Simple symmetric NAT Setup using IPTABLES

Asif
01-20-2006, 09:09 AM

Hello everyone, can anyone tell me how I could set up symmetric NAT
using IPTABLES?

I want to setup symmetric NAT as below:

[192.168.0.2]--------[192.168.0.1][172.25.25.41]-------[172.25.25.42]
[clientA] [Symmetric NAT Server for ClientA] [clientB]


I tried the script as below, but it assigns different ports even when
clientA sends message to the same recipient.

iptables -A PREROUTING -t nat -d 172.25.25.41 -i eth0 -j DNAT --to 192.168.0.2
iptables -A FORWARD -d 192.168.0.2 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -p udp -s 192.168.0.2 -o eth0 -j SNAT --to 172.25.25.41:7070-7074
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.2 -j SNAT --to 172.25.25.41

echo "1" > /proc/sys/net/ipv4/ip_forward


regards,

prg
01-20-2006, 01:36 PM

Asif wrote:
> Hello everyone, can anyone tell me how I could set up symmetric NAT
> using IPTABLES?
>
> I want to setup symmetric NAT as below:
>
> [192.168.0.2]--------[192.168.0.1][172.25.25.41]-------[172.25.25.42]
> [clientA] [Symmetric NAT Server for ClientA] [clientB]


Just what are you trying to accomplish? What protocol? Is there some
reason for not using an application gateway (eg., one not available)?

> I tried the script as below, but it assigns different ports even when
> clientA sends message to the same recipient.


Yup. That's the way the netfilter works. The same effect is seen when
using a range of IP addresses -- ie., each _packet_ would have a
different (+1) IP src from the previous packet.

> iptables -A PREROUTING -t nat -d 172.25.25.41 -i eth0 -j DNAT --to 192.168.0.2
> iptables -A FORWARD -d 192.168.0.2 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A POSTROUTING -t nat -p udp -s 192.168.0.2 -o eth0 -j SNAT --to 172.25.25.41:7070-7074
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.2 -j SNAT --to 172.25.25.41
>
> echo "1" > /proc/sys/net/ipv4/ip_forward


This is clearer than your previous post, but we still don't know just
what you're trying to do. The solution is usually _protocol_ specific
and often the easiest/best solution is an application gateway.

So let us know what application protocol you're wanting to NAT, why you
think "symmetric NAT" is the solution, and a better sense of the
routing _policy_context_ it must operate in.

IE., why NAT at all? Is this just an "internal lan" NAT? Is the NAT
taking place on a box with ethX=192.168.0.1 and ethY=172.25.25.41? Is
the NATing supposed to provide greater security or controlled
connectivity or what? Is there some reason that NATing on the
originating host will not work?

It might help also to _comment_ your iptables commands line-by-line so
we have a better idea of _why_ you think the above would/should work.
Chances are you will find that trying to do this in this way is _far_
too complex and error prone -- the _way_ that netfilter works
_internally_ is counter-intuitive in several contexts (like your
present efforts) and has places that can bite you really good.

increase our understanding,
prg

Asif
01-23-2006, 12:15 PM

Thanks prg, sorry for not providing this information in my previous
post.

Actually I am working on a SIP application. SIP has problems on NATed
networks. STUN is one of the solutions. I have embedded STUN client
functionality inside the SIP application. Now I have to test the
application. There are four scenarios of NATed network:

The following chart shows combinations of NATs at each endpoint with
the current NAT type definitions in STUN. The combinations are
classified into 4 groups: Class I, II, III and IV.

+----------+-----+-----+-----+-----+-----+
|\    EP-R |     |     |     |     |     |
| -------- |Open | F   | P   | PR  | SYM |
|EP-S    \ |     |     |     |     |     |
|----------+-----+-----+-----+-----+-----+
| Open     |     |                 |     |
|----------+     |                 |     |
| F        |     |                 |(III)|
|----------+( I )|      ( II )     |     |
| P        |     |                 |     |
|----------+     |                 +-----+
| PR       |     |                 |     |
|----------+     |           +-----+     |
| SYM      |     |           |   (IV)    |
+----------+-----+-----------+-----------+
Note:
EP-S: Sending endpoint.
EP-R: Receiving endpoint.
(In full-duplex, both EP-a and EP-b in Figure 3.1
will have both EP-S and EP-R)
Open: Open to public network (no NAT)
F : Full-cone NAT
R : Restricted-cone NAT
PR : Port restricted-cone NAT

For setting up a test environment, I decided to set it up as below:


           192.168.0.2
          +----------+
          | ClientA  |
          +----------+
               |
               |
         eth1  |                   eth0
  192.168.0.1  |           172.25.25.41
  +------------|--------------------------+
  |                NAT1                   |
  +-----------------------------------|---+
                                      |
                                      |
                                      |
  172.25.25.42                        |
  +---------------------------+       |
  |Proxy\Registrar,STUN Server|-------+
  +---------------------------+       |
                                      |
                                      |
         eth1                  eth0   |
     10.0.0.1            172.25.25.43 |
  +-----------------------------------|---+
  |                NAT2                   |
  +------------|--------------------------+
               |
               |
               |
               |  10.0.0.2
          +----------+
          | ClientB  |
          +----------+


172.25.25.X ---- LAN (External Network for client A and B)
192.168.0.X ---- Private Network 1 (Internal Network for Client A)
10.0.0.X ---- Private Network 2 (Internal Network for Client B)

ClientA and ClientB are SIP clients with STUN functionality embedded.

NAT1 and NAT2 are internal LAN NATs. I mean, for testing purposes, I have
used two machines with two network cards each.


Below is the configuration of NAT1 using iptables. Also, I am
configuring it for the UDP protocol, as the SIP application is using UDP for
both signaling and media streaming.

> iptables -A PREROUTING -t nat -d 172.25.25.41 -i eth0 -j DNAT --to 192.168.0.2

This tells NAT1 to change the destination of a packet received on
eth0 to ClientA's address whenever the destination is eth0 (172.25.25.41).

> iptables -A FORWARD -d 192.168.0.2 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

For forwarding the packets from eth1 and remembering their state.

> iptables -A POSTROUTING -t nat -p udp -s 192.168.0.2 -o eth0 -j SNAT --to 172.25.25.41:7070-7074

To change the source address of the packet to a pool of addresses
before routing to eth0. My intention was to make it symmetric.

> echo "1" > /proc/sys/net/ipv4/ip_forward

To turn ip_forward ON.



The above commands I used for making NAT1 symmetric. For making it
port restricted, I change the POSTROUTING command above and make it
like this:
> iptables -A POSTROUTING -t nat -p udp -s 192.168.0.2 -o eth0 -j SNAT --to 172.25.25.41:8080

Here NAT1 will change the source address of ClientA's packets to the same
address for routing. I am using it for testing purposes, so it will work
as long as only one client exists in Private Network 1.


For making NAT1 restricted, I change the above POSTROUTING command
and make it like this:
> iptables -A POSTROUTING -t nat -p udp -s 192.168.0.2 -o eth0 -j SNAT --to 172.25.25.41



For making it a FULL CONE NAT, I have to think about it.


So what I want is a test environment for my SIP application. I can't
use an application gateway, as only NAT will work here, because after
testing here I will try to test it in some real environment. I want
IPTABLES commands that can do the above task. Please suggest something
if you have a better option in mind, like if there is some
application that can set up NAT as mentioned above, or if I can test my
application on some public STUN and proxy servers on the Internet.
Also, if you think this can be performed by some utility on a
different OS like Windows, please suggest it to me.


regards,

Asif
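As an added illustration (not code from this thread), here is a small Python model of the four NAT behaviours in the chart above and a STUN-style classifier (RFC 3489 tests I, II and III) of the kind the poster is embedding in the SIP client, run against the test LAN above. The STUN server's second address 172.25.25.50 and the ports are constructed for the example, and the model describes the NAT types as defined, not netfilter's conntrack behaviour.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Model of one NAT type from the chart: full, restricted, port_restricted or symmetric."""
    kind: str
    public_ip: str
    next_port: int = 7070      # first port of the pool, like the poster's 7070-7074 SNAT range
    mappings: dict = field(default_factory=dict)   # key -> (public_ip, public_port)
    permits: set = field(default_factory=set)      # (public_port, remote_ip, remote_port)

    def _key(self, src, dst):
        # Symmetric: a mapping per (internal endpoint, destination); cone: per internal endpoint.
        return (src, dst) if self.kind == "symmetric" else src

    def outbound(self, src, dst):
        """Translate a packet from internal src=(ip, port) to dst; return the public endpoint."""
        key = self._key(src, dst)
        if key not in self.mappings:
            self.mappings[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        pub = self.mappings[key]
        self.permits.add((pub[1], dst[0], dst[1]))   # remember the peer this mapping talked to
        return pub

    def inbound(self, remote, public_port):
        """Deliver a packet from remote=(ip, port) to public_port; internal endpoint or None."""
        hit = [k for k, v in self.mappings.items() if v[1] == public_port]
        if not hit:
            return None                                     # no mapping: dropped
        internal = hit[0][0] if self.kind == "symmetric" else hit[0]
        if self.kind == "full":
            return internal                                 # anyone outside may send in
        if self.kind == "restricted":
            ok = any(p == public_port and ip == remote[0] for p, ip, _ in self.permits)
        else:                                               # port_restricted and symmetric
            ok = (public_port, remote[0], remote[1]) in self.permits
        return internal if ok else None

def classify(nat, client, stun_ip_a, stun_ip_b, port1=3478, port2=3479):
    """STUN-style classification (RFC 3489 tests I, II, III) of nat as seen from client."""
    m1 = nat.outbound(client, (stun_ip_a, port1))            # Test I: learn mapped address
    if nat.inbound((stun_ip_b, port2), m1[1]) == client:     # Test II: reply from other IP+port
        return "full"
    if nat.outbound(client, (stun_ip_b, port1)) != m1:       # Test I again, other server IP
        return "symmetric"
    if nat.inbound((stun_ip_a, port2), m1[1]) == client:     # Test III: same IP, other port
        return "restricted"
    return "port_restricted"
```

Running `classify(Nat(kind, "172.25.25.41"), ("192.168.0.2", 5060), "172.25.25.42", "172.25.25.50")` for each kind returns that kind back, which is the check a STUN client in ClientA would be expected to pass against a correctly configured NAT1.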