Joe Wein
How to configure "full cone" NAT using iptables

Problem: A Linux-based machine with two network interfaces can be used as a router. To support peer-to-peer applications it is desirable to provide "full cone" Network Address Translation. Most Linux-based routers operate as "port restricted" NAT, which is less flexible.

Explanation:
With full cone NAT, once the router has sent a packet from an external IP address / port combination, incoming packets addressed to that address and port from any source address and port will be forwarded to the local source of the initial packet. RFC 3489 defines it as follows:

Full Cone: A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address.

Solution:
On the netfilter mailing list, Pedro Gonçalves suggested the following: Using iptables, I set all policies to "ACCEPT" and I was able to set up two kinds of NAT
(192.168.2.170 is my "public" address and 10.0.0.1 is my "private" address):

- "Full Cone NAT", with the following rules:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.170
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 10.0.0.1

- "Port Restricted Cone NAT", with just a single rule:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.170
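The following script is an added example; it is not part of the original page or of Pedro Gonçalves' post. It wraps the two rule sets quoted above in a small POSIX shell script that prints the iptables commands for either NAT type and only applies them (together with enabling IPv4 forwarding) when APPLY=1 is set. The interface name eth0 and the addresses 192.168.2.170 / 10.0.0.1 are taken from the quoted post as defaults and are assumptions for your own router.

```shell
#!/bin/sh
# Added example (not from the original page or the mailing-list post).
# Prints, and optionally applies, the SNAT/DNAT rules for "full cone" and
# "port restricted" NAT as described in the post above.
#
# Usage:  sh nat.sh full-cone|port-restricted [WAN_IF] [PUBLIC_IP] [PRIVATE_IP]
#         APPLY=1 sh nat.sh full-cone      # run the commands for real (needs root)
#
# Defaults (assumed, taken from the quoted post): eth0, 192.168.2.170, 10.0.0.1

set -e

# nat_rules MODE WAN_IF PUBLIC_IP PRIVATE_IP
# Prints one iptables command per line for the requested NAT type.
nat_rules() {
    mode=$1; wan=$2; pub=$3; priv=$4
    case "$mode" in
        full-cone)
            # Outbound: rewrite the source address of everything leaving the WAN side.
            printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' "$wan" "$pub"
            # Inbound: every packet arriving on the WAN side is sent to the private
            # host, regardless of its source address/port ("any external host" in RFC 3489).
            printf 'iptables -t nat -A PREROUTING -i %s -j DNAT --to-destination %s\n' "$wan" "$priv"
            ;;
        port-restricted)
            # SNAT alone: connection tracking only lets replies from the address/port
            # that the internal host contacted come back through the mapping.
            printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' "$wan" "$pub"
            ;;
        *)
            echo "unknown NAT mode: $mode" >&2
            return 1
            ;;
    esac
}

# rule_count MODE: number of rules the mode needs (2 for full cone, 1 for port restricted),
# evaluated against the assumed default interface and addresses.
rule_count() {
    nat_rules "$1" eth0 192.168.2.170 10.0.0.1 | wc -l | tr -d ' '
}

main() {
    mode=${1:-full-cone}
    wan=${2:-eth0}
    pub=${3:-192.168.2.170}
    priv=${4:-10.0.0.1}
    if [ "${APPLY:-0}" = "1" ]; then
        # The router must forward between its interfaces for either NAT type to work.
        sysctl -w net.ipv4.ip_forward=1
        nat_rules "$mode" "$wan" "$pub" "$priv" | sh -e
    else
        # Dry run: show what would be executed.
        nat_rules "$mode" "$wan" "$pub" "$priv"
    fi
}

main "$@"
```

Without APPLY=1 the script is a dry run and can be reviewed before anything is changed. Note what the full cone variant actually does on the wire: the PREROUTING rule hands every packet that reaches the WAN interface to 10.0.0.1, so that host is reachable from the Internet on all ports and needs its own packet filtering, or the DNAT match should be narrowed (for example with `-p udp` and a `--dport` range) to the ports the peer-to-peer application uses; both refinements are the author of this example's suggestions, not part of the quoted post.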

Further reading:
openwrt.org Forum thread
Setup of different types of NAT