Network address translation – RuggedCom RuggedRouter RX1000 User Manual

Page 106


RuggedRouter

User Guide

The netfilter system uses rulesets, collections of packet classification rules that
determine the outcome of examination of a specific packet. The rules are defined by
iptables, a generic table structure syntax and utility program for the configuration and
control of netfilter.
In practice an iptables rule file and a script are all that are needed to load the netfilter
system with rules upon router start-up. The iptables rules, however, are somewhat
difficult to configure and manage.
The Shoreline Firewall, often known as shorewall, offers a more convenient
approach. Shorewall is really just a front end to netfilter, maintaining the information
used to generate the iptables rules in a less complicated form.
Shorewall itself does not provide a graphical front end, and instead assumes
administrators will have a fair amount of familiarity with reading and editing Linux
configuration files. The RuggedRouter comes with a GUI front end that simplifies some
of the management aspects.
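As an added illustration of the "less complicated form" mentioned above (this is a generic Shorewall example written for this page, not configuration shipped with the RuggedRouter): a two-interface gateway with the Internet on eth0 and the LAN on eth1 is described by a handful of short files under /etc/shorewall. The interface names, the 192.168.1.0/24 LAN block and the policy choices are assumptions for the example.

```text
# /etc/shorewall/zones        (ZONE  TYPE)
fw   firewall
net  ipv4
loc  ipv4

# /etc/shorewall/interfaces   (ZONE  INTERFACE  BROADCAST  OPTIONS)
net  eth0  detect  tcpflags,nosmurfs,routefilter
loc  eth1  detect

# /etc/shorewall/policy       (SOURCE  DEST  POLICY  LOG LEVEL)
loc  net  ACCEPT
fw   all  ACCEPT
net  all  DROP    info
all  all  REJECT  info

# /etc/shorewall/masq         (INTERFACE  SOURCE)
eth0  192.168.1.0/24
```

From these files Shorewall generates the iptables rules itself; the single masq line, for instance, becomes a rule of the form `iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE`, and the policy file becomes the default ACCEPT/DROP/REJECT actions in the filter table. The `net all DROP info` line is what makes unsolicited inbound traffic from the Internet disappear (and be logged) rather than be answered.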

Network Address Translation

Network Address Translation (NAT) enables a LAN to use one set of IP addresses
for internal traffic and a second set for external traffic. The NAT function of netfilter
makes all necessary IP address translations as traffic passes between the intranet and
the Internet. NAT is often referred to in Linux as IP Masquerading.

NAT itself provides a type of firewall by hiding internal IP addresses.
More importantly, NAT enables a network to use more internal IP addresses. Since
they're used internally only, there's no possibility of conflict with IP addresses used
by other organizations. Typically, your internal network will be set up to use one or
more of the reserved address blocks described in RFC 1918, namely:

10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
As packets with these addresses reach the NAT gateway, their source address and source
TCP/UDP port number are recorded, and the address/port number is translated to the
public IP address and an unused port number on the public interface. When the
Internet host replies to the internal machine's packets, the replies are addressed to the
NAT gateway's external IP at the translated port number. The NAT gateway then
searches its tables, reverses the changes it made to the outgoing packets,
and forwards the reply packets on to the internal machine.
Translation of ICMP packets happens in a similar fashion but without the source port
modification.
NAT can be used in static and dynamic modes. Static NAT masks the private IP
addresses by translating each internal address to a unique external address. Dynamic
NAT translates all internal addresses to one (or more) external address(es).
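The translation table behaviour described above (record source address and port, rewrite to the public address and an unused port, reverse the mapping for replies, leave ICMP identifiers alone) and the static versus dynamic distinction can be made concrete with a small model. The following Python is an added example written for this page, not code from the RuggedRouter or netfilter; the public address 203.0.113.5, the static mapping and the packets are constructed test values.

```python
from dataclasses import dataclass, replace
import ipaddress

# The three RFC 1918 reserved blocks listed in the text.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # TCP/UDP source port; echo identifier for ICMP
    dport: int = 0  # TCP/UDP destination port; echo identifier for ICMP replies


class NatGateway:
    """Toy NAT gateway: dynamic NAT (masquerading) plus optional static 1:1 entries."""

    def __init__(self, public_ip, static_map=None, first_port=1024):
        self.public_ip = public_ip
        self.static_out = dict(static_map or {})              # internal -> external
        self.static_in = {v: k for k, v in self.static_out.items()}
        self.next_port = first_port
        # Translation table: (proto, public port) -> (internal ip, internal port)
        self.table = {}
        # Reverse index so an existing flow keeps the port it was given.
        self.flows = {}  # (proto, internal ip, internal port) -> public port

    def _free_port(self, proto):
        """Pick a port not yet used for this protocol on the public interface."""
        while (proto, self.next_port) in self.table:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("no unused ports left on the public interface")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt):
        """Translate a packet leaving the intranet; returns the rewritten packet."""
        if pkt.src in self.static_out:            # static NAT: address only, port kept
            return replace(pkt, src=self.static_out[pkt.src])
        if not is_private(pkt.src):               # already public: nothing to do
            return pkt
        flow = (pkt.proto, pkt.src, pkt.sport)
        if flow in self.flows:
            public_port = self.flows[flow]
        elif pkt.proto == "icmp":
            # ICMP: record the mapping but do not modify the identifier.
            public_port = pkt.sport
            if ("icmp", public_port) in self.table:
                raise RuntimeError("ICMP identifier already in use by another host")
        else:
            public_port = self._free_port(pkt.proto)
        self.table[(pkt.proto, public_port)] = (pkt.src, pkt.sport)
        self.flows[flow] = public_port
        return replace(pkt, src=self.public_ip, sport=public_port)

    def inbound(self, pkt):
        """Reverse the translation for a reply; None means no table entry matched."""
        if pkt.dst in self.static_in:
            return replace(pkt, dst=self.static_in[pkt.dst])
        if pkt.dst != self.public_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None       # unsolicited traffic: nothing to map it to, so it is dropped
        internal_ip, internal_port = entry
        return replace(pkt, dst=internal_ip, dport=internal_port)


if __name__ == "__main__":
    gw = NatGateway("203.0.113.5", static_map={"192.168.1.50": "203.0.113.50"})
    out = gw.outbound(Packet("tcp", "192.168.1.10", "198.51.100.7", 40000, 80))
    print("outbound:", out)
    print("reply:", gw.inbound(Packet("tcp", "198.51.100.7", "203.0.113.5", 80, out.sport)))
    print("unsolicited:", gw.inbound(Packet("tcp", "198.51.100.7", "203.0.113.5", 4444, 2000)))
```

The `inbound` method returning `None` for a packet with no table entry is the "type of firewall" property mentioned earlier: an Internet host cannot reach an internal machine unless that machine created the mapping first. Two internal hosts using the same source port get distinct public ports, which is why the gateway must track ports and not just addresses.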

104 RuggedCom
