The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
Network Address Translation (NAT) assigns a public address to a computer or a group of computers inside a private network with a different address scheme. The public IP address masquerades all requests as going to one server rather than several servers. NAT is useful for limiting the number of public IP addresses that an organization must finance, and for providing extra security by hiding the details of internal networks.
The netfilter kernel subsystem provides the
nat table to implement NAT in addition to its
tables for packet filtering. The kernel consults the
nat table whenever it handles a packet that
creates a new incoming or outgoing connection.
If your want a system to be able to route packets between two of its network interfaces, you must turn on IP forwarding:
# echo 1 > /proc/sys/net/ipv4/ip_forwardThe NAT table includes the following built-in rule chains:
-
PREROUTING Handles packets arriving from external networks.
-
OUTPUT Handles packets generated on the host system before sending them externally.
-
POSTROUTING Handles packets arriving from local systems before sending them externally.
The NAT table has the following targets that can be used with the rule chains:
-
DNAT Alters the destination IP address and port of an incoming packet to route it to a different host.
-
SNAT Alters the source IP address and port on an outgoing packet so that it appears to come from a different host.
-
MASQUERADE Masks the private IP address of a node with the external IP address of the firewall or gateway router.
The following example specifies that NAT should use the
PREROUTING chain to forward incoming HTTP
requests on the eth0 interface to port 8080 of
the dedicated HTTP server 192.168.1.100. The rule changes the
destination address and port of the packet.
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80\-j DNAT --to 192.168.1.100:8080
The following example allows nodes on the LAN with private IP addresses to communicate with external public networks:
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
This rule makes requests from internal systems appear to originate
from the IP address of the firewall’s external interface
(eth1).
You can also use the Firewall Configuration GUI (system-config-firewall) to configure simple masquerading and port forwarding.
For more information, see the iptables(8)
manual page.