Technical data
3. Base configuration
The NAT-Chains (Network Address Translation)
Packets can still be changed after the routing decision. For example, they may be given a new target
address so that they are forwarded to another computer (port forwarding), or a new source address may
be inserted to hide the network behind the router. Masquerading is used, for instance, to provide
Internet access for a private network over a single public IP address, or in a DMZ setup to hide the structure of
the local network from the computers in the DMZ.
Configuration is done with two chains, the PREROUTING chain and the POSTROUTING chain.
The POSTROUTING chain defines which packets are to be masqueraded by the router. If
no rule of the POSTROUTING chain matches, the packets are forwarded unmasqueraded.
Two variants exist for masquerading: one for network interfaces that are assigned an IP address
on dial-in (MASQUERADE) and one for network interfaces with a static IP address
(SNAT). SNAT additionally expects the source IP address that is to be inserted into the packet. It may
be specified as:
• an IP address (example: SNAT:1.2.3.4),
• an IP range (example: SNAT:1.2.3.4-1.2.3.10)
• or a symbolic reference (example: SNAT:IP_NET_1_IPADDR).
For both SNAT and MASQUERADE a port or port range may be set to which the source
port is to be redirected. Usually this notation is not necessary, because the kernel can choose
the ports on its own. However, some applications require the source port to remain unchanged
(and thus require 1:1 NAT) or forbid PAT (Port Address Translation) or NAPT (Network
Address and Port Translation). The port range is simply appended, like this:
SNAT:IP_NET_1_IPADDR:4000-8000.
In the POSTROUTING chain only ACCEPT, SNAT, NETMAP and MASQUERADE may be used
as actions.
PF_POSTROUTING_N PF_POSTROUTING_x PF_POSTROUTING_x_COMMENT
A list of rules that describes which packets the router should masquerade or forward
unmasqueraded. To exclude packets from masquerading, an ACCEPT rule for these packets
may be placed in front of the MASQUERADE rule.
The PREROUTING chain configures which packets are to be redirected to another computer.
If no rule of the PREROUTING chain matches, the packets are processed further without
changes. The action DNAT expects the IP address that is to be inserted as the target address. It may
be specified as:
• an IP address (example: DNAT:1.2.3.4),
• an IP range (example: DNAT:1.2.3.4-1.2.3.10)
• or a hostname (example: DNAT:@client1).
Finally, a port or port range may be set to which the target port is to be redirected. This is
only necessary if the target port is to be changed. The port (range) is simply appended to the
end, like this: DNAT:@server:21.