Friday, June 25, 2010

Enhance Linux Box Security: Iptables made easy - tutorial part 3.1

This time we will deal with the NAT rules of iptables. NAT means Network Address Translation, and iptables keeps these rules in a separate table selected with `-t nat`. Only the first packet of each connection is looked up in the nat table; connection tracking then applies the same translation, and the reverse translation for replies, to the rest of the connection.
It is of 2 types - SNAT & DNAT.
SNAT means Source NAT. It is done in the POSTROUTING chain, after the routing decision, using either the SNAT target or the MASQUERADE target. Both rewrite the source IP address in the IP header of the packet, which is how private LAN addresses are hidden from the internet: a packet leaving the internal LAN through the firewall (the host with the public IP, visible to the internet) is SNATed and then sent on to its destination, so to the outside world it appears as if our public IP is the originator of the packet. The SNAT target is used when the firewall has a static public IP, whereas MASQUERADE is used when the public IP is dynamic (assigned by the ISP via DHCP or PPP), because it always uses whatever address the outgoing interface has at that moment.

The `-o` option names the outgoing interface (SNAT happens on the way out, so `-i` cannot be used in POSTROUTING). `-j SNAT` selects the Source NAT target and `--to-source` gives what the source address is rewritten to: a single IP address, a range of IP addresses, and
an optional port or range of ports. Ports are only meaningful for TCP and UDP, so a rule that gives a port range must also carry `-p tcp` or `-p udp`.

Now go through some SNAT examples. The 10.0.0.x addresses below stand in for the firewall's public addresses; in reality they are private addresses and were chosen only for illustration.
##Change source addresses to 10.0.0.5.
Rule 1:
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.0.0.5

## Change source addresses to 10.0.0.5-10.0.0.10.
Rule 2:
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.0.0.5-10.0.0.10

## Change source addresses to 10.0.0.5, ports 1-1023
Rule 3:
# iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 10.0.0.5:1-1023

Rule 4:
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 10.0.0.1
Map the private source IPs of hosts on the internal LAN (192.168.0.0/24) to one of my public static IP numbers (10.0.0.1 here). The `-s` match is what restricts the translation to LAN traffic: rules 1 to 3 have no `-s`, so they rewrite every packet leaving eth0, including packets generated by the firewall itself.

Rule 5:
# iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 192.168.0.1-192.168.0.160:1024-32000
Note: all source ports will be confined to the range given. This is only valid if `-p tcp` or `-p udp` was specified. iptables always tries to avoid altering the source port, but if two internal hosts use the same source port towards the same destination it must map one of them to a different port. If no port range is specified and a change is needed, source ports below 512 are mapped to other ports below 512, ports between 512 and 1023 are mapped to ports below 1024, and all other ports are mapped to 1024 or above.

## Masquerade everything out eth0.
Rule 6:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Note: the above rule is used when the firewall has a dynamic public IP, because it connects to the internet via DHCP (or PPP) and its address can't be predicted. MASQUERADE uses the address of the outgoing interface at the time the packet is sent, so no `--to-source` is given; the price is that when the interface goes down its connection tracking entries are forgotten, which a static SNAT rule does not do. It is also independent of how a host on the internal network got its own IP: the host could have a static address on an internal non-public network (e.g. 10. or 192.168.), a dynamic address from your own DHCP server running on the firewall, or even a public static address (which is very unlikely).

Rule 7:
# iptables -t nat -A POSTROUTING -p tcp -o eth0 -j MASQUERADE --to-ports 1024-31000
`--to-ports` is an optional field: you can give a single port such as `--to-ports 1025` or a range such as `--to-ports 1024-3000`. It overrides the default port selection described under rule 5. The option is only valid if the rule's match section specifies TCP or UDP with `-p` (`--protocol`). As in rule 6, `-o eth0` pins the translation to the public interface; without it the masquerade would also apply to packets leaving on the LAN interface.
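As an added example (not code from the original post), here is a small POSIX shell script that ties rules 4, 6 and 7 together: it builds the POSTROUTING rule for either case (SNAT when a static public IP is given, MASQUERADE otherwise), adds the FORWARD rules and the `ip_forward` setting that the NAT rules alone do not provide, and audits an iptables-save dump for SNAT/MASQUERADE rules that are not pinned with `-o` and `-s`. The interface names eth0 and ppp0, the subnet 192.168.0.0/24, the address 203.0.113.5 and the sample iptables-save dump are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: build the POSTROUTING rules
# discussed above (SNAT for a static public IP, MASQUERADE otherwise), print
# them for review, and audit an iptables-save dump for NAT rules that are not
# pinned to an outgoing interface and a source subnet.
# Interface names, subnet and addresses below are assumptions.

WAN_IF="${WAN_IF:-eth0}"              # assumed public-facing interface
LAN_NET="${LAN_NET:-192.168.0.0/24}"  # assumed internal LAN
PUBLIC_IP="${PUBLIC_IP:-}"            # static public IP => SNAT; empty => MASQUERADE

# nat_rules WAN LAN [PUBLIC_IP]: print the iptables commands, one per line.
# Both -s and -o are always present: without them the translation would hit
# every packet leaving any interface, including the firewall's own traffic
# and LAN-to-LAN traffic on a box with several internal interfaces.
nat_rules() {
    wan="$1"; lan="$2"; pub="$3"
    if [ -n "$pub" ]; then
        echo "iptables -t nat -A POSTROUTING -s $lan -o $wan -j SNAT --to-source $pub"
    else
        echo "iptables -t nat -A POSTROUTING -s $lan -o $wan -j MASQUERADE"
    fi
    # NAT only rewrites addresses; the FORWARD chain still has to let the
    # traffic out (and only replies back in) if its policy is DROP.
    echo "iptables -A FORWARD -s $lan -o $wan -j ACCEPT"
    echo "iptables -A FORWARD -d $lan -i $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# apply_rules WAN LAN [PUBLIC_IP]: enable forwarding and run the commands (needs root).
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    nat_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

# audit_postrouting: read iptables-save output on stdin and print
# "BROAD: <rule>" for every SNAT/MASQUERADE rule lacking -o or -s.
# Returns 1 if any such rule was found, 0 otherwise.
audit_postrouting() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            "-A POSTROUTING "*) ;;
            *) continue ;;
        esac
        case "$line" in
            *" -j SNAT"*|*" -j MASQUERADE"*) ;;
            *) continue ;;
        esac
        has_o=0; has_s=0
        case "$line" in *" -o "*) has_o=1 ;; esac
        case "$line" in *" -s "*) has_s=1 ;; esac
        if [ "$has_o" -eq 0 ] || [ "$has_s" -eq 0 ]; then
            echo "BROAD: $line"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample of an iptables-save nat table (not captured from a real
# host): the first rule is pinned, the second is rule 7 from the post without -o.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 203.0.113.5
-A POSTROUTING -p tcp -j MASQUERADE --to-ports 1024-31000
COMMIT'

# Usage: review with the default DRY_RUN=1; run with DRY_RUN=0 as root to apply.
if [ "${DRY_RUN:-1}" = "1" ]; then
    nat_rules "$WAN_IF" "$LAN_NET" "$PUBLIC_IP"
    printf '%s\n' "$SAMPLE_NAT" | audit_postrouting || echo "audit: broad NAT rule(s) found"
else
    apply_rules "$WAN_IF" "$LAN_NET" "$PUBLIC_IP"
fi
```

Run it with no arguments to see the rules it would install; set `PUBLIC_IP` to switch from MASQUERADE to SNAT, and feed the real `iptables-save -t nat` output into `audit_postrouting` to catch rules like the un-pinned rule 7 on a running firewall.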
In the next post, DNAT is discussed.
