6.9. NAT with kernel 2.2 or higher

Network address translation (NAT), as implemented in the routing code of the GNU/Linux 2.2 kernel, is the alternative to the older GNU/Linux IP Masquerade and adds new features to the service. One of the improvements in the 2.2 TCP/IP stack is that this NAT is integrated into the kernel's routing tables. Note that route-based NAT is stateless and rewrites addresses one-to-one (one external address per internal address, or equal-sized blocks): it does not translate ports, so it cannot hide many internal hosts behind a single public address the way masquerading does. To use it, the kernel must be compiled with:

CONFIG_IP_ADVANCED_ROUTER, CONFIG_IP_MULTIPLE_TABLES and CONFIG_IP_ROUTE_NAT.

If we also need complete control over the NAT rules (for example, to combine them with the firewall), we must additionally enable:

CONFIG_IP_FIREWALL and CONFIG_IP_ROUTE_FWMARK.

In order to work with these features, we need the ip program from the iproute2 package (which can be obtained at ftp://ftp.inr.ac.ru/ip_routing/). To translate the destination address of incoming datagrams, we use:

ip route add nat <extaddr>[/<masklen>] via <intaddr>

This translates the destination address of an incoming packet addressed to ext-addr (the address visible from the Internet) into int-addr (the address on the internal network behind the gateway/firewall); the rewritten packet is then routed according to the local routing table. Either a single address or a whole block can be translated; with a block, each external address maps to the internal address with the same offset within the block. Note that this route only rewrites the destination of inbound packets: for the replies leaving the internal host to carry the external address as their source, a matching rule must be added to the routing policy database with ip rule (of the form ip rule add from <intaddr> nat <extaddr>), otherwise the internal address leaks out unchanged. For example:

ip route add nat 240.0.11.34 via 192.109.0.2
ip route add nat 240.0.11.32/27 via 192.109.0.0

The first makes the internal address 192.109.0.2 reachable as 240.0.11.34. The second remaps the block 192.109.0.0/27 (192.109.0.0 to 192.109.0.31) onto 240.0.11.32/27 (240.0.11.32 to 240.0.11.63); a /27 mask covers 32 addresses, so both blocks must be of that size and the external block must start on a 32-address boundary. In this example we have used, as external addresses, the reserved class E range 240.0.*.* so as not to use a real public address; the user must replace 240.0.11.34 and 240.0.11.32/27 with the public addresses they actually wish to translate to (and in practice the internal side would normally be an RFC 1918 private range rather than 192.109.0.0/27). Route-based NAT (CONFIG_IP_ROUTE_NAT) was later removed from the 2.6 kernel series; on current kernels the equivalent function is provided by the netfilter DNAT and SNAT targets. [Ran05]
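The following script, added here as an illustration and not part of the original text or of the iproute2 package, models the stateless one-to-one mapping that the nat route performs and generates the commands needed to set it up in both directions. The inbound rewrite (ip route add nat) is the form given above; the reverse rule syntax (ip rule add from <intaddr> nat <extaddr>) and the cache flush are taken from the iproute2 reference documentation and are assumptions of this example, not something the section shows. The sample addresses are the constructed ones used in the section.

```python
"""Model of kernel 2.2 route-based (stateless) NAT as configured with
`ip route add nat <extaddr>[/<masklen>] via <intaddr>`.

Added example, not code from the original text. The kernel keeps no
per-connection state: an address inside the external block is mapped to
the internal block address at the same offset, and nothing else changes.
"""
import ipaddress


def _block(prefix):
    """Parse '240.0.11.32/27' or a bare host address into an IPv4 network."""
    return ipaddress.ip_network(prefix, strict=False)


def translate(addr, src_block, dst_base):
    """Map addr (inside src_block) to the address at the same offset in the
    block that starts at dst_base.  Returns None if addr is outside the
    block, i.e. the packet would not be translated at all."""
    net = _block(src_block)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return None
    offset = int(ip) - int(net.network_address)
    return str(ipaddress.ip_address(int(ipaddress.ip_address(dst_base)) + offset))


def inbound(dst, ext_block, int_base):
    """Destination rewrite done by the nat route for a packet arriving from
    the Internet addressed to ext_block."""
    return translate(dst, ext_block, int_base)


def outbound(src, ext_block, int_base):
    """Reverse (source) rewrite that the matching `ip rule ... nat` entry
    performs on replies leaving the internal host.  Returns None for a
    source outside the internal block."""
    net = _block(ext_block)
    ip = ipaddress.ip_address(src)
    offset = int(ip) - int(ipaddress.ip_address(int_base))
    if not 0 <= offset < net.num_addresses:
        return None
    return str(ipaddress.ip_address(int(net.network_address) + offset))


def block_size(block):
    """Number of addresses covered by a nat route (32 for a /27)."""
    return _block(block).num_addresses


def nat_rules(ext_block, int_base):
    """Commands for a complete mapping.  The first line is the syntax shown
    in the section; the second (reverse translation) and the third (flush
    the route cache so the change takes effect) are assumptions taken from
    the iproute2 reference manual."""
    net = _block(ext_block)
    if net.prefixlen == 32:
        ext, internal = str(net.network_address), int_base
    else:
        ext, internal = net.with_prefixlen, "%s/%d" % (int_base, net.prefixlen)
    return [
        "ip route add nat %s via %s" % (ext, int_base),
        "ip rule add from %s nat %s" % (internal, net.network_address),
        "ip route flush cache",
    ]


if __name__ == "__main__":
    # Constructed sample mappings (the ones used in the section).
    for ext, internal in (("240.0.11.34", "192.109.0.2"),
                          ("240.0.11.32/27", "192.109.0.0")):
        print("# %s -> %s (%d address(es))" % (ext, internal, block_size(ext)))
        for line in nat_rules(ext, internal):
            print(line)
    # A packet for 240.0.11.50 reaches 192.109.0.18; its reply goes back out
    # as 240.0.11.50.  240.0.11.70 is outside the /27 and is left alone.
    print(inbound("240.0.11.50", "240.0.11.32/27", "192.109.0.0"))
    print(outbound("192.109.0.18", "240.0.11.32/27", "192.109.0.0"))
    print(inbound("240.0.11.70", "240.0.11.32/27", "192.109.0.0"))
```

Running the script prints the three commands for each mapping and shows that 240.0.11.50 lands on 192.109.0.18 (offset 18 within the /27), that the reply is rewritten back to 240.0.11.50, and that an address outside the block, such as 240.0.11.70, is not translated. The `block_size` check is the one worth doing before typing the commands: a /27 is 32 addresses, not the two that a /31 would give.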