SNAT (Source Network Address Translation) and DNAT (Destination Network Address Translation) are the two main forms of Network Address Translation (NAT), and both play a key role in enabling communication between internal and external networks. The following is a detailed explanation of these two techniques and their main uses:
I. SNAT (Source Network Address Translation)
Definition: SNAT is a technique that replaces the source IP address of IP packets with a public IP address as they are sent from an internal network to an external network. This translation allows multiple devices on the internal network to share one or more public IP addresses when accessing the external network.
Working principle: When a device on the internal network sends a packet to the external network, the packet passes through a NAT device (such as a router or firewall), which replaces the packet's source IP address with the configured public IP address. As a result, all packets from the internal network appear to devices on the external network to come from the same public IP address.
Main applications:
- Address sharing: Allows multiple internal devices to share one or more public IP addresses to access the Internet, saving public IP resources.
- Load balancing: In a load balancing scenario, SNAT can replace the source IP address of an internal server with the IP address of the load balancer so that traffic can be distributed and balanced.
- Security: By hiding the real IP addresses of the internal network, SNAT enhances the security of the internal network and prevents direct external attacks on internal devices.
- Simplified network configuration: SNAT allows greater flexibility in address planning and simplifies the design and configuration of internal networks.
II. DNAT (Destination Network Address Translation)
Definition: DNAT is a technique that replaces the destination IP address of IP packets with an IP address in the internal network as they are sent from the external network to the internal network. This translation allows devices on the external network to reach specific devices or services in the internal network through public IP addresses.
Working Principle: When a packet from the external network arrives at the NAT device, the NAT device checks the destination IP address and port number of the packet and replaces it with the corresponding IP address and port number in the internal network according to the configured DNAT rules. The packet is then forwarded to the specified device in the internal network.
Main applications:
- Port mapping: Maps a public IP address and port number on the external network to a private IP address and port number on the internal network, enabling remote access, web hosting, and similar functions.
- Load balancing: When distributing external traffic to multiple internal servers, DNAT can forward traffic to different servers according to the load balancing policy.
- Security: By hiding the real IP addresses and port numbers of the internal network, DNAT enhances the security of the internal network to a certain extent.
III. Example Scenario
- Internal network: 192.168.1.0/24
- External network: the Internet, with a public IP of 1.2.3.4 obtained from an ISP.
- Internal server IP: 192.168.1.100, which should provide services externally (e.g. web services)
- NAT server/firewall IP: 192.168.1.1 on the internal interface, 1.2.3.4 on the external interface
3.1 Adding SNAT Rules
To allow hosts on the internal network to reach the Internet, we first need to rewrite the source address of packets leaving 192.168.1.0/24 through the external interface to the public IP of the NAT server (1.2.3.4). Note that both the SNAT rule and the DNAT rule that follows only take effect if the NAT server forwards packets between its interfaces (net.ipv4.ip_forward = 1) and its FORWARD chain accepts the traffic.
```bash
# Add SNAT rule
# Change the source address of packets from 192.168.1.0/24 to 1.2.3.4
# Assuming the outgoing interface is eth0 (the interface to the external network);
# replace it with the actual name of your external interface if it differs
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 1.2.3.4
```
3.2 Adding DNAT Rules
Allowing external access to the internal server requires that packets arriving on a specific port (e.g., port 80 for HTTP) of the NAT server's public IP (1.2.3.4) be forwarded to the corresponding port on the internal server.
```bash
# Add DNAT rule
# For packets whose destination address is 1.2.3.4 and destination port is 80,
# change the destination address to 192.168.1.100 (port 80)
iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:80
```
Explanation of the options in the DNAT rule:
- -A PREROUTING: Add the rule to the PREROUTING chain. The PREROUTING chain processes packets coming into the machine before routing decisions are made, so every packet entering the machine is first matched against the rules in this chain.
- -d 1.2.3.4: Match packets whose destination IP address is 1.2.3.4. The rule only takes effect when the packet's destination address is 1.2.3.4.
- -p tcp: Match only the TCP protocol; packets of other protocols are not affected by this rule.
- --dport 80: Match a destination port of 80, so only TCP packets with destination port 80 are matched.
- -j DNAT: The action performed on matching packets is DNAT (Destination Network Address Translation), which rewrites the destination address and/or port number of the packet to other values.
- --to-destination 192.168.1.100:80
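As an added example (not part of the original article), the following Python model shows what the NAT device does with the two rules above, including the reverse translation of reply packets that connection tracking performs and that the rules themselves never state. The internal client 192.168.1.20, the external addresses 203.0.113.10 and 198.51.100.7, and all port numbers are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

PUBLIC_IP = "1.2.3.4"                                    # --to-source 1.2.3.4
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")    # -s 192.168.1.0/24
WEB_SERVER = ("192.168.1.100", 80)                       # --to-destination

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatDevice:
    """Stateful NAT box applying the scenario's SNAT and DNAT rules."""
    def __init__(self):
        # SNAT state: (remote_ip, remote_port, nat_port) -> (internal_ip, internal_port)
        self.snat = {}
        # DNAT state: (internal_ip, port, remote_ip, remote_port) -> (public_ip, port)
        self.dnat = {}

    def outbound(self, pkt):
        """Packet leaving via eth0: un-DNAT a reply, otherwise apply SNAT."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.dnat:                       # reply from 192.168.1.100:80
            pub_ip, pub_port = self.dnat[key]
            return Packet(pub_ip, pub_port, pkt.dst, pkt.dport)
        if ipaddress.ip_address(pkt.src) in INTERNAL_NET:   # -j SNAT
            nat_port = pkt.sport                   # keep the port unless it clashes
            while self.snat.get((pkt.dst, pkt.dport, nat_port), key[:2]) != key[:2]:
                nat_port += 1                      # another internal host owns it
            self.snat[(pkt.dst, pkt.dport, nat_port)] = key[:2]
            return Packet(PUBLIC_IP, nat_port, pkt.dst, pkt.dport)
        return pkt

    def inbound(self, pkt):
        """Packet arriving on eth0: un-SNAT a reply, otherwise apply DNAT."""
        key = (pkt.src, pkt.sport, pkt.dport)
        if pkt.dst == PUBLIC_IP and key in self.snat:     # reply to an SNAT'd flow
            int_ip, int_port = self.snat[key]
            return Packet(pkt.src, pkt.sport, int_ip, int_port)
        if (pkt.dst, pkt.dport) == (PUBLIC_IP, 80):       # -d 1.2.3.4 --dport 80 -j DNAT
            int_ip, int_port = WEB_SERVER
            self.dnat[(int_ip, int_port, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
            return Packet(pkt.src, pkt.sport, int_ip, int_port)
        return None                                # no state and no rule: not forwarded
```

Feeding an outbound connection and its reply through outbound() and inbound() shows the source rewritten to 1.2.3.4 and the reply delivered back to the original internal host; an inbound hit on 1.2.3.4:80 lands on 192.168.1.100 and its reply leaves with 1.2.3.4 as source, while unsolicited traffic to any other port is not forwarded.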