NAT

From Antcor



NAT Rules


NAT Chains


  • DNAT - Used to alter destination attributes of a packet (to redirect them).
  • SNAT - Used to alter source attributes of a packet (to hide sender’s address and properties).

Configuring NAT Rules


Rules are entries in a chain consisting of several fields (criteria) that can be used to match a data packet. If all criteria are met, then the rule is matched and the packet leaves the chain, launching the action of the matching rule. From the NAT tab you can

  • Select the NAT Kind
  • Add, delete, edit and manage NAT rules
  • Write NAT rules to the active list

Before configuring rules you must select a NAT Kind (SNAT or DNAT) from the NAT Kind drop down list.

Configuring NAT Matching fields


To add a rule, click the "+" button. The NAT Rule Configuration for [NAT Kind] Chain dialog box appears.

SNAT/DNAT Common Fields

The following fields are common to SNAT and DNAT configuration dialog boxes.

Not Check Boxes : Several fields have a Not check box beside them. Selecting it inverts that field's matching operation, so the rule matches packets that do not meet the criterion. For example, if Source MAC is configured with a specific MAC address and the adjacent check box is selected, the rule matches all packets except those with the specified Source MAC address.

Source IP : The Source IP field displays the Source IP address of the packet. The address can be expressed as a single IP address (e.g. 192.168.1.1/32), or as a whole IP subnet (e.g. 192.168.1.0/24). A match occurs if the source IP of the packet is exactly the same or belongs to the subnet configured.

Type the source IP address and number of subnet mask bits into the Source IP field.

Destination IP : The Destination IP field displays the Destination IP address of the packet. The address can be expressed as a single IP address (e.g. 192.168.1.1/32), or as a whole IP subnet (e.g. 192.168.1.0/24). A match occurs if the destination IP of the packet is exactly the same or belongs to the subnet configured.

Type the destination IP address and number of subnet mask bits into the Destination IP field.

Source Port(s) : The Source Port(s) field displays the port number of the source node. A match occurs if the source port number is the same as the number in this field.

Type the source port number into the Source Port field.

Destination Port(s) : The Destination Port(s) field displays the port number of the destination node. A match occurs if the destination port number is the same as the number in this field.

Type the destination port number into the Destination Port field.

Input Interface : The Input Interface field displays the interface on which the packet arrived. A match occurs if the interface the packet arrived from is the same as the configured interface (if the configured interface is a bridge, this also matches the interfaces under the bridge).

In the Input Interface drop down list, select a specific input interface, or select ANY.

Output Interface : The Output Interface field displays the interface from which the packet is to be transmitted. A match occurs if the interface the packet will be transmitted from is the same as the configured interface (if the configured interface is a bridge, this also matches the interfaces under the bridge).

In the Output Interface drop down list, select a specific output interface, or select ANY.

Existing Flowmark : The Existing Flowmark drop down list contains Flowmarks that have already been configured. Select a Flowmark from the list to use it as a matching criterion. A match occurs if the packet was marked with this mark when it flowed through the Flowmark chain.

Protocol : The Protocol drop down list contains a list of protocols that can be selected for matching. The following selections may be configured in this field:

  • ALL – A match always occurs.
  • TCP – A match occurs if the packet’s protocol type is TCP and,
  1. The Source port is entered as a number from 0 to 65535, where 0 indicates that all ports are matched.
  2. The Destination port is entered as a number from 0 to 65535, where 0 indicates that all ports are matched.
  • UDP - A match occurs if packet’s protocol type is UDP and,
  1. The Source port is entered as a number from 0 to 65535, where 0 indicates that all ports are matched.
  2. The Destination port is entered as a number from 0 to 65535, where 0 indicates that all ports are matched.
  • ICMP - A match occurs if packet’s protocol type is ICMP
  • GRE - A match occurs if packet’s protocol type is GRE
  • AH - A match occurs if packet’s protocol type is AH
  • ESP - A match occurs if packet’s protocol type is ESP

Source MAC : The sender’s MAC address. A match occurs if the packet’s Source MAC address (in the Ethernet header) is the same.

Comment : The Comment field is used to enter a string of at most 30 characters to describe the rule. This field is not used for matching.

SNAT Chain Specific Fields

The following fields are available in the SNAT configuration dialog box.

Masquerade : The IP address assigned to outgoing packets is taken dynamically from the current outgoing interface’s IP address (the outgoing source IP address does not need to be configured explicitly).

Translate Source IP to : The IP address (or range of IP addresses) that the source IP of the packet will be changed to. If a range of IP addresses is given, a round robin algorithm is used to assign addresses.

Translate Source Port to : The range of the router’s ports used to send NATed packets and to track their responses.

DNAT Chain Specific Fields

The following fields are available in the DNAT configuration dialog box.

Redirect : When a match occurs, the packet will be redirected to another port of the router.

Translate Dest IP to : The IP address (or range of IP addresses) that the destination IP of the packet will be changed to. If a range of IP addresses is given, a round robin algorithm is used to assign addresses. This is used to forward the packet to another host.

Translate Dest Port to : The port that the packet will be sent to (if a range of ports is given, a round robin algorithm is used).
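The matching semantics described under Configuring NAT Matching fields (Not check boxes, IP/subnet matching, port 0 meaning all ports, bridge membership for interfaces) and the SNAT/DNAT actions (Masquerade, round robin address and port pools) modelled in one place. This is an added illustration, not Antcor code: the bridge layout, interface addresses, rules and packets are constructed for the example, and the rule/packet dictionaries are an assumed representation of the dialog fields.

```python
import ipaddress
from itertools import cycle

# Constructed topology for this example: br0 bridges eth1/eth2 (LAN side), eth0 is the uplink.
BRIDGES = {"br0": {"eth1", "eth2"}}
IF_ADDR = {"eth0": "198.51.100.1"}

def iface_match(cfg, actual):
    # ANY matches everything; a configured bridge also matches the interfaces under it.
    return cfg == "ANY" or cfg == actual or actual in BRIDGES.get(cfg, set())

def rule_matches(rule, pkt):
    """Each configured criterion is a (value, negate) pair; the Not box inverts that criterion."""
    checks = {
        "src_ip":   lambda v: ipaddress.ip_address(pkt["src_ip"]) in ipaddress.ip_network(v, strict=False),
        "dst_ip":   lambda v: ipaddress.ip_address(pkt["dst_ip"]) in ipaddress.ip_network(v, strict=False),
        "src_port": lambda v: v == 0 or v == pkt["src_port"],   # 0 means all ports
        "dst_port": lambda v: v == 0 or v == pkt["dst_port"],
        "in_if":    lambda v: iface_match(v, pkt["in_if"]),
        "out_if":   lambda v: iface_match(v, pkt["out_if"]),
        "proto":    lambda v: v == "ALL" or v == pkt["proto"],
        "src_mac":  lambda v: v.lower() == pkt["src_mac"].lower(),
    }
    # A criterion fails when its raw result equals its negate flag (matched but negated, or unmatched).
    return all(checks[n](v) != neg for n, (v, neg) in rule["match"].items())

def apply_chain(chain, rules, pkt):
    """First matching rule rewrites pkt in place and ends the walk; returns its comment or None."""
    fld = "src" if chain == "SNAT" else "dst"
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        act = rule["action"]
        if act.get("masquerade"):            # SNAT: borrow the outgoing interface's current address
            pkt["src_ip"] = IF_ADDR[pkt["out_if"]]
        elif "to_ip" in act:                 # address pool handed out round robin
            pkt[fld + "_ip"] = next(act["to_ip"])
        if "to_port" in act:                 # port range, also round robin
            pkt[fld + "_port"] = next(act["to_port"])
        return rule["comment"]
    return None

def build_rules():
    """Fresh SNAT and DNAT chains; the cycle() iterators carry the round-robin state."""
    snat = [{"comment": "masq LAN", "action": {"masquerade": True},
             "match": {"in_if": ("br0", False), "out_if": ("eth0", False),
                       "src_ip": ("192.168.1.0/24", False), "proto": ("ALL", False)}}]
    dnat = [{"comment": "web farm",   # Not on src_ip: do not forward packets claiming a private source
             "match": {"in_if": ("eth0", False), "proto": ("TCP", False), "dst_port": (80, False),
                       "src_ip": ("10.0.0.0/8", True)},
             "action": {"to_ip": cycle(["192.168.1.10", "192.168.1.11"]), "to_port": cycle([8080])}}]
    return snat, dnat
```

Feeding the same external packet twice through the DNAT chain shows the round robin alternating between the two pool addresses, while a packet that fails the negated Source IP criterion leaves the chain untouched.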
