Next: How to only translate Up: Route NAT status Previous: What it is not:   Contents

How it works.

Some part of the address space is reserved for dummy addresses which, to the rest of the world, look like host addresses inside your network. No other hosts may use these addresses, but other routers may also be configured to translate them.

NB. A great advantage of route NAT is that it can be used not only in stub networks but in environments with arbitrarily complicated structure. It does not firewall; it forwards. Note also that this stateless route NAT (the nat route type and the nat keyword of ip rule) belongs to the 2.2/2.4 kernels; it was dropped from the kernel in the 2.6 series, where the same job is done with netfilter (iptables/nftables) NAT instead.

These addresses are declared with the ip route command (sec. 7.1). For example,

  ip route add nat 192.203.80.144 via 193.233.7.83
states that the single address 192.203.80.144 is a dummy NAT address. To the rest of the world it looks like a host address inside our network; to neighbouring hosts and routers it looks like a local address of the translating router. The router answers ARP for it, advertises it as routed via itself, and so on. When the router receives a packet destined for 192.203.80.144, it replaces this address with 193.233.7.83, the address of some real host, and forwards the packet. If you need to remap blocks of addresses, you may use a command like:
  ip route add nat 192.203.80.192/26 via 193.233.7.64
This command maps the block of 64 addresses 192.203.80.192-255 onto 193.233.7.64-127. The two blocks are the same size and the translation is purely arithmetic: each dummy address is mapped to the real address at the same offset within the block.

When an internal host (193.233.7.83 in the example above) sends something to the outer world and these packets are forwarded by our router, the router should translate the source address 193.233.7.83 into 192.203.80.144. This is done with a special policy rule (sec. 8.1):

  ip rule add prio 320 from 193.233.7.83 nat 192.203.80.144
This rule says that the source address 193.233.7.83 should be translated into 192.203.80.144 before forwarding. It is important that the address after the nat keyword be a NAT address declared with ip route add nat; if it is just an arbitrary address, the router will not map to it.

NB. The exception is when the address is a local address of this router (or 0.0.0.0) and masquerading is configured in the linux-2.2 kernel. In this case the router masquerades the packets as this address. If 0.0.0.0 is given, the result is equivalent to that obtained with firewalling rules; otherwise, this is the way to make Linux masquerade to a fixed address. The NAT mechanism used in linux-2.4 is more flexible than masquerading, so this feature has lost its meaning there and is disabled.

If the network has a non-trivial internal structure, it is useful and even necessary to add rules disabling translation when a packet does not leave the network. Let us return to the example from sec. 8.2 (shown here as ip rule show prints it):

300:	from 193.233.7.83 to 193.233.7.0/24 lookup main
310:	from 193.233.7.83 to 192.203.80.0/24 lookup main
320:	from 193.233.7.83 lookup inr.ruhep map-to 192.203.80.144
This block of rules causes normal forwarding when packets from 193.233.7.83 do not leave the networks 193.233.7.0/24 and 192.203.80.0/24. Also, if the inr.ruhep table does not contain a route to the destination (which means that the routing domain owning addresses from 192.203.80.0/24 is dead), the lookup fails, the rule is skipped and no translation occurs. Otherwise, the packets are translated.
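The following Python model, added here as an example and not code from the kernel or from this guide, reproduces the address arithmetic of the two nat routes, the prio 320 nat rule and the prio 300/310 exclusion rules above, so the behaviour described in this section can be traced on concrete packets. It goes slightly beyond the text in that it handles both the single-address and the block form of the nat route with one offset computation, and refuses a map-to target that was not declared with ip route add nat. The host and block addresses are the page's own; the contents of the main and inr.ruhep tables and the outside address 198.51.100.7 are constructed for the example.

```python
"""Model of the stateless route-NAT translation described in the text.

Added example, not kernel code: it reproduces the address arithmetic of
  ip route add nat 192.203.80.144 via 193.233.7.83
  ip route add nat 192.203.80.192/26 via 193.233.7.64
  ip rule add prio 320 from 193.233.7.83 nat 192.203.80.144
together with the prio 300/310 exclusion rules. Routing-table contents
and the outside address 198.51.100.7 are constructed for the example.
"""
import ipaddress

IPv4 = ipaddress.IPv4Address


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


# ip route add nat DUMMY via REAL: each dummy address (or block) is mapped
# one-to-one, by offset, onto an equally sized block starting at REAL.
NAT_ROUTES = [
    (net("192.203.80.144/32"), IPv4("193.233.7.83")),
    (net("192.203.80.192/26"), IPv4("193.233.7.64")),
]

# ip rule entries: (prio, from, to, table, map_to). to=None matches any
# destination; map_to=None means a plain lookup without translation.
RULES = [
    (300, "193.233.7.83", "193.233.7.0/24", "main", None),
    (310, "193.233.7.83", "192.203.80.0/24", "main", None),
    (320, "193.233.7.83", None, "inr.ruhep", "192.203.80.144"),
]

# Constructed table contents: inr.ruhep is the table that reaches the outside
# world through the routing domain owning 192.203.80.0/24.
TABLES_UP = {
    "main": [net("193.233.7.0/24"), net("192.203.80.0/24")],
    "inr.ruhep": [net("0.0.0.0/0")],
}
# Same, but that domain is "dead": inr.ruhep holds no routes at all.
TABLES_DEAD = {"main": TABLES_UP["main"], "inr.ruhep": []}


def nat_route_for(addr):
    """Return the (dummy_block, real_base) nat route covering addr, or None."""
    for block, base in NAT_ROUTES:
        if addr in block:
            return block, base
    return None


def nat_block_size(cidr):
    """Number of real addresses a dummy block consumes (a /26 is 64)."""
    return net(cidr).num_addresses


def translate_dst(dst):
    """Inbound: a packet addressed to a dummy NAT address has its destination
    rewritten to the real address at the same offset inside the block.
    Packets to any other address are forwarded unchanged."""
    dst = IPv4(dst)
    hit = nat_route_for(dst)
    if hit is None:
        return str(dst)
    block, base = hit
    offset = int(dst) - int(block.network_address)
    return str(IPv4(int(base) + offset))


def translate_src(src, dst, tables, rules=RULES):
    """Outbound: walk the policy rules in priority order. A rule applies only
    if it matches and its table has a route to dst; a failed lookup falls
    through to the next rule, so a dead inr.ruhep table means no translation.
    map-to is honoured only for an address declared by ip route add nat."""
    src, dst = IPv4(src), IPv4(dst)
    for _prio, frm, to, table, map_to in sorted(rules, key=lambda r: r[0]):
        if src != IPv4(frm):
            continue
        if to is not None and dst not in net(to):
            continue
        if not any(dst in route for route in tables.get(table, [])):
            continue  # no route in this table: try the next rule
        if map_to is None or nat_route_for(IPv4(map_to)) is None:
            return str(src)  # plain lookup, or an undeclared NAT address
        return str(map_to)
    return str(src)  # no rule applied: forwarded untranslated


if __name__ == "__main__":
    print(translate_dst("192.203.80.200"))                             # 193.233.7.72
    print(translate_src("193.233.7.83", "198.51.100.7", TABLES_UP))    # 192.203.80.144
    print(translate_src("193.233.7.83", "198.51.100.7", TABLES_DEAD))  # 193.233.7.83
```

Because the mapping is stateless, every real host in 193.233.7.64-127 is reachable from outside at its dummy address whether or not it has ever sent a packet, which is exactly what distinguishes route NAT from connection-tracking masquerading.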


Martin A. Brown 2003-03-14