RuggedCom RuggedRouter RX1100 User Manual, page 119: Network Address Translation and Port Forwarding (sections 14.2.3 and 14.2.4)

14. Configuring The Firewall

Revision 1.14.3

RX1000/RX1100™

In practice, an iptables rule file and a script are all that are needed to load the netfilter system with
rules at router start-up. The iptables rules themselves, however, are somewhat difficult to configure and manage.

The Shoreline Firewall, usually known as Shorewall, offers a more convenient approach. Shorewall is
really just a front end to netfilter: it keeps the information used to generate the iptables rules in
simpler, table-style configuration files and generates the actual rules from them.

Shorewall itself does not provide a graphical front end, and instead assumes administrators have a
fair amount of familiarity with reading and editing Linux configuration files. The RuggedRouter comes
with a GUI front end that simplifies some of the management aspects.

14.2.3. Network Address Translation

Network Address Translation (NAT) enables a LAN to use one set of IP addresses for internal traffic
and a second set for external traffic. The NAT function of netfilter makes all necessary IP address
translations as traffic passes between the intranet and the Internet. In Linux, the dynamic form of
source NAT in which the public address is taken from the outgoing interface is called IP masquerading.

NAT also has a side effect that is often mistaken for a firewall: internal addresses are hidden, and an
unsolicited packet arriving at the public address matches no translation entry and is discarded. This
is not a substitute for filter rules. Any translation entry or port forward is enough to let traffic
through, so the filter rules must still decide what is permitted.

More importantly, NAT enables a network to use more internal IP addresses than it has public ones.
Because the internal addresses never appear on the Internet, they cannot conflict with the addresses
used by other organizations. Typically, the internal network is set up to use one or more of the
private address blocks reserved by RFC 1918, namely:

10.0.0.0/8 (10.0.0.0 - 10.255.255.255)

172.16.0.0/12 (172.16.0.0 - 172.31.255.255)

192.168.0.0/16 (192.168.0.0 - 192.168.255.255)

As packets from these addresses reach the NAT gateway, their source address and source TCP/UDP
port number are recorded, and the address/port pair is translated to the public IP address and an
unused port number on the public interface. When the Internet host replies to the internal machine's
packets, the replies are addressed to the NAT gateway's external IP address at the translated port
number. The NAT gateway then looks up its translation table, reverses the changes it made to the
outgoing packets, and forwards the reply packets to the internal machine.

Translation of ICMP packets happens in a similar fashion, but ICMP has no port numbers: the query
identifier of the message (for example the echo request ID) takes the place of the source port in the
translation table.

NAT can be used in static and dynamic modes. Static NAT masks the private IP addresses by
translating each internal address to its own unique external address, one to one. Dynamic NAT
translates many internal addresses to one (or a small pool of) external address(es), telling the
connections apart by the translated port numbers as described above.

14.2.4. Port Forwarding

Port forwarding (also known as redirection, and in netfilter terms a destination NAT or DNAT rule)
allows connections coming from the Internet to be sent to a chosen host behind the NAT gateway.
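The translation steps described in 14.2.3 (record the internal source address and port, pick a public port, reverse the change on the reply, key ICMP on its identifier) and the port forwarding of 14.2.4 can be modelled with a small stateful table. The block below is an added example and is not RuggedRouter, Shorewall or netfilter code; the `NatGateway` class and its methods are hypothetical names, and the public address 203.0.113.1, the remote hosts in 198.51.100.0/24 and the internal hosts in 192.168.1.0/24 are constructed for the illustration. Like netfilter's MASQUERADE target with no explicit port range, it keeps the original source port when that port is free on the public side and only allocates a new one on collision.

```python
"""Toy stateful NAT gateway: masquerading of outbound TCP/UDP/ICMP, reverse
translation of the replies, and static port forwards (DNAT) for inbound
connections.  Added illustration only; not RuggedRouter, Shorewall or
netfilter code.  All addresses and ports are constructed for the example."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0    # TCP/UDP source port; for ICMP, the echo identifier field
    dport: int = 0    # TCP/UDP destination port; unused for ICMP


class NatGateway:
    """Dynamic source NAT (masquerading) plus static port forwards."""

    def __init__(self, public_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.public_ip = public_ip
        self.port_range = port_range
        self.next_port = port_range[0]
        self.used: Set[Tuple[str, int]] = set()   # (proto, public port/ident) in use
        # (proto, int_ip, int_port, remote_ip, remote_port) -> public port
        self.out_table: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public_port, remote_ip, remote_port) -> (int_ip, int_port)
        self.in_table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        # (proto, public_port) -> (int_ip, int_port)
        self.forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_forward(self, proto: str, public_port: int, int_ip: str, int_port: int) -> None:
        """Send unsolicited inbound traffic for public_port to an internal host."""
        self.forwards[(proto, public_port)] = (int_ip, int_port)
        self.used.add((proto, public_port))   # never hand this port to an outbound flow

    def _public_port(self, proto: str, wanted: int) -> int:
        """Keep the original port/identifier if free, otherwise allocate an unused one."""
        if (proto, wanted) not in self.used:
            return wanted
        lo, hi = self.port_range
        for _ in range(hi - lo + 1):
            candidate = self.next_port
            self.next_port = lo if candidate == hi else candidate + 1
            if (proto, candidate) not in self.used:
                return candidate
        raise RuntimeError("public port pool exhausted")

    def _record(self, proto: str, int_ip: str, int_port: int,
                remote_ip: str, remote_port: int, public_port: int) -> None:
        self.used.add((proto, public_port))
        self.out_table[(proto, int_ip, int_port, remote_ip, remote_port)] = public_port
        self.in_table[(proto, public_port, remote_ip, remote_port)] = (int_ip, int_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Intranet -> Internet: rewrite the source to the public address and port."""
        remote_port = 0 if pkt.proto == "icmp" else pkt.dport
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, remote_port)
        public_port = self.out_table.get(key)
        if public_port is None:   # first packet of the flow: create the entry
            public_port = self._public_port(pkt.proto, pkt.sport)
            self._record(pkt.proto, pkt.src, pkt.sport, pkt.dst, remote_port, public_port)
        return replace(pkt, src=self.public_ip, sport=public_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> intranet: undo a recorded translation or apply a port forward.

        Returns None when the packet is dropped: nothing translated on the way out
        matches it and no port forward is configured for its destination port.
        """
        if pkt.dst != self.public_ip:
            return None
        if pkt.proto == "icmp":   # an echo reply carries our identifier, no port
            entry = self.in_table.get(("icmp", pkt.sport, pkt.src, 0))
            return None if entry is None else replace(pkt, dst=entry[0], sport=entry[1])
        entry = self.in_table.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is not None:
            return replace(pkt, dst=entry[0], dport=entry[1])
        fwd = self.forwards.get((pkt.proto, pkt.dport))
        if fwd is None:
            return None
        int_ip, int_port = fwd
        # Remember the forwarded connection so the internal host's replies leave
        # with the public address and the forwarded port as their source.
        self._record(pkt.proto, int_ip, int_port, pkt.src, pkt.sport, pkt.dport)
        return replace(pkt, dst=int_ip, dport=int_port)


if __name__ == "__main__":
    gw = NatGateway("203.0.113.1")
    gw.add_forward("tcp", 8080, "192.168.1.10", 80)
    for pkt in (Packet("tcp", "192.168.1.20", "198.51.100.5", 40000, 443),
                Packet("tcp", "192.168.1.21", "198.51.100.5", 40000, 443),
                Packet("icmp", "192.168.1.20", "198.51.100.5", 7)):
        print("out:", pkt, "->", gw.outbound(pkt))
    for pkt in (Packet("tcp", "198.51.100.5", "203.0.113.1", 443, 1024),
                Packet("tcp", "198.51.100.9", "203.0.113.1", 5555, 22),
                Packet("tcp", "198.51.100.9", "203.0.113.1", 5555, 8080)):
        print("in: ", pkt, "->", gw.inbound(pkt))
```

Running the block shows the points the text makes: two internal hosts that both use source port 40000 get distinct public ports, the reply to each is steered back to the right host, an unsolicited packet to port 22 is dropped because no entry matches it, and the forwarded port (8080 here) is reserved so masquerading never assigns it to an outbound flow. In plain netfilter terms the two behaviours are `iptables -t nat -A POSTROUTING -o <wan> -j MASQUERADE` and `iptables -t nat -A PREROUTING -i <wan> -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80`; the filter table still decides whether the forwarded traffic is accepted.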

The preceding paragraphs described the NAT process for connections made from the intranet to
the Internet. In those cases the addresses and ports were unambiguous: the gateway created the
translation entry itself when the first outgoing packet passed through it.
