7.3.2. Source Address Translation

Using NAT to translate private IP addresses to public ones (and back again for the replies) is often called "masquerading". When configured this way, the firewall rewrites the source IP address of each packet that internal machines send to the Internet, replacing the private address with the address of its external interface, so hosts on the Internet see only the firewall's address. Note that translation by itself is not access control: whether a connection is allowed at all is still decided by the policy rules, and a NAT rule does not replace them.

In Firewall Builder, this type of NAT rule is composed as shown in Rule 1 in Figure 7.12.

In this rule, objects representing the internal networks are placed in Original Src and the firewall's outside interface object is placed in Translated Src, indicating that we want the source address of the packets to be translated. As before, we do not need to worry about reply packets: the underlying firewall software keeps a table of the translations performed for every connection opened through the firewall and automatically rewrites the destination address of the corresponding reply packets back to the internal address.

In Figure 7.12, Rule 1 uses the firewall interface object in Translated Src, which means the source address of the packet will be replaced with the address of the firewall's outside interface. If there is more than one external interface, the decision of which interface (and therefore which address) to use is made by the firewall's routing table.

As a result, Rule 1 in Figure 7.12 provides translation for packets coming from the internal subnets and going out to the Internet.

Note

An interface object can be used in NAT rules even if the address of that interface is obtained dynamically and is not known beforehand.

Figure 7.13. Translations done to packets going in different directions: (A) when firewall object is used in TSrc in the NAT rule; (B) when interface eth1 is used in TSrc in the NAT rule; (C) when host object with address 192.0.2.50 is used in TSrc in the NAT rule

7.3.2.1. Examples of Source Address Translation Rules

This section demonstrates examples of NAT rules that manipulate the source address and ports of packets.

7.3.2.1.1. Basic Source Address Translation Rule

Source address translation is useful when you need to let machines using private address space (for example, the ranges defined in RFC 1918) access the Internet. The firewall rewrites the source address of IP packets so that they appear to come from one of the public addresses assigned to the firewall rather than from the actual, private address on the internal network.

In the following examples we will use a firewall object configured as follows:

Figure 7.14. 


The external interface of the firewall is eth0, with a static IP address of 192.0.2.1 (this is an example address from the 192.0.2.0/24 documentation range; a real external interface would have a publicly routable address).

The simplest source address translation rule looks like this:

Figure 7.15. 


We put the interface of the firewall into Translated Src and an object representing the internal network into Original Src. This tells the firewall to replace the source address of packets that match the "Original" side of the rule with the address of interface eth0.

This rule translates into the following simple iptables command:

# Rule 0 (NAT)
#
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 172.16.22.0/24 \
    -j SNAT --to-source 192.0.2.1

Note that Firewall Builder places source address translation rules in the POSTROUTING chain of the nat table, where the packet's outgoing interface is already known, and destination translation rules in the PREROUTING chain.

For PF, Firewall Builder generates a nat rule (on this platform the external interface is en0):

# Rule 0 (NAT)
#
nat on en0 proto {tcp udp icmp} from 172.16.22.0/24 to any -> 192.0.2.1

This is the classic PF syntax with a separate nat rule; OpenBSD 4.7 and later express the same translation as a match rule with the nat-to option.

Finally, for PIX, Firewall Builder knows to use a global pool in combination with the "nat" command, and automatically determines which interfaces to associate the global and nat commands with:

! Rule 0 (NAT)
!
global (outside) 1 interface
access-list id43442X30286.0 permit ip 172.16.22.0 255.255.255.0 any
nat (inside) 1 access-list id43442X30286.0 tcp 0 0

Note that the generated PIX configuration has been optimized: the "global" command takes its address from the interface "outside" regardless of whether that address is assigned statically or dynamically.

7.3.2.1.2. Source Address Translation Using Interface with Dynamic Address

The generated configurations in the previous examples used the static IP address of the external interface for translation. Let's see what configuration Firewall Builder produces if the external interface has a dynamic address that is not known at the time the configuration is generated.

Figure 7.16. 


The NAT rule looks exactly the same as in the examples above: we still put interface eth0 in Translated Src even though its address is unknown.

iptables uses the MASQUERADE target when source NAT is requested through an interface with a dynamic address. MASQUERADE looks up the interface's current address when each new connection is translated, and the kernel also forgets existing connections when the interface goes down, which is the desired behaviour when the next address is unlikely to be the same. Firewall Builder generates the following command:

# Rule 0 (NAT)
#
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 172.16.22.0/24 -j MASQUERADE

PF supports a special syntax for a dynamic interface: writing the interface name in parentheses, (en0), makes PF look up the interface's current address at run time and follow it when it changes:

# Rule 0 (NAT)
#
nat on en0 proto {tcp udp icmp} from 172.16.22.0/24 to any -> (en0)

There is no difference in the generated PIX configuration, because fwbuilder optimizes it and uses the "global (outside) 1 interface" command, which takes the address from the outside interface regardless of whether the address is assigned statically or dynamically.

7.3.2.1.3. Port Translation

Firewall Builder can generate configurations for NAT rules that manipulate not only addresses, but also ports and port ranges. Consider this hypothetical example where we want to squeeze the source ports from the whole unprivileged range 1024-65535 into the much smaller range 10000-20000 on all connections from the internal network to a server in the DMZ:

Figure 7.17. 


TCP Service object "sport range 10000-20000" is defined as follows:

Figure 7.18. 


For iptables, Firewall Builder generates the following command for this rule:

# Rule 0 (NAT)
#
$IPTABLES -t nat -A POSTROUTING -o eth+ -p tcp -m tcp -s 172.16.22.0/24 \
    --sport 1024:65535 -d 192.168.2.10 -j SNAT --to-source :10000-20000

This rule matches the source port range 1024-65535 and the original destination address 192.168.2.10, and translates only the source ports, into the range 10000-20000; the source address is left unchanged because the --to-source argument carries no address. Firewall Builder generated an SNAT rule because the object in Translated Source requested a change in the source port range. If that object had zeros in the source port range but defined a non-zero destination port range, the program would have generated a DNAT rule to translate destination ports instead.
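The following added example (not Firewall Builder code, nor part of this guide) models in Python what the firewall's connection tracker does once rules like the ones in this section are loaded: the first packet of a connection is rewritten and the mapping is stored, replies are matched against that table and translated back without any extra rule (Section 7.3.2), the external address is looked up per new connection for the MASQUERADE case (Section 7.3.2.1.2), and source ports are squeezed into a configured range (this section). The Packet and SourceNat names, the hosts 198.51.100.7 and 203.0.113.9/10, and the single shared connection table are constructed for the example; real connection tracking keys entries on more state than this toy does.

```python
"""Stateful source NAT modelled in Python (added example, not fwbuilder code)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class SourceNat:
    """One SNAT rule: Original Src = internal_net, Translated Src = translated_src.

    translated_src may be a fixed address (like 'SNAT --to-source 192.0.2.1'),
    a callable returning the interface's current address (like MASQUERADE),
    or None to keep the address and rewrite only the port ('--to-source :lo-hi').
    """

    def __init__(self, internal_net, translated_src=None, port_range=None):
        self.net = ipaddress.ip_network(internal_net)
        self.translated_src = translated_src
        self.port_range = port_range
        self.table = {}      # original 5-tuple -> (translated src, translated sport)
        self.reverse = {}    # reply 5-tuple seen outside -> (original src, sport)
        self.in_use = set()  # (translated src, translated sport) already allocated

    def _translated_addr(self, pkt):
        if self.translated_src is None:
            return pkt.src
        if callable(self.translated_src):
            return self.translated_src()  # resolved when the connection starts
        return self.translated_src

    def _pick_port(self, addr, wanted):
        lo, hi = self.port_range or (wanted, wanted)
        # Keep the original port if the rule allows it and it is free,
        # otherwise hand out the lowest free port of the translated range.
        if lo <= wanted <= hi and (addr, wanted) not in self.in_use:
            return wanted
        for port in range(lo, hi + 1):
            if (addr, port) not in self.in_use:
                return port
        raise RuntimeError("translated source port range exhausted")

    def outbound(self, pkt):
        """Packet leaving through the external interface (POSTROUTING)."""
        if ipaddress.ip_address(pkt.src) not in self.net:
            return pkt  # Original Src does not match: packet passes untouched
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.table:  # first packet of a new connection
            addr = self._translated_addr(pkt)
            port = self._pick_port(addr, pkt.sport)
            self.in_use.add((addr, port))
            self.table[key] = (addr, port)
            self.reverse[(pkt.proto, pkt.dst, pkt.dport, addr, port)] = (pkt.src, pkt.sport)
        addr, port = self.table[key]
        return Packet(addr, port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """Packet arriving on the external interface. Returns None when no
        tracked connection matches; a stateful filter treats that as unsolicited."""
        orig = self.reverse.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Packet(pkt.src, pkt.sport, orig[0], orig[1], pkt.proto)


def demo():
    """Run the three rule variants from this section; returns results for checking."""
    results = {}
    # 1. Static SNAT to the external interface address (eth0 = 192.0.2.1).
    static = SourceNat("172.16.22.0/24", "192.0.2.1")
    out = static.outbound(Packet("172.16.22.5", 40000, "198.51.100.7", 443))
    reply = static.inbound(Packet("198.51.100.7", 443, out.src, out.sport))
    results["static_out"] = (out.src, out.sport)
    results["static_reply"] = (reply.dst, reply.dport)  # back to the internal host
    results["unsolicited"] = static.inbound(Packet("198.51.100.7", 443, "192.0.2.1", 50000))
    # 2. MASQUERADE-style: the address is looked up when each connection starts.
    iface = {"eth0": "203.0.113.9"}  # constructed "current address of eth0"
    dyn = SourceNat("172.16.22.0/24", lambda: iface["eth0"])
    first = dyn.outbound(Packet("172.16.22.7", 41000, "198.51.100.7", 80))
    iface["eth0"] = "203.0.113.10"   # lease renewed with a different address
    second = dyn.outbound(Packet("172.16.22.7", 41001, "198.51.100.7", 80))
    still_first = dyn.outbound(Packet("172.16.22.7", 41000, "198.51.100.7", 80))
    results["dynamic"] = (first.src, second.src, still_first.src)
    # 3. Port squeeze: keep the address, map source ports into 10000-20000.
    squeeze = SourceNat("172.16.22.0/24", None, port_range=(10000, 20000))
    pkts = [Packet("172.16.22.5", 1500, "192.168.2.10", 22),
            Packet("172.16.22.5", 1501, "192.168.2.10", 22),
            Packet("172.16.22.6", 1500, "192.168.2.10", 22)]
    results["squeeze"] = [(p.src, p.sport) for p in map(squeeze.outbound, pkts)]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The second scenario shows why the interface object can be used with a dynamic address: the translated address is read when a connection is first seen, so later connections pick up a new lease while established ones keep their mapping (the real kernel additionally drops MASQUERADE entries when the interface goes down, which this model omits). The third scenario shows that with only a port range in Translated Source, two internal hosts can both be mapped to port 10000 because the translated address still differs.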

7.3.2.1.4. Load Balancing NAT Rules

Many firewall platforms can use NAT to spread outgoing sessions across a pool of translated source addresses, a simple form of load balancing. To set this up in Firewall Builder, we start with an address range object:

Figure 7.19. 


We then use it in the "Translated Source" of the NAT rule:

Figure 7.20. 


Here is what we get for the iptables firewall:

# Rule 0 (NAT)
#
$IPTABLES -t nat -A POSTROUTING -o eth+ -s 172.16.22.0/24 \
    -j SNAT --to-source 192.0.2.10-192.0.2.20

In the case of PIX, fwbuilder builds a global pool reflecting the requested address range:

! Rule 0 (NAT)
!
global (outside) 1 192.0.2.10-192.0.2.20 netmask 255.255.255.0
access-list id54756X30286.0 permit ip 172.16.22.0 255.255.255.0 any
nat (inside) 1 access-list id54756X30286.0 tcp 0 0

For PF, the compiler converts the range 192.0.2.10-192.0.2.20 into the minimal set of aligned subnets (192.0.2.10/31 covers .10-.11, 192.0.2.12/30 covers .12-.15, 192.0.2.16/30 covers .16-.19, and .20 stands alone) and produces the following configuration line:

# Rule 0 (NAT)
#
nat proto {tcp udp icmp} from 172.16.22.0/24 to any -> \
    { 192.0.2.10/31 , 192.0.2.12/30 , 192.0.2.16/30 , 192.0.2.20 }

It is also possible to use a small network object in Translated Source, which is equivalent to using an address range of the same size:

Figure 7.21. 


We can use it in the rule just like the range object:

Figure 7.22. 


For PF, this yields:

# Rule 0 (NAT)
#
nat proto {tcp udp icmp} from 172.16.22.0/24 to any -> 192.0.2.0/27

Unfortunately, a network object in Translated Source is not supported for iptables, because the SNAT target accepts only a single IP address or a first-last range of addresses as its --to-source argument, not a subnet specification.
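The added example below (not Firewall Builder code) reproduces the pool arithmetic described in the last few paragraphs: splitting a first-last range into the minimal list of aligned CIDR blocks the way the PF output above shows it, and going the other way, from a network object to the first-last range that is the only multi-address form iptables' SNAT target accepts. The function names and the rendering helper are assumptions of the example; the input ranges are the ones used on this page, and the result is cross-checked against Python's standard library.

```python
"""Translated-source pools: address range <-> CIDR list (added example, not fwbuilder code)."""
import ipaddress


def range_to_cidrs(first, last):
    """Minimal list of IPv4 CIDR blocks covering first..last inclusive.

    Greedy: from the current start address take the largest block that is
    aligned on its own size and does not run past `last`, then continue
    after it. Each block is therefore as large as alignment and the
    remaining range allow, which gives the minimal cover."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is after range end")
    blocks = []
    while start <= end:
        size = 1
        while start % (size * 2) == 0 and start + size * 2 - 1 <= end:
            size *= 2
        prefix = 32 - (size.bit_length() - 1)
        blocks.append(ipaddress.IPv4Network((start, prefix)))
        start += size
    return blocks


def pf_pool(blocks):
    """Render blocks like the PF output in this section: a bare address for a
    single host (no /32), braces and ' , ' separators for a list."""
    items = [str(b.network_address) if b.prefixlen == 32 else str(b) for b in blocks]
    return items[0] if len(items) == 1 else "{ " + " , ".join(items) + " }"


def network_to_range(cidr):
    """First and last address of a network object, as a (first, last) pair."""
    net = ipaddress.IPv4Network(cidr)
    return str(net.network_address), str(net.broadcast_address)


def iptables_to_source(first, last):
    """Argument for 'SNAT --to-source': one address, or first-last for a pool."""
    return first if first == last else f"{first}-{last}"


if __name__ == "__main__":
    blocks = range_to_cidrs("192.0.2.10", "192.0.2.20")
    print("PF pool      :", pf_pool(blocks))
    print("iptables pool:", iptables_to_source("192.0.2.10", "192.0.2.20"))
    lo, hi = network_to_range("192.0.2.0/27")
    print("192.0.2.0/27 as iptables range:", iptables_to_source(lo, hi))
```

Running it prints the same brace list as the PF rule above and shows that the /27 network object could only be handed to iptables as the range 192.0.2.0-192.0.2.31; that conversion is what a compiler would need to do for this platform, and, as the page notes, Firewall Builder does not perform it.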

PF supports several pool modes that control how the translated address is chosen for rules like this (bitmask, random, source-hash and round-robin). To add the configuration parameters that control this, open the NAT rule options dialog by double-clicking in the "Options" column of the NAT rule:

Figure 7.23. 


When the "source-hash" option is checked, PF selects the pool address from a hash of the packet's source address, so a given internal host is always translated to the same external address. The generated rule becomes:

# Rule 0 (NAT)
#
nat proto {tcp udp icmp} from 172.16.22.0/24 to any -> 192.0.2.0/27 source-hash

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.