Begin Linux Blog

Linux Distro Releases and News

Archive for January, 2009

Understanding Network Address Translation, NAT

Posted by beginlinux on January 31, 2009

Network Address Translation (NAT) is one of the basic functions of a circuit level gateway. The simple purpose of NAT is to hide the IP addresses of a private network from the outside world.

Normally, when a router forwards a packet from one segment to another, the packet is unchanged. With NAT, as a packet crosses from a trusted segment of a circuit level gateway to an untrusted segment, the packet is rewritten so that the packet’s source address as it appears on the private segment is replaced by a translated source address. The translated source address is what the outside world sees. Thus, the private address remains hidden from the outside world.
[image: nat1]

When a host on a public network transmits a packet to a host on the private network, the source host addresses the packet to the private host’s publicly translated address. The sender on the public side does not know the destination host’s true address. As the packet crosses the circuit level gateway, the gateway rewrites the packet so that the destination address is translated to the destination host’s private address.

[image: nat2]

This image illustrates the changes in source and destination addresses as packets cross a circuit level gateway performing network address translation.

[image: nat3]

One to One Translation
One form of NAT establishes a one to one translation between an equal number of private and public host addresses. For example, each host address on a Class C network on the private side of a circuit level gateway is uniquely mapped to a corresponding host address on a Class C network on the public side of the gateway. If 10.1.1.0/24 is the private network address and 172.19.19.0/24 is the public network address, then outbound packets with a source address of 10.1.1.5 can always be rewritten with a translated source address of 172.19.19.5, and inbound packets with a destination address of 172.19.19.5 can be rewritten with a translated destination address of 10.1.1.5. The mapping is persistent and bi-directional. Therefore, connections may be initiated from either side of the circuit level gateway unless a default deny policy is applied.

Pool of Translated Addresses
One form of NAT maps a large block of addresses from the private network to a small pool of addresses on the public segment. Multiple Class A addresses may be mapped to part of a Class C network block. If 10.0.0.0/4 is the private segment’s network address and 172.19.19.0/28 is the public pool of addresses, then an outbound packet with a source address of 10.1.1.5 may be rewritten to have a translated source address of any host address in the pool of 172.19.19.0/28. The NAT gateway will then create a temporary entry in its internal translation table to track the mapping. An inbound packet’s destination address cannot be translated unless a corresponding entry exists in the NAT table. If a current translation exists in the NAT table, the inbound packet’s destination address will be rewritten in accordance with the NAT table entry. The mapping is not persistent and is only temporarily bi-directional. An inbound connection may be accepted only until the NAT table entry expires.

Single Translated Addresses
The form of NAT commonly (but not exclusively) used in commercial circuit level gateways maps any number of addresses from the private network to a single address on the public segment. Given a private segment with the network address 10.0.0.0/8 and a NAT policy that sets 172.19.19.130 as the public address, all outbound packets from the private network will be rewritten to have a translated source address of 172.19.19.130. To correctly map replies to the private host that initiated the connection, the source port number of the outbound packet must also be translated. The NAT gateway will then create a temporary entry in its internal translation table to track the translated source address and port number. An inbound packet’s destination address and port number cannot be translated unless a corresponding entry exists in the NAT table. If a current translation exists in the NAT table, the inbound packet’s destination address and port number will be rewritten in accordance with the NAT table entry. The mapping is not persistent and is only temporarily bi-directional. An inbound connection may be accepted only until the NAT table entry expires.

This image illustrates the changes in IP addresses and port numbers as packets cross a circuit level gateway performing network address and port translation.

nat Chains
netfilter implements network address translation in the nat table. This pre-defined table consists of three built-in chains, the PREROUTING, OUTPUT and POSTROUTING chains. Rules in the PREROUTING chain apply to inbound packets (packets arriving at the gateway from any direction). Rules in the OUTPUT chain apply to locally generated packets (packets that are generated on the gateway itself). Rules in the POSTROUTING chain apply to outbound packets (packets leaving the gateway in any direction).

nat Targets
The nat table includes the built-in targets MASQUERADE, SNAT, DNAT, NETMAP and REDIRECT.

The MASQUERADE target is available in the POSTROUTING chain. MASQUERADE is intended to be used where a firewall’s public side IP address is dynamically assigned, such as where an ISP assigns IP addresses by DHCP. MASQUERADE translates all private network addresses to the single address of the external interface as illustrated, performing port translation as needed and rewriting the destination address and port of replies as needed. When the firewall’s external IP address is released or changed, all translations are dropped.

The SNAT target is available in the POSTROUTING chain. SNAT may be used on a firewall with statically assigned IP addresses. SNAT provides outbound (more trusted to less trusted) network address translation to a pool of public side addresses such that the source address of each outbound packet is translated to an address from the pool, with port translation being performed as needed and the destination address and port of replies being rewritten as needed.

SNAT can use a single public side address as an alternative to a pool of addresses, making SNAT comparable to MASQUERADE. However, SNAT should not be used with dynamically assigned public addresses.

Conversely to SNAT, the DNAT target is available in the PREROUTING and OUTPUT chains and provides inbound (less trusted to more trusted) network address translation. When a connection is initiated from a less trusted network, the destination address is the address of the firewall interface that faces the originating network. DNAT translates the destination address to the address of a host on a more trusted segment. Optionally, the destination port may also be translated. The source address and port of replies from the more trusted segment will be rewritten as needed.

DNAT can use a pool of destination addresses and ports, providing a simple circuit level method of performing load balancing across a number of hosts such as a farm of web servers.

The NETMAP target provides static one to one translation between two network blocks of equal size.

The REDIRECT target is available in the PREROUTING and OUTPUT chains. REDIRECT translates the destination IP address of each packet arriving on any interface to the IP address of the interface on which the packet arrived. For example, REDIRECT will translate the destination address of any packet arriving at eth2. Optionally, the destination port may also be translated. Among other uses, REDIRECT facilitates use of transparent proxies whereby client software such as web browsers may be automatically redirected through the firewall to a proxy server without reconfiguration on the client side.
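The single-address (port-translating) form of NAT from the earlier section and the nat targets just described, as an added example that is not the post's own code: a POSIX shell script whose nat_rules function prints an iptables nat-table ruleset using MASQUERADE or SNAT for outbound traffic, DNAT, NETMAP and REDIRECT for inbound traffic, followed by a default-deny FORWARD policy so that a nat mapping by itself never admits an inbound connection. The interface names (eth0, eth1), the web server and proxy values, the 172.19.19.1-172.19.19.14 pool and the 172.19.20.0/24 NETMAP block are assumed values chosen to fit the post's address blocks.

```shell
#!/bin/sh
# Added example, not code from the original post. nat_rules prints an iptables
# ruleset that exercises each nat-table target the post describes, plus a
# default-deny FORWARD policy so that inbound connections reach a private host
# only through an explicit DNAT rule. Every interface name and address below is
# an assumed value chosen to fit the post's 10.0.0.0/8 and 172.19.19.0/24 blocks.

EXT_IF="${EXT_IF:-eth0}"                            # untrusted (public) interface
INT_IF="${INT_IF:-eth1}"                            # trusted (private) interface
PRIV_NET="${PRIV_NET:-10.0.0.0/8}"                  # private segment
SNAT_POOL="${SNAT_POOL:-172.19.19.1-172.19.19.14}"  # static public pool (172.19.19.0/28)
WEB_PUBLIC="${WEB_PUBLIC:-172.19.19.130}"           # public address fronting the web server
WEB_HOST="${WEB_HOST:-10.1.1.10}"                   # private web server reached via DNAT
PROXY_PORT="${PROXY_PORT:-3128}"                    # transparent proxy listening on the gateway
MAP_PRIV="${MAP_PRIV:-10.1.1.0/24}"                 # one-to-one (NETMAP) private block
MAP_PUB="${MAP_PUB:-172.19.20.0/24}"                # one-to-one (NETMAP) public block

# nat_rules MODE: print the commands, one per line. MODE is "masq" when the
# public address comes from DHCP and "snat" when it is statically assigned.
nat_rules() {
    case "$1" in
        masq) outbound="-j MASQUERADE" ;;
        snat) outbound="-j SNAT --to-source $SNAT_POOL" ;;
        *) echo "usage: nat_rules masq|snat" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -t nat -F
# Inbound: the specific DNAT rule must precede the NETMAP block rule.
iptables -t nat -A PREROUTING -i $EXT_IF -d $WEB_PUBLIC -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
iptables -t nat -A PREROUTING -i $EXT_IF -d $MAP_PUB -j NETMAP --to $MAP_PRIV
# Transparent proxy: private web traffic is redirected to the gateway's own proxy port.
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
# Outbound: the one-to-one NETMAP block must precede the catch-all $PRIV_NET rule.
iptables -t nat -A POSTROUTING -o $EXT_IF -s $MAP_PRIV -j NETMAP --to $MAP_PUB
iptables -t nat -A POSTROUTING -o $EXT_IF -s $PRIV_NET $outbound
# Default deny: nat mappings (even the bidirectional NETMAP one) do not admit
# inbound connections unless the filter table accepts them explicitly.
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $PRIV_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $WEB_HOST -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# apply_nat_rules MODE: install the rules. Requires root and a netfilter kernel.
apply_nat_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_nat_rules: run as root" >&2; return 1; }
    nat_rules "$1" >/dev/null || return 1
    nat_rules "$1" | sh -e
}

# Usage: sh nat-example.sh [masq|snat] prints the rules; --apply [masq|snat] installs them.
if [ "${1:-}" = "--apply" ]; then
    apply_nat_rules "${2:-masq}"
else
    nat_rules "${1:-masq}"
fi
```

Rule order inside a chain matters: netfilter uses the first matching rule, so the specific DNAT and NETMAP rules are listed before the catch-all rules for the whole private block. The FORWARD rules are the "default deny policy" the post mentions; without them the NETMAP mapping alone would let the public side initiate connections to the mapped private hosts.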

Posted in Server Admin

Wireless Basics Finding Answers

Posted by beginlinux on January 25, 2009

As a Linux user, the best way to begin solving your wireless problems is to develop a basic understanding of how wireless fits into networking and to understand the terminology that describes wireless. These links also provide a number of examples of how to set up wireless on Ubuntu 8.10, Fedora 10 and Damn Small Linux. Those examples cover just about all of the different options that you will see for wireless.

Here are a number of links that take you through the process of understanding how Linux Wireless can be set up and configured on several different Linux distros.

Helpful Wireless Links

Understanding Wireless

Network Relationship

Network Connections

Wireless Security

Wireless Router

Wireless Channels

Wireless Range

Fedora 10 Wireless

Ubuntu Wireless

Damn Small Linux Wireless

Wireless Tools

WiFi Radar

iwconfig

iwlist

Posted in Uncategorized

Create an Automatic Backup When You Logout

Posted by beginlinux on January 17, 2009

Customize the User Environment

The environment is comprised of a series of settings that provide a look and feel that the user is comfortable with or that the corporation deems necessary to create a productive work setting. Bash provides systematic ways to set up an environment that will meet your needs and help you function more effectively. One of those settings should be some kind of automatic backup when you log out for the day.

There are three files that are read when a user logs in and out. These files are typically in the user's home directory by default when using the bash shell. The files are hidden files, so they are preceded by a “.” and may be viewed by using the command:

ls -la

The files are .bash_profile, .bash_logout, and .bashrc. If these three files do not exist in your home directory they can be created by using a text editor like vi.

You may also see .bash_history which keeps a list of the commands that the user has executed.

Any changes you make to this script must be saved, and then you must log out and log in again. Alternatively, the source command runs all of the commands in the script in the current shell:

source .bash_profile

There is a catch: bash also accepts two alternative files in place of .bash_profile, namely .bash_login and .profile. If one of these exists and .bash_profile does not, that file is run; but if .bash_profile exists, it is the one that runs.

The .bash_profile is read by the system, and any commands in it are executed only when a user logs into the system, not when a user starts a new shell. When the user starts a new shell, the .bashrc file is read. This setup allows the user to separate the commands needed at login from those that may be important when starting a subshell.

The .bash_logout provides a way to execute commands when the user logs out of the system. One useful application is for an administrator to place commands in a user's .bash_logout that kill all of the user's applications at logout, in case an application was not closed correctly or has hung.

Here is an example of a simple command that copies all OpenOffice Writer files to a USB device in a directory called MyDocs when the user logs out.

Create a file named .bash_logout in the user's home directory if it has not been created already. In that file, put this command on a line of its own and save the file:

cp Documents/*.odt /media/usb/MyDocs

Note the case of the names, and that since the command is issued from the user's home directory, the path is simply the Documents directory. Of course, this command requires the user to save all the Writer files they want copied into the Documents directory, or they will not be copied. You will also need a directory called MyDocs on the USB device.

Logout Script
This script will rsync the root user’s home directory to a local backup.

Open .bash_logout or create it with vi .bash_logout in the root user’s home directory. Create a backup directory with:

mkdir /bk/root_bk

Of course this location should be on a separate drive and you will need permissions to access that drive. It could be a USB drive that is mounted as /bk.
Enter this line of code in the .bash_logout:

rsync -avz --exclude='*.rpm' /root/ /bk/root_bk
chmod -R 700 /bk/root_bk

Test the script by logging out and then logging in again.

Simple script but you get the idea. Placing an automatic backup in that logout script will be worth gold if you have problems with your drive.
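The logout backup described above, as an added example that is not the post's own script: a POSIX shell function that refuses to copy unless the destination exists, is writable and sits on a different filesystem from the source (so an unmounted /bk does not silently fill the root disk), excludes the *.rpm files as the post does, and strips group and other permissions from the copy. The /root and /bk/root_bk paths are the post's; the script file name and the REQUIRE_SEPARATE_FS switch are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own script: a logout backup that only runs when
# the destination is really usable and lives on another filesystem, excludes
# *.rpm, and leaves the copy readable by its owner alone.
# /root and /bk/root_bk come from the post; everything else here is assumed.

# backup_on_logout SRC DST
# Returns 0 on success, 1 if SRC or DST is unusable, 2 if DST is on the same
# filesystem as SRC (set REQUIRE_SEPARATE_FS=0 to allow that, e.g. for testing).
backup_on_logout() {
    src="$1"; dst="$2"
    [ -d "$src" ] || { echo "backup: source $src is not a directory" >&2; return 1; }
    if [ ! -d "$dst" ] || [ ! -w "$dst" ]; then
        echo "backup: $dst is not a writable directory; is the drive mounted?" >&2
        return 1
    fi
    if [ "${REQUIRE_SEPARATE_FS:-1}" = 1 ]; then
        # df -P prints one line per filesystem; column 1 is the device.
        src_fs=$(df -P "$src" | awk 'NR==2 {print $1}')
        dst_fs=$(df -P "$dst" | awk 'NR==2 {print $1}')
        if [ "$src_fs" = "$dst_fs" ]; then
            echo "backup: $dst is on the same filesystem as $src; refusing" >&2
            return 2
        fi
    fi
    if command -v rsync >/dev/null 2>&1; then
        # Mirror the tree; -z only wastes CPU on a local copy, so it is dropped.
        rsync -a --exclude='*.rpm' "$src/" "$dst/" || return 1
    else
        # Fallback without rsync: plain recursive copy (no exclusion).
        cp -pR "$src/." "$dst/" || return 1
    fi
    # A copy of root's home on removable media should not be readable by others.
    chmod -R go-rwx "$dst"
}

# Save this file as /root/logout-backup.sh and put this line in /root/.bash_logout:
#   sh /root/logout-backup.sh /root /bk/root_bk
if [ $# -eq 2 ]; then
    backup_on_logout "$1" "$2"
fi
```

Running the check before the copy matters more than it looks: if the USB drive is not mounted, /bk/root_bk is just a directory on the root filesystem, and a plain rsync would happily duplicate root's home onto the very disk the backup is meant to protect against.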

Posted in Desktop User

Wanted: A Career as a Linux Admin

Posted by beginlinux on January 12, 2009

Here is a unique Linux Career Opportunity. We are currently looking for 1-3 people interested in developing into Linux Admins/Trainers. Our interest is in people we can train and develop over a 60 week course. What is unique about this course is that you will work for us while you are training. This will offset the cost of the course by as much as 50%. The course is $400 a month for the 15 months, but up to $200 each month will be provided by your work, writing for us. This means that you can get the course for half-price if you can keep up with the work load.
This course is put on by CyberMontana Inc. which trains as many as 75 students each week. We have a number of Linux training sites and business options.

What we are looking for:

1. Self-Motivated Individual

We are looking for someone who can get assignments done on their own. They can do research, problem solving and create documentation without needing someone’s help.

2. Ability to Write

Individuals who are interested must be willing and able to write clearly and be able to express themselves in English so that others can understand.

3. Tenacious

Problems are hard to solve at times. We need people who will aggressively pursue the problem solution until they can arrive at a solution. We are not interested in quitters.

4. Ability to Train with Patience

People are not easy to work with at times. We need trainers who will be patient and diligent despite difficulties with students.

5. Innovation

We are looking for people who have new ideas and new ways of working with technology. The Internet and Linux specifically is rapidly changing.

Outline of the Course
Stage 1: Basic Training (20 weeks)

The Basic Training Section will include 10 weeks of Server Administration and 10 weeks of LPI Certification Training. The goal of this section will be not only to test your desire to learn difficult information but to provide you with the information to get LPI Certified, Linux+ Certified or RHCT.

Stage 2: Distro Expert (20 weeks)

The second 20 weeks will focus on helping you become an expert in one Linux distribution. During this time you will be required to write extensively and set up a test lab in order to focus on skills with one distribution. This will be foundational for your future as an Admin/Trainer.


Stage 3: Project Documentation (20 weeks)

You will be assigned projects to document and provide solutions. During this section you may be assigned jobs with clients or act as a trainer in specific situations. This will all be done under supervision.

The ultimate goal is to not only provide you with the training and certifications that will get you into a Linux Career but also work toward providing you with a job.

If this looks like something you are interested in please send a 500 word example of your writing skills on a Linux topic and a resume to:

mike at beginlinux.com

This opportunity will be open to several individuals each quarter; you will have to apply to see if we have current openings.

Posted in Server Admin

Logwatch Fix on Ubuntu 8.10

Posted by beginlinux on January 9, 2009

Logwatch Error
Logwatch is a program that parses your logs and sends you an email every day about what has taken place on your server; a very friendly program.

Installation is simple:
apt-get install logwatch

Edit the config file in /usr/share/logwatch/default.conf/logwatch.conf

Basically all you have to do is change the:

mailto = your_email_address

With Ubuntu I kept getting this error. Though I checked, I could not find a solution, so, as it looked like it was missing a location, /var/cache/logwatch, I created one and it worked perfectly.

# logwatch
/var/cache/logwatch No such file or directory at /usr/sbin/logwatch line 632.

sudo mkdir /var/cache/logwatch

Now run the program as root with:

logwatch

or run in debug mode to get more information.

logwatch --debug 6

That will provide a lot of info.

Posted in Server Admin