.67.65". Allow the subscriber to register on this gatekeeper, for making and receiving calls, with the following command:
The gatekeeper's RAS address as seen from the Internet is "123.45.67.65:1719". A static subscriber resides in the Internet with the "123.45.67.89" IP address; the gatekeeper resides in the LAN with the "10.0.0.99" address; the NAT "alias_address" is "123.45.67.65". Allow the subscriber to register on this gatekeeper, for making and receiving calls, with the following command:
In the subscriber's configuration the gatekeeper's call signaling address should be "123.45.67.65:1720".
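The H.323 cases above whose parameters are fully stated on the page (known gateway or gatekeeper address, gatekeeper behind NAT), as an added example assembled from the "h323_destination" and "redirect_port" syntax; it is not the original page's listing. The cases with unknown remote addresses are left out because the page does not show how they are expressed. The alias ports 1720 and 1721 for the two subscribers, and the reading of an omitted "local_addr" as "any LAN subscriber", are assumptions; "#" lines are annotations, not CLI input.

```text
# 1. One subscriber (10.0.0.99), outgoing calls only, gateway 123.45.67.89
#    accepting calls on the well-known port 1720
nat default_h323 yes
nat h323_destination cs 123.45.67.89:1720 10.0.0.99

# 2. Two subscribers, incoming and outgoing calls, alias address 123.45.67.65:
#    each subscriber gets its own alias port for call signaling, and only the
#    gateway (remote_addr) may use these entries
nat redirect_port cs 10.0.0.98:1720 123.45.67.65:1720 123.45.67.89:1720
nat redirect_port cs 10.0.0.99:1720 123.45.67.65:1721 123.45.67.89:1720

# 3. Subscriber 10.0.0.99 registers on the public gatekeeper 123.45.67.89
#    (standard RAS port 1719) ...
nat h323_destination ras 123.45.67.89:1719 10.0.0.99
#    ... or any LAN subscriber registers on a gatekeeper listening on RAS port 1024
nat h323_destination ras 123.45.67.89:1024

# 4. Gatekeeper 10.0.0.99 inside the LAN, published as 123.45.67.65; the static
#    subscriber 123.45.67.89 needs both RAS (1719) and call signaling (1720)
nat redirect_port ras 10.0.0.99:1719 123.45.67.65:1719 123.45.67.89
nat redirect_port cs  10.0.0.99:1720 123.45.67.65:1720 123.45.67.89
```

In case 2 the gateway must be told the per-subscriber alias port (1720 for 10.0.0.98, 1721 for 10.0.0.99); in case 4 the subscriber is configured with the gatekeeper at 123.45.67.65:1720, as stated above. Restricting each rule with "remote_addr" keeps arbitrary Internet hosts from reaching the H.323 stacks behind the translator.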