Sunday, June 27, 2010

Enhance Linux Box Security: Iptables made easy - tutorial part 3.2

Part 3.1 left us with the Destination Network Address Translation (DNAT) half of the iptables NAT rules; this part covers it.

DNAT (Destination NAT) rewrites the destination IP address, and optionally the destination port, of a packet. It happens in the PREROUTING chain of the nat table, i.e. before the routing decision, so the routing code and the filter table's FORWARD chain already see the rewritten address. Its typical use is port forwarding: a packet arrives at our external public IP, its destination is DNATed to the address of the internal LAN machine that really serves the traffic, and the packet is then forwarded to that machine. Connection tracking remembers the mapping, so the LAN machine's replies are un-NATed on the way back without any extra rule. The DNAT target is valid only in the PREROUTING and OUTPUT chains of the nat table (and in user-defined chains called from them); OUTPUT handles packets generated by the firewall itself. Because these rules match packets coming in, they normally select the inbound interface with `-i'. Destination NAT is specified using `-j DNAT', and the `--to-destination' option takes an IP address or a range of IP addresses, optionally followed by a port or a range of ports (ports are only possible with `-p tcp' or `-p udp'). Two things the rules below do not show: IP forwarding must be switched on (net.ipv4.ip_forward=1), and the filter table's FORWARD chain must accept the translated packets, because the nat table only sees the first packet of each connection.

## Change the destination address of every packet arriving on eth0 to 10.0.0.5
## (`--to' is an accepted short form of `--to-destination'). Without a `-d' or
## `-p'/`--dport' match this also catches traffic meant for the firewall itself,
## so in practice restrict it as in rules 3 to 5.
Rule 1:
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 10.0.0.5

## Change destination addresses to one address out of 10.0.0.5-10.0.0.10
## (see rule 4 for how the address is chosen).
Rule 2:
# iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 10.0.0.5-10.0.0.10

## Change the destination of incoming web traffic (TCP port 80) to 10.0.0.5, port 8080.
## A port in `--to' is only possible because the rule matches `-p tcp'.
Rule 3:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 10.0.0.5:8080

## Send all packets destined for IP address 15.45.23.67, TCP port 80, to a range of LAN IPs, namely 192.168.0.1 through 192.168.0.10. Note, as described in the previous part, that a single stream (connection) always sticks to the host it was first mapped to, because connection tracking records the mapping; each new connection is assigned one address from the range by the kernel, and that choice is not configurable, so do not treat this as a reliable load balancer.
Rule 4:
# iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.0.1-192.168.0.10

## Same as above, but diverting the packets to a range of ports (80 to 100) on a single host.
Rule 5:
# iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1:80-100
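A complete port forward, as an added example that is not part of the original tutorial: rule 3 on its own is not enough, because the nat table only sees the first packet of a connection, the filter table's FORWARD chain has to accept the rest, and forwarding has to be enabled. The function below prints the whole ruleset in iptables-restore format so it can be reviewed before loading; run the script with `apply` as root to load it. The interface names (eth0 public, eth1 LAN), the LAN network, the addresses and the ports are assumptions. It also handles the hairpin case (a LAN client using the public address), which the rules above do not cover.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Interface names, networks,
# addresses and ports are assumptions for illustration; adjust to your network.

# dnat_ruleset EXT_IF LAN_IF LAN_NET EXT_IP LAN_HOST PUB_PORT LAN_PORT
# Prints an iptables-restore ruleset that forwards EXT_IP:PUB_PORT (TCP)
# to LAN_HOST:LAN_PORT, including the filter rules that rule 3 alone lacks.
dnat_ruleset() {
    ext_if=$1 lan_if=$2 lan_net=$3 ext_ip=$4 lan_host=$5 pub_port=$6 lan_port=$7
    cat <<EOF
*nat
# Rewrite the destination before routing: packets arriving on the public
# interface for $ext_ip:$pub_port now go to $lan_host:$lan_port.
-A PREROUTING -i $ext_if -p tcp -d $ext_ip --dport $pub_port -j DNAT --to-destination $lan_host:$lan_port
# Hairpin: LAN clients that use the public address get the same rewrite, and
# only those are MASQUERADEd so the server's replies come back through the
# firewall (otherwise the server answers the client directly and the client,
# expecting a reply from $ext_ip, drops it). External clients keep their
# real source address, so the server's logs stay meaningful.
-A PREROUTING -i $lan_if -p tcp -d $ext_ip --dport $pub_port -j DNAT --to-destination $lan_host:$lan_port
-A POSTROUTING -s $lan_net -o $lan_if -p tcp -d $lan_host --dport $lan_port -j MASQUERADE
COMMIT
*filter
# The nat table sees only the first packet of each connection; FORWARD sees
# every packet, already carrying the translated address and port.
-A FORWARD -o $lan_if -p tcp -d $lan_host --dport $lan_port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Replies from the server are un-NATed by connection tracking on the way out.
-A FORWARD -i $lan_if -p tcp -s $lan_host --sport $lan_port -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# apply_dnat_ruleset: same arguments; enables forwarding and loads the rules
# without flushing what is already loaded. Must run as root.
apply_dnat_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    dnat_ruleset "$@" | iptables-restore --noflush
}

# Assumed values: eth0 public with 15.45.23.67, eth1 on 192.168.0.0/24,
# web server 192.168.0.5 listening on 8080, published on port 80.
if [ "${1:-}" = apply ]; then
    apply_dnat_ruleset eth0 eth1 192.168.0.0/24 15.45.23.67 192.168.0.5 80 8080
else
    dnat_ruleset eth0 eth1 192.168.0.0/24 15.45.23.67 192.168.0.5 80 8080
fi
```

After loading, `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show per-rule packet counters; a test connection from outside should increment the DNAT counter by one (first packet only) and the FORWARD counters by the full packet count of the connection. `conntrack -L` (or `cat /proc/net/nf_conntrack` on older systems) shows the live mapping with both the original and the translated tuple.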

Redirection is a special case of Destination NAT: the REDIRECT target is a convenience that is equivalent to a DNAT to the primary address of the incoming interface (packets generated locally, in the OUTPUT chain, are redirected to 127.0.0.1). Like DNAT it is valid only in the PREROUTING and OUTPUT chains of the nat table.
Its most common use is a transparent proxy for a LAN; on Linux that is usually Squid, which listens on port 3128 by default.
## Send port-80 web traffic arriving from the LAN on eth1 to our Squid (transparent)
## proxy on this box (`--to-port' is an accepted short form of `--to-ports').
## Squid has to be configured to accept intercepted connections on that port,
## and as written this also intercepts requests to web servers inside the LAN.
Rule 6:
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
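Rule 6 as it stands intercepts every port-80 connection from the LAN, including those addressed to the firewall itself and to web servers inside the LAN. The following is an added example, not from the original tutorial, of a transparent-proxy ruleset with those exclusions and with the filter INPUT rule the redirected packets need. eth1 as the LAN interface, 192.168.0.0/24 as the LAN, 192.168.0.1 as the firewall's LAN address and 3128 as the Squid port are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Interface, network and
# addresses are assumptions for illustration; adjust to your network.

# proxy_ruleset LAN_IF LAN_NET FW_LAN_IP PROXY_PORT
# Prints an iptables-restore ruleset that redirects LAN web traffic to a
# Squid running on this box, leaving LAN-internal web traffic alone.
proxy_ruleset() {
    lan_if=$1 lan_net=$2 fw_ip=$3 proxy_port=$4
    cat <<EOF
*nat
# Exclusions come first: the built-in nat chains end with policy ACCEPT, so
# RETURN here means "leave this packet untranslated". Requests for the
# firewall itself or for hosts inside the LAN must not be diverted.
-A PREROUTING -i $lan_if -p tcp --dport 80 -d $fw_ip -j RETURN
-A PREROUTING -i $lan_if -p tcp --dport 80 -d $lan_net -j RETURN
# Everything else on port 80 from the LAN: rewrite the destination to this
# box (the primary address of $lan_if), port $proxy_port.
-A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-ports $proxy_port
COMMIT
*filter
# Redirected packets are now addressed to the firewall, so they traverse
# INPUT (not FORWARD) and already carry the rewritten port. Admit them to Squid.
-A INPUT -i $lan_if -s $lan_net -p tcp --dport $proxy_port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# apply_proxy_ruleset: same arguments; loads the rules without flushing what
# is already loaded. Must run as root.
apply_proxy_ruleset() {
    proxy_ruleset "$@" | iptables-restore --noflush
}

# Assumed values: LAN on eth1 / 192.168.0.0/24, firewall at 192.168.0.1,
# Squid listening on 3128.
if [ "${1:-}" = apply ]; then
    apply_proxy_ruleset eth1 192.168.0.0/24 192.168.0.1 3128
else
    proxy_ruleset eth1 192.168.0.0/24 192.168.0.1 3128
fi
```

Squid must be told that connections on that port are intercepted rather than explicitly proxied: `http_port 3128 transparent` in Squid 2.6 to 3.0, `http_port 3128 intercept` in 3.1 and later; without it Squid cannot recover the original destination and answers with an error. To check that the redirect is taking effect, browse from a LAN client and watch the REDIRECT rule's counter in `iptables -t nat -L PREROUTING -n -v` go up by one per new connection. Note that only plain HTTP on port 80 is handled this way; HTTPS cannot be intercepted by a simple port redirect.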
