Monday, July 14, 2008

Iptables: DNAT

DNAT stands for Destination NAT. It is one type of NAT; the other is SNAT, which stands for Source NAT. What's the difference, I hear you ask. Good question! :) DNAT changes the destination of matching packets; SNAT changes the source of matching packets. Last week, my boss asked me to expose an internal system so that it could be accessed publicly.

Let's say my internal server's IP is 192.168.2.123 and the system is web-based (port 80). It sits behind a firewall that has a public IP, say 111.222.333.444. To reach the internal system from the internet, the firewall's IP must be used as the gateway to the internal server.

Internet ----> Firewall ----> Internal system

I want any packets destined to port 3256 on the firewall to be NAT'ed to the internal server on port 80. So the DNAT rule on the firewall is:

iptables -t nat -I PREROUTING ! -s 192.168.2.0/24 -p tcp --dport 3256 -j DNAT --to-destination 192.168.2.123:80

There you go. All packets destined to the firewall on port 3256 (except those from the internal 192.168.2.0/24 network) will be redirected to the internal server on port 80. There are other ways to achieve this using tools like xinetd, but I leave that as an exercise for the reader. :)
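The PREROUTING rule only rewrites the destination; on a firewall whose FORWARD policy is DROP the translated packet must still be allowed through, and the kernel must have IPv4 forwarding enabled. The script below is an added example, not from the original post: it generates the complete rule set for this port-forward, assuming eth0 as the public-facing interface and the addresses from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the rules needed for a
# working DNAT port-forward: the nat rule, the matching FORWARD permits, and
# the ip_forward sysctl. Interface name and addresses below are assumptions.

WAN_IF="eth0"                 # assumption: public-facing interface
LAN_NET="192.168.2.0/24"      # internal network from the post
SERVER="192.168.2.123"        # internal web server from the post
PUB_PORT="3256"               # port exposed on the firewall
SRV_PORT="80"                 # port the service listens on internally

# dnat_rules prints the commands instead of running them, so they can be
# reviewed before being applied on the firewall.
dnat_rules() {
    # Without forwarding enabled the translated packet is silently dropped.
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    # Rewrite the destination of packets arriving on the WAN side only;
    # "! -s" is the current negation syntax (the "-s !" form is deprecated).
    printf 'iptables -t nat -A PREROUTING -i %s ! -s %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$LAN_NET" "$PUB_PORT" "$SERVER" "$SRV_PORT"
    # After translation the packet traverses FORWARD with the new destination.
    # Permit only that host and port, so everything else still hits the policy.
    printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
        "$WAN_IF" "$SERVER" "$SRV_PORT"
    # Return path: replies from the server belong to an established connection;
    # conntrack un-NATs them automatically, no SNAT rule is needed.
    printf 'iptables -A FORWARD -s %s -p tcp --sport %s -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' \
        "$SERVER" "$SRV_PORT"
}

# Number of iptables commands generated (a quick sanity check for the set).
dnat_rule_count() {
    dnat_rules | grep -c '^iptables'
}

# apply_rules executes the generated commands; must run as root on the firewall.
apply_rules() {
    dnat_rules | sh
}

# Run with --show to print the rule set without applying anything.
case "${1:-}" in
    --show) dnat_rules ;;
esac
```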
