NAT with IPTables

From Debian Clusters
Jump to: navigation, search



The firewall can use IPTables to forward packets between the Internet and the internal network. IPTables is the interface to changing the built in netfilter firewall built into the Linux kernel. We'll also use IPTables to forward SSH requests for the firewall to the head node, making the firewall transparent. (Users of the cluster should interact with the head node, not the firewall.)

For my example (see Network Topology), this means that users will see something like the following. They specify the address of my firewall, eyrie, but then are deposited onto gyrfalcon, my head node.

kwanous@cassowary:~$ ssh's password:

Linux gyrfalcon 2.6.18-4-486 #1 Wed May 9 22:23:40 UTC 2007 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Most newer version of Debian (etch, sid, lenny) come with iptables installed. However, to make sure iptables installed with the latest version, run

apt-get install iptables

Configuring IPTables

IPTables is generally configured from the command line; it isn't read from a file. To make changes that "stick" after a reboot, a bash script run at startup can be used to enter all the configuration commands. We've already created a script for you - IPTables Script. Download this, save it as local, place it in /etc/init.d/, then change its status to be executable (chmod +x local/code>).

Next the file needs to be symlinked to a place where it will be loaded as the firewall is started up. Debian stores the files loaded during runtime in <code>/etc/rc*.d, where * is the runlevel: 0, 1, 2, 3, 4, 5, 6, or S. In Debian, run level 2 is the normal run level. /etc/rcS.d stores the scripts that are run regardless of the run level. Within a given run level directory, the scripts are run in order of lowest to highest numbered. Symlinks that start with S are executed with the argument start, K (for kill) ones are executed with stop.

To be the most secure and not allow any slips while the server is started up, the local script needs to be executed before the networking script. Networking is S40networking, so S39 will do. Symlink the file with

ln -s /etc/init.d/local /etc/rcS.d/S39local

or to /etc/rc2.d/S39local if you prefer.

Understanding the Iptables Commands

This iptables commands in the script use bash variables set earlier in the script, but they could just as easily be specified in plain within the script. Be sure to change the values to fit your network. $LOCALNET should be the IP range of the local network specified as a CIDR mask, and $EXTERNIP should be the IP address for the firewall's external interface. $SSHHOST should be the head node's IP address.

Source Network Address Translation (SNAT)

The first iptables command does the SNAT - translating packets generated by computers on the internal interface to go out to the Internet. Any machines seeing packets on the Internet from the cluster will see them as coming from the firewall, and they will respond to the firewall. Rather than accepting the packets themselves, the firewall them forwards them to the inside of the network.

iptables -t nat -A POSTROUTING -d ! ${LOCALNET} -j SNAT --to ${EXTERNIP}
  • -t nat specifies that this rule's type is network address translation (NAT), aka IP masquerading
  • -A POSTROUTING appends a rule to the POSTROUTING chain, meaning it will be processed after all the other possible processing has been done
  • -d ! ${LOCALNET} means any packets destined for an IP not within ${LOCALNET}
  • -j SNAT means to jump to the SNAT rule
  • --to ${EXTERNIP} specifies that any packets leaving will assume the IP ${EXTERNIP}

All together in English, this rule says to take any packets not destined for sources within the internal network and send them out to their destination on the outside network after changing the source destination IP address to the firewall's IP.

Destination Network Address Translation (DNAT)

This rule does just the opposite. It takes SSH packets coming in from the Internet and sends them along to the head node.

iptables -t nat -A PREROUTING --dst ${EXTERNIP} -p tcp --dport 22 -j DNAT --to-destination ${SSHHOST}
  • -t nat specifies network address translation (NAT), aka IP masquerading
  • -A PREROUTING appends a rule to the PREROUTING chain, meaning that this will take affect before any rules have a chance to work on the packet
  • --dst ${EXTERNIP} specifies original the destination of the packet (to the firewall)
  • -p tcp specifies tcp as the protocol
  • --dport 22 specifies the destination port of the packet
  • -j DNAT means to jump to the rule DNAT to do the destination network address translation

In English, this means to take any packets addressed to the firewall that are TCP packets on port 22 (SSH), change their destination to the head node, and forward them on to the internal network. This could be changed to forward all tcp packets inside by removing --dport 22, but a firewall that forwards everything inside the internal network wouldn't be much of a firewall.

Starting and Stopping NAT

Since the local script has been symlinked into the /etc/rcS.d/ or /etc/rc2.d/ directory, it will automatically load at boot. To start and stop the script from the command line, use

/etc/init.d/local start


/etc/init.d/local stop

Since this script is responsible for allowing the nodes inside the firewall their Internet access, be advised that stopping this script will kill the Internet connection to any machines behind the firewall.


Personal tools

node images
web monitoring