Page archived courtesy of the Geocities Archive Project https://www.geocitiesarchive.org
Please help us spread the word by liking or sharing the Facebook link below :-)


NAT.


Introduction

NAT means Network Address Translation. The basic funcionality is to reconvert the internal IP address in a network to a public pool of address. This feature allows that many hosts can access resources in Internet when a limited range of address are allowed to do that.

The efect of NAT is that the internal address are hidden to the Internet hosts, only the public address can be known. This is an interesting security feature, so you hide your internals IPs.

When the address pool is exhausted, if you have more internal hosts than different public address, NAT began to translate also the ports, so it must to mantain some tables to relation the internal IP and ports with the external IP and ports.

In the limit, when you only have one public address, all the conections are handle making ports reservations, and mantaining state of each comunication in the NAT machine. This last configuration is ussually called IP masquerade. When you connect to Internet via an ISP, it assigns you an unique IP address, and if you need to use several systems with the same connection, the logical choice is to use NAT or proxy servers.

There are several papers about NAT. The RFC1631 is the basic guide is you like to get a deeper knowledge about this technology.

The motivation to develop NAT is to share a common Internet connection with several machines at home. You can start ppp or slip in one interface, and the different machines in your network can be used for browsing, mail, ftp, all in the same connection.

NAT present some advantages over a direct connection to Internet, so it is a step more if someone tries to break to your systems, but it is far to be a firewall. Be carefull about security issues if you decide to implement it in a production environment. The primary goal for me developing NAT was learning.

Return to Home


Implementation

I prepared a set of patchs to the inet code, that handle NAT using one of the interfaces. This code works ONLY under Minix 2.0.2 to 2.0.4 in the 32 bit version and in Minix-VMD 1.7.0. This code does not work in Minix 16 Bits, or in previous Minix 32 versions.

The NAT code is implemented in a separate file ip_nat.c and some small modifications in ip_ioctl.c, ip_read.c, inet.c and Makefile to chain the code with inet.

Once installed the code, the natcfg command lets you control the NAT interface, enabling or disabling, it, per protocol, configuring which interface is the public or NAT, and getting status information about connections.You also can configure static mapping, so external nodes can access services in your internal network, like web servers and SMTP servers.

The Minix machine with NAT can be the routing machine for any other kind of operating system. You only need to be carefull with the configuration of the systems.

Return to Home


Configuration

After installing the files, you need to recompile the entire kernel, and boot it. After boot, the NAT code is ready, but you need to configure it for usage. 

The configuration is simple. First you need to define the IPs of the interfaces you have with ifconfig, and decide which one will be the public or NAT interface. The interface selected can not be the default. You can use NAT in a standalone machine, that only connects to Internet, but it is usefull only for security, so anyone can login in your machine because the NAT code is in the middle.

natcfg is used for the configuration. It declares into the nat code the interface as public, and makes the translation. If the interface is not configured with an IP, natcfg prints an error and end. Also it is checked that you are not trying to configure the default interface.

natcfg also allows you to have status information about NAT. It prints the table mapping, with the static and dynamic entries, and some counters about statistics that the ip_nat code saves. 

After configuring the interface for NAT, you need to define the routes for each interface, so inet code can route the packets properly. For example, you need to define a route to your internal network, and also a default route to the NAT interface for any host in internet.

The most sensible configuration is the routing table. If you misconfigure it, the packets can not be delivered and NAT will not work. Or you can bypass the NAT code using a wrong routing. You need to have an exact idea about how your configuration will be, define which routes you need, and configure them. Remember that the inet code follows the routes in the order you add them, and also checks the metric to decide which route will be tested first. Under Minix 2.0.2 the routes can not be deleted, so any mistake forces you to reboot and start again. You can get here some examples of configuration, and also some tips

natcfg lets you to add static mappings to NAT. If you allows some services to be accesed from outside, like WEB or SMTP, you can configure them. Simply you need to configure the protocol (tcp or udp), the internal IP, internal port, and public port in the NAT interface. The NAT code will translate any input packet in the NAT interface directed to the public port, to the internal IP and port declared, and route the packet using the internal routing tables.

I prepared some examples that you can check and modify to your specific configuration.

A final definition is about DNS. The DNS queries can be done directly from internal hosts to an external DNS, but each connection will use an entry in the mapping table, and create some overhead. A better aproach is to run nonamed in some internal machine, or the NAT machine, and all the DNS queries can point to it. If a query is not resolved, only this machine access the external DNS, using only one entry in the mapping table.

Return to Home


Download

You can download nat patchs version 0.4.1 from here . Read carefully the instructions in this page, and the examples before trying to configure your network. I recomend you to have a printed version of the commands man pages as a quick reference. 

Return to Home


The page's WebCounter count says that you are visitor number since

April 2000.


Copyright - Claudio Tantignone.

Last Modification: Sep 10, 2005.

1