====== Сервис NAT ======
* [[http://stackoff.ru/ip/|Определение внутреннего IP-адреса за NAT и VPN через WebRTC]]
===== Трансляция на основе адреса отправителя =====
==== Debian/Ubuntu (iptables) ====
=== Заполнение таблицы nat (eth1 - внешний интерфейс) ===
debian11_12# apt install iptables
root@gate:~# apt install conntrack
root@gate:~# cat nat.sh
#!/bin/sh
# nat.sh: source NAT for the internal network leaving through eth1
# (X is the placeholder used throughout this page).
#
# Only the nat table is touched: the script does not add or change any
# filter rules.

# Empty the nat table first so re-running the script does not pile up
# duplicate POSTROUTING rules.
iptables --table nat --flush

# Masquerade everything from the internal network that leaves via eth1,
# i.e. rewrite the source to whatever address eth1 currently has.
iptables --table nat --append POSTROUTING --out-interface eth1 --source 192.168.X.0/24 --jump MASQUERADE

# Alternatives: translate the second (PPPoE) client network as well, or use
# SNAT with a fixed external address when that address does not change.
#iptables --table nat --append POSTROUTING --out-interface eth1 --source 192.168.100+X.0/24 --jump MASQUERADE
#iptables --table nat --append POSTROUTING --out-interface eth1 --source 192.168.X.0/24 --jump SNAT --to-source 172.16.1.X

# Flush the connection-tracking table so existing flows are re-evaluated
# against the new rules. This also drops the state of every other tracked
# connection on the gateway, not only those affected by NAT.
conntrack --flush
root@gate:~# sh nat.sh
=== Просмотр таблицы nat ===
root@gate:~# iptables -t nat -n -L -v --line-numbers
root@gate:~# conntrack -L
=== Управление состоянием iptables ===
== Вариант 1 ==
== Сохранение состояния iptables ==
root@gate:~# iptables-save > /etc/iptables.rules
== Восстановление состояния iptables ==
root@gate:~# iptables-restore < /etc/iptables.rules
== Восстановление состояния iptables при загрузке ==
root@gate:~# cat /etc/network/interfaces
...
# /etc/network/interfaces: eth1 is the external interface.
auto eth1
iface eth1 inet static
# pre-up runs before the interface is brought up, so the saved ruleset
# (including the nat rules) is in place before eth1 carries any traffic.
pre-up iptables-restore < /etc/iptables.rules
...
== Вариант 2 ==
# apt install iptables-persistent
# netfilter-persistent save
==== nftables ====
* [[https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)|Performing Network Address Translation (NAT)]]
* https://wiki.debian.org/nftables
gate# apt install nftables
gate# man nft
gate# nft add table nat
gate# nft 'add chain nat postrouting { type nat hook postrouting priority srcnat ; }'
gate# nft add rule nat postrouting ip saddr 192.168.X.0/24 oif eth1 snat to 172.16.1.X
gate# nft add rule nat postrouting ip saddr 192.168.100+X.0/24 oif eth1 snat to 172.16.1.X
gate# nft list ruleset
gate# nft flush ruleset
gate# systemctl enable nftables.service --now
gate# cat /etc/nftables.conf
...
# /etc/nftables.conf: persistent source NAT, loaded by nftables.service.
table ip nat {
# Source NAT is done in the postrouting hook, after routing has already
# chosen the outgoing interface.
chain postrouting {
# policy accept: packets that match no rule leave untranslated.
type nat hook postrouting priority srcnat; policy accept;
# Only the 192.168.100+X network is translated here; the interactive
# example above also added a rule for 192.168.X.0/24. Add a second rule
# if both networks are expected to reach the outside.
ip saddr 192.168.100+X.0/24 oif "eth1" snat to 172.16.1.X
}
}
gate# systemctl reload nftables.service
==== CentOS (firewalld) ====
* [[https://www.mjhall.org/centos-7-firewalld-nat-router.html|CentOS 7 firewalld NAT router]]
==== FreeBSD ====
=== PF ===
[gate:~] # cat /etc/pf.conf
# /etc/pf.conf: source NAT for the internal network leaving through em1.
# (em1) in parentheses makes pf use em1's current address at match time,
# so the rule keeps working if that address changes.
nat on em1 from 192.168.X/24 to any -> (em1)
# Alternatives: static-port keeps the original source port (the page uses
# this for asterisk/SIP below); the last form translates to a fixed
# external address instead of the interface's address.
# nat on em1 from 192.168.X/24 to any -> (em1) static-port
# nat on em1 from 192.168.X/24 to any -> 172.16.1.X
[gate:~] # cat /etc/rc.conf
...
# /etc/rc.conf: start pf at boot (the rest of the file is elided).
pf_enable=yes
[gate:~] # service pf check
[gate:~] # service pf start
[gate:~] # pfctl -vs nat
===== Трансляция портов сервисов =====
==== Debian/Ubuntu (iptables) ====
root@gate:~# cat nat.sh
#!/bin/sh
# nat.sh: source NAT for the internal network plus inbound port forwarding
# (DNAT) from the external address 172.16.1.X to the internal host
# 192.168.X.10 (X is the placeholder used throughout this page).
#
# Only the nat table is touched. DNAT rewrites the destination of a packet;
# whether the forwarded packet is then allowed through is decided by the
# filter table's FORWARD chain, which this script does not change.

# Empty the nat table first so re-running the script does not pile up
# duplicate rules.
iptables --table nat --flush

# Outbound: masquerade the internal network behind eth1's address.
iptables --table nat --append POSTROUTING --out-interface eth1 --source 192.168.X.0/24 --jump MASQUERADE
# Alternatives: the second (PPPoE) client network, or only the server host.
#iptables --table nat --append POSTROUTING --out-interface eth1 --source 192.168.100+X.0/24 --jump MASQUERADE
#iptables --table nat --append POSTROUTING --out-interface eth1 --source 192.168.X.10 --jump MASQUERADE

# Inbound: services published on the external address. Each rule makes the
# internal host reachable on that port from everything that can reach eth1.
# ssh is published on 2222 and mapped to port 22 on the internal host.
iptables --table nat --append PREROUTING --in-interface eth1 --destination 172.16.1.X --protocol tcp --destination-port 2222 --jump DNAT --to-destination 192.168.X.10:22
# DNS over tcp and udp.
iptables --table nat --append PREROUTING --in-interface eth1 --destination 172.16.1.X --protocol tcp --destination-port 53 --jump DNAT --to-destination 192.168.X.10:53
iptables --table nat --append PREROUTING --in-interface eth1 --destination 172.16.1.X --protocol udp --destination-port 53 --jump DNAT --to-destination 192.168.X.10:53
# Further services, enabled as needed: smtp/smtps/submission, imap, http,
# xmpp, SIP signalling, and asterisk's media range and IAX2.
#iptables --table nat --append PREROUTING --in-interface eth1 --destination 172.16.1.X --protocol tcp --destination-port 25 --jump DNAT --to-destination 192.168.X.10:25
#iptables --table nat --append PREROUTING --in-interface eth1 --destination 172.16.1.X --protocol tcp --destination-port 465 --jump DNAT --to-destination 192.168.X.10:465
#iptables --table nat --append PREROUTING --in-interface eth1 --destination 172.16.1.X --protocol tcp --destination-port 587 --jump DNAT --to-destination 192.168.X.10:587
#iptables --table nat --append PREROUTING --in-interface eth1 --destination 172.16.1.X --protocol tcp --destination-port 143 --jump DNAT --to-destination 192.168.X.10:143
#iptables --table nat --append PREROUTING --in-interface eth1 --destination 172.16.1.X --protocol tcp --destination-port 80 --jump DNAT --to-destination 192.168.X.10:80
#iptables --table nat --append PREROUTING --in-interface eth1 --destination 172.16.1.X --protocol tcp --destination-port 5222 --jump DNAT --to-destination 192.168.X.10:5222
#iptables --table nat --append PREROUTING --in-interface eth1 --destination 172.16.1.X --protocol udp --destination-port 5060 --jump DNAT --to-destination 192.168.X.10:5060
#iptables --table nat --append PREROUTING --in-interface eth1 --destination 172.16.1.X --protocol tcp --destination-port 5061 --jump DNAT --to-destination 192.168.X.10:5061
# NOTE(review): the multiport match normally takes --dports, while udp's own
# --dport already accepts a range; confirm this line parses before relying
# on it. Without a port after the address the destination port is kept.
#iptables --table nat --append PREROUTING --in-interface eth1 --destination 172.16.1.X --protocol udp --match multiport --dport 10000:20000 --jump DNAT --to-destination 192.168.X.10
#iptables --table nat --append PREROUTING --in-interface eth1 --destination 172.16.1.X --protocol udp --destination-port 4569 --jump DNAT --to-destination 192.168.X.10:4569

# Flush the connection-tracking table so existing flows are re-evaluated
# against the new rules. This also drops the state of every other tracked
# connection on the gateway.
conntrack --flush
root@gate:~# sh nat.sh
root@gate:~# iptables-save > /etc/iptables.rules
==== FreeBSD (pf) ====
[gate:~] # cat /etc/pf.conf
# /etc/pf.conf: source NAT for the corporate network plus inbound
# redirections (rdr) of published services to internal hosts.
# X is the placeholder used throughout this page.
ext_ip="172.16.1.X"
ext_if="em1"
corp_net="192.168.X/24"
#pppoe_corp_net="192.168.100+X/24"
# In this example every published service runs on the same internal host.
ssh_server="192.168.X.10"
dns_server="192.168.X.10"
www_server="192.168.X.10"
mail_server="192.168.X.10"
asterisk_server="192.168.X.10"
# Outbound translation. ($ext_if) resolves to the interface's current
# address when the rule matches. The static-port variant keeps the source
# port unchanged, which is why it is tied to the asterisk host here.
#nat on $ext_if proto udp from $asterisk_server to any -> ($ext_if) static-port
nat on $ext_if from $corp_net to any -> ($ext_if)
#nat on $ext_if from $pppoe_corp_net to any -> ($ext_if)
#nat on $ext_if from $dns_server to any -> ($ext_if)
# Inbound redirections: anything reaching $ext_ip on these ports, from any
# source, is sent to the internal host. rdr only rewrites the destination;
# the redirected packet must still be admitted by the filter rules, which
# are elided below. Note that port 53 makes the internal DNS server
# reachable from the whole outside - confirm it is meant to be public.
# ssh is published on 2222 and mapped to port 22 on the internal host.
rdr on $ext_if proto tcp from any to $ext_ip port 2222 -> $ssh_server port 22
#rdr on $ext_if proto tcp from any to $ext_ip port 25 -> $mail_server port 25
rdr on $ext_if proto {udp,tcp} from any to $ext_ip port 53 -> $dns_server port 53
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $www_server port 80
rdr on $ext_if proto tcp from any to $ext_ip port 143 -> $mail_server port 143
# Asterisk: SIP signalling, the RTP media range (the 10000:* form maps the
# incoming range onto the same range on the server), and IAX2.
#rdr on $ext_if proto udp from any to $ext_ip port 5060 -> $asterisk_server port 5060
#rdr on $ext_if proto udp from any to $ext_ip port 10000:20000 -> $asterisk_server port 10000:*
#rdr on $ext_if proto udp from any to $ext_ip port 4569 -> $asterisk_server port 4569
# Filter section: shown commented out here, the rest of the file is elided.
# set skip on lo0
# block in all
...
[gate:/etc] # /etc/rc.d/pf check
[gate:/etc] # /etc/rc.d/pf reload
===== Поддержка протоколов приложений =====
==== tftp ====
* [[https://unix.stackexchange.com/questions/579508/iptables-rules-to-forward-tftp-via-nat|iptables rules to forward tftp via NAT]]
===== Мониторинг соединений =====
==== Ubuntu (iptables) ====
root@gate:~# conntrack -L
root@gate:~# iptstate
root@gate:~# conntrack -F
==== FreeBSD (pf) ====
[gate:~] # pfctl -vs state
[gate:~] # pkg_add -r pftop
[gate:~] # rehash
[gate:~] # pftop
[gate:~] # pfctl -F state
===== Дополнительные материалы =====
==== Ubuntu (iptables) ====
=== Трансляция внешних адресов во внутренние один в один ===
# One-to-one NAT: external address 192.168.6.N is mapped onto the internal
# host 192.168.106.N in both directions. Unlike the scripts above, these
# rules carry no interface match, so they apply on every interface.

# Empty the nat table first so re-running does not duplicate rules.
iptables --table nat --flush

# Inbound: packets addressed to the external address go to the internal host.
iptables --table nat --append PREROUTING --destination 192.168.6.N --jump DNAT --to-destination 192.168.106.N

# Outbound: the internal host's packets leave with the external address.
iptables --table nat --append POSTROUTING --source 192.168.106.N --jump SNAT --to-source 192.168.6.N
==== ipfw natd ====
=== FreeBSD ===
[gate:~] # kldload ipdivert
[gate:~] # natd -interface le1
или
[gate:~] # natd -alias_address 172.16.1.X
[gate:~] # sysctl net.inet.ip.fw.enable=0
[gate:~] # ipfw -f flush
[gate:~] # ipfw add divert natd all from 192.168.X.0/24 to any via le1
[gate:~] # ipfw add divert natd all from any to 172.16.1.X via le1
[gate:~] # ipfw add pass all from any to any
[gate:~] # sysctl net.inet.ip.fw.enable=1
=== MacOSX ===
# macOS: NAT with natd fed through ipfw divert rules.
# Variant 1: natd takes its alias address from en0.
natd -interface en0
# Static route to the inner 192.168.6.0/24 network via 172.16.1.6.
route add 192.168.6.0/24 172.16.1.6
# Forwarding must be on for the host to route between its interfaces.
sysctl -w net.inet.ip.forwarding=1
# Variant 2: natd with an explicit alias address.
# NOTE(review): two natd invocations appear in this listing; presumably only
# one of them is meant for a given setup - confirm.
natd -alias_address 195.19.32.14
# Rebuild the ipfw rule set; rules are evaluated in insertion order.
ipfw -f flush
# Traffic from 172.16.1.254 (presumably the gateway itself) bypasses natd.
ipfw add pass all from 172.16.1.254 to any
# Outbound traffic from both inner networks, and inbound traffic to the
# alias address, is handed to natd on en0.
ipfw add divert natd all from 172.16.1.0/24 to any via en0
ipfw add divert natd all from 192.168.6.0/24 to any via en0
ipfw add divert natd all from any to 195.19.32.14 via en0
# Everything else is permitted; there is no filtering in this example.
ipfw add pass all from any to any
==== nat pptp ====
=== FreeBSD (pf) ===
[[http://www.propheta.ru/2009/11/pptp-gre-pf.html]]
# cat /etc/rc.conf
# pptp passthrough: exclude GRE and the pptp control port from source NAT
# so the tunnel endpoint addresses are not rewritten on vlan2.
# NOTE(review): these are pf.conf rules even though the page shows them
# under "cat /etc/rc.conf".
no nat on vlan2 proto gre all
no nat on vlan2 proto tcp from any to any port = pptp
no nat on vlan2 proto tcp from any port = pptp to any
...
# Filter rules admitting the pptp control connection (tcp 1723) and GRE in
# both directions. $external_if is a macro defined elsewhere in the file
# (not shown); presumably it names the same interface as vlan2 above.
# "from any to any" admits GRE from every source, not only known peers.
pass quick on $external_if inet proto tcp from any to any port 1723
pass quick on $external_if inet proto tcp from any port 1723 to any
pass quick on $external_if inet proto gre from any to any
# cat /etc/ipfw.script
#!/bin/sh
# /etc/ipfw.script: feed ipfw rules from a here-document on stdin.
# NOTE(review): the here-document body with the actual rules did not survive
# the wiki rendering; only the redirect operator is left. Restore the rules
# (presumably from the linked article) before using this script.
/sbin/ipfw -q /dev/stdin <
# chmod +x /etc/ipfw.script
# cat /etc/rc.conf
# /etc/rc.conf: enable ipfw and in-kernel NAT, and load the custom script.
firewall_enable="YES"
# ipfw nat support (replaces the userland natd used earlier on this page).
firewall_nat_enable="YES"
# Rule set loaded at boot instead of one of the stock firewall types.
firewall_script="/etc/ipfw.script"