How to setup a NAT server?

How to setup an NAT server?


Table of Contents

  • What is NAT?
  • How to setup NAT host?
  • a shell script from vbird's book

1 What is NAT?

NAT stands for Network Address Transition, which is the basic function of gateway host. I try to hack Bluetooth tethering module in android this week, it include the Bluetooth Pan profile and the NAT setup process, which means in order to implement the Bluetooth tethering, first, two devices must be connected by Bluetooth Pan profile, and then the server part device acted as gateway host to supply the network forward service.

In other words, after Bluetooth Pan profile connected, the server must to setup its NAT rules to forward the IP packages. So how to setup NAT rules?

2 How to setup NAT host?

My memory is still fresh that at the start of my Linux journey, I setup my Linux desktop as an NAT host to provide Internet services for my lab's classmates. During the days as a programmer, I once did a job to hacking android's netd daemon to provide route tables setup function.

As a conclusion, there are following three steps to setup the NAT rules. The hardest part is maybe to understand iptables rules.
  • Step one: open up the kernel's IP forward function.
  • Step two: setup iptables rules.
  • Step three: For the NAT host, maybe you should check the route tables.

3 a shell script  from vbird's book

#!/bin/bash
#made by vbird
# please input the right net device name
EXTIF="ppp0"              # external net interface, used to connected to outside.
INIF="eth0"             # internel LAN net interface
INNET="192.168.1.0/24" # internal LAN net cfg
export EXTIF INIF INNET
#######
## Step 1: Basic net settings and clean iptable rules
# 1. setup net interface 
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo "1" > $i
done
for i in /proc/sys/net/ipv4/conf/*/log_martians; do
      echo "1" > $i
done
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
      echo "0" > $i
done
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
      echo "0" > $i
done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do
      echo "0" > $i
done
## 2. cleanup iptable rules
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
iptables -F
iptables -X
iptables -Z
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT
## Setup 2: setup iptable rules
# 1. insmod the necessary kernel modules
modules="ip_tables iptable_nat ip_nat_ftp ip_nat_irc ip_conntrack
ip_conntrack_ftp ip_conntrack_irc"
for mod in $modules
do
      testmod=`lsmod | grep "${mod} "`
      if [ "$testmod" == "" ]; then
            modprobe $mod
      fi
done
## 2. clean up NAT table
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# 3. setup as gateway host 
if [ "$INIF" != "" ]; then
   iptables -A INPUT -i $INIF -j ACCEPT
   echo "1" > /proc/sys/net/ipv4/ip_forward
   if [ "$INNET" != "" ]; then
     for innet in $INNET
     do
      iptables -t nat -A POSTROUTING -s $innet -o $EXTIF -j MASQUERADE
     done
   fi
fi
#### If your MSN cannot connected, or your access denied by some website
#### that maybe the problem of MTU
# iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss \
#         --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
# 4. internel service setting
# iptables -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 \
#        -j DNAT --to 192.168.1.210:80

Comments

Post a Comment

Popular posts from this blog

How Bluetooth LE works? -- Link Layer

Image
How Bluetooth LE works? - Link layer Table of Contents 1 Bluetooth LE system architecture 2 Bluetooth LE Physical layer 3 Bluetooth LE Link Layer states 4 Bluetooth LE Link Layer packets 1 Bluetooth LE system architecture This is the first post and hopefully a series of upcoming postings about Bluetooth Low Energy. Above figure is the protocol stack of a whole Bluetooth LE system. The Bluetooth LE is one part of Bluetooth v4.0 specification, it was designed not to pursue high transmission speed but for lower energy consumption. So the Bluetooth LE products can be powered by a button-cell battery for years. How did it do that? This article is a review of Robin Heydon's excellent book – Bluetooth Low Energy, the developer's handbook. Bluetooth LE is completely redesigned of classic Bluetooth protocol, It seems that both the Bluetooth LE and classic Bluetooth has the same architecture from above figure, but actually they are so different inside, an...
Read more

Bluedroid stack in android

Image
Bluedroid stack in android Table of Contents Bluetooth stack in android Bluedroid .VS. Bluez Porting guide of Bluedroid stack 1 Bluetooth stack in android From Android 4.2, google use Bluedroid stack as its default Bluetooth host stack, before android 4.2, its default Bluetooth host stack was Bluez, which is also the Linux distribution's default stack. So why google changed its Bluetooth stack? The reason is maybe that Bluez stack was designed for the desktop environment, so in order to port Bluez into android, android must solve some dependency issues, like porting Dbus, Linux desktop's default IPC, into android. So there are at least five processes to power Bluetooth before android 4.2, they are systems, Bluetooth APP, Bluez, hciattach, and Dbus. The damn thing is that there are bugs between them, so Bluetooth stack is the weakest part in the android system before android 4.2, yeah, it is the usual reason that android system corrupted. So, what's t...
Read more

Network programming in elisp

  Network API in elisp Table of Contents 1 Introduction 2 A example 3 Http server implemented by elisp 1 Introduction Emacs is not just an editor, Yes, that's true. Emacs lisp can do network connection programming by its network API. But there is something difference with other kinds of programming language. First, elisp do not support multi-thread, pretty cool, huh!! Yeh, Multi-threads programming is a horrible venture for you, right! Second, There is no socket similarly conception in elisp, and elisp provide network programming ability as processes. Elisp can open a network connection by function – open-network-stream .  It can make network connection server listen a special port by function - make-network-process . Both of those function return a process object. Then you can communicate with the process by process's API. 2 A example I write a snippet code to figure out How to use it. ( require ' cl ) ( defvar my-network-client-b...
Read more