setting up symmetric NAT

Hello everyone, i want to setup Symmetric NAT using IPTABLES as shown
below


-----------------
------------------------------------
-----------------------

192.168.0.2----------------------192.168.0.1|172.25.25.4------------------------172.25.25.0/255

-----------------
------------------------------------
-----------------------
ClientA PC with two network cards
Different PC's on LAN
on which NAT for client A
that can act as client B
is to be setup

can anyone tell me the commands that can setup NAT as above.

regards,

Asif

(E-Mail Removed) wrote:
> Hello everyone, i want to setup Symmetric NAT using IPTABLES as shown
> below
>
>
> -----------------
> ------------------------------------
> -----------------------
>
> 192.168.0.2----------------------192.168.0.1|172.25.25.4------------------------172.25.25.0/255
>
> -----------------
> ------------------------------------
> -----------------------
> ClientA PC with two network cards
> Different PC's on LAN
> on which NAT for client A
> that can act as client B
> is to be setup
>
> can anyone tell me the commands that can setup NAT as above.

honestly, i cannot see any schema behind the clutter above, please
remember we all have different mail clients and settings.

However, symmetric NAT is an interesting issue, do you have a real usecase?

Eric

Actually I am working on SIP application. SIP has the problem on NATes
networks. STUN is one of the solutions. I have embedded STUN client
functionality inside SIP application. Now i have to test the
application. There are four scenerios of NATed network:

The following chart shows combinations of NATs at each endpoint with
the current NAT type definitions in STUN. The combinations are
classified into 4 groups: Class I, II, III and IV.

+----------+-----+-----+-----+-----+-----+
|\ EP-R| | | | | |
| -------- |Open | F | P | PR | SYM |
|EP-S \| | | | | |
|----------+-----+-----+-----+-----+-----+
| Open | | | |
|----------+ | | |
| F | | |(III)|
|----------+( I )| ( II ) | |
| P | | | |
|----------+ | +-----+
| PR | | | |
|----------+ | +-----+ |
| SYM | | | (IV) |
+----------+-----------------+-----------+
Note:
EP-S: Sending endpoint.
EP-R: Receiving endpoint.
(In full-duplex, both EP-a and EP-b in Figure 3.1
will have both EP-S and EP-R)
Open: Open to public network (no NAT)
F : Full-cone NAT
R : Restricted-cone NAT
PR : Port restricted-cone NAT

For setting up a test environment, I decided to setup as below:

192.168.0.2
+----------+
| ClientA |
+----------+
|
|
| eth1 eth0
| 192.168.0.1 | 172.25.25.41
+-------------|-------------+
| NAT1 |
+-------------|-------------+
|
|
|
172.25.25.42 |
+---------------------------+
|Proxy\Registrar,STUN Server|
+---------------------------+
|
|
eth1 eth0 |
10.0.0.1 |172.25.25.43 |
+-------------|-------------+
| NAT2 |
+-------------|-------------+
|
|
|
| 10.0.0.2
+----------+
| ClientB |
+----------+

172.25.25.X ---- LAN (External Network for client A and B)
192.168.0.X ---- Private Network 1 (Internal Network for Client A)
10.0.0.X ---- Private Network 2 (Internal Network for Client B)

ClientA and ClientB are sip clients with STUN functionality embedded.

NAT1 and NAT2 are internal LAN NAT. I mean for testing purpose, i have
used two machines with two network cards.

below is the configuration of NAT1 using iptables. Also I am
configuring it for UDP protocol as SIP application is using UDP for
both signaling and media streaming.

> iptables -A PREROUTING -t nat -d 172.25.25.41 -i eth0 -j DNAT --to 192.168.0.2

This tells NAT1 to change the destination of the packet recieved on
eth0 to clientA address whenever the destination is eth0 (172.25.25.41)

> iptables -A FORWARD -d 192.168.0.2 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

For forwarding the packets from eth1 and to remember its state

> iptables -A POSTROUTING -t nat -p udp -s 192.168.0.2 -o eth0 -j SNAT --to 172.25.25.41:7070-7074

to change the source address of the packet to a pool of address
before routing to eth0. My intention was to make it symmetric.

> echo "1" > /proc/sys/net/ipv4/ip_forward

to set the ip_forward table ON

The above commands I used for making NAT1 symmetric, For making it
port restricted, I change the POSTROUTING command above and make it
like this:
> iptables -A POSTROUTING -t nat -p udp -s 192.168.0.2 -o eth0 -j SNAT --to 172.25.25.41:8080

Here NAT1 will change the source address of ClientA packets to same
address for routing. I am using it for testing purpose so it will work
as long as only one client exists in Private Network 1.

For making NAT1 restricted, I change the above POSTROUTING command
and make it like this:

> iptables -A POSTROUTING -t nat -p udp -s 192.168.0.2 -o eth0 -j SNAT --to 172.25.25.41

For making it FULL CONE NAT, i have to think about it.

So what I want is a test environment for my SIP application. I can't
use application Gateway, as only NAT will work here because after
testing here, i will try to test it on some real environment. I wants
IPTABLE commands that can do the above task. Please suggest some thing
if you have some better option in your mind. Like If there is some
application that can setup NAT as mentioned above or if I can test my
application on some public STUN and proxy servers on the Internet.
ALso, if you think this can be performed by some utility on some
different OS like Windows, pleass suggest me.

regards,

Asif