
I am trying to understand how exactly NAT works, in order to solve another, bigger problem. Here is my Linux box setup:

Interface eth0 is connected to the internet (public IP address).

Interface eth1 is connected to the local network and acts as the gateway (IP 192.168.1.1) that provides internet access for all internal nodes.

The following iptables rules are used:

1) $ iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
2) $ iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
3) $ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Now I would like to understand what exactly rules 1, 2 and 3 do.

Now take this example:

PC1 with IP address 192.168.1.5 and MAC address MAC1 needs to access the URL www.google.com; it constructs the packet like this.

Assume the MAC address of the gateway is MAC2.

source MAC | destination MAC | source IP   | destination IP | payload
MAC1       | MAC2            | 192.168.1.5 | <google ip>    | <data>

Now the gateway (192.168.1.1) receives this packet on interface eth1, alters the source IP to the IP address of interface eth0, and updates some table with an entry for a reverse lookup when the response is received. Which rule is responsible for this operation, rule 1 or rule 2?

And when the response is received on eth0, it alters the destination IP by looking up the table entry and drops the packet on eth1. What exactly does rule 3 do here?

Say an application on the gateway needs to access the internet, creates a packet and sends it over eth0. When the response is received, how is the packet routed to the application on the gateway instead of being transmitted over interface eth1 according to rule 1?

Update

When sending a packet, rule 3 alters the source IP and this is called source NAT. Similarly, when a reply packet is received on eth0, the destination address is changed; is that not destination NAT? Why isn't there a rule for that?

Suppose there is another interface eth2 which is also connected to the internet with a public IP, and a default route exists in the routing table to route the traffic through this device:

$ ip route add default via <IP> dev eth2 scope link

The iptables FORWARD chain rules of the filter table say to send the packets out over eth0, but the routing table has a default route through eth2. In this case which interface is used for the internet?

Is it possible to route the traffic that is forwarded from eth1 (local n/w) to eth0, and the application traffic that originates on the gateway over interface eth2?

Thanks!

1 Answer

I'll re-arrange and re-quote your rules:

$ iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

This rule allows the firewall to FORWARD (i.e., act as a router) all packets entering eth1 (local) and routed to exit via eth0 (Internet).

$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This rule performs Source NAT: It replaces the source address of exiting packets from 192.168.1.xxx to your public IP address, while at the same time recording the details of the NAT in the router's conntrack (connection tracking) table.

Because the details of the NAT are recorded, reply packets from the Internet will be checked against that table. If the reply matches a conntrack entry, the packet will experience an 'inverse NAT' (my term), i.e., replacing the destination address (remember, this is a reply!) with the original sender's address (192.168.1.xxx).

$ iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

This rule allows packets that are replies to outgoing packets (e.g., the one SNAT-ed above) to be routed into the local network.

Now the gateway (192.168.1.1) receives this packet on interface eth1, alters the source IP to the IP address of interface eth0, and updates some table with an entry for a reverse lookup when the response is received. Which rule is responsible for this operation, rule 1 or rule 2?

It's a combination of Rules 2 & 3 (in your original post)

Say an application on the gateway needs to access the internet, creates a packet and sends it over eth0. When the response is received, how is the packet routed to the application on the gateway instead of being transmitted over interface eth1 according to rule 1?

If the gateway itself sends an outgoing packet, the packet will not match any conntrack table entry, and thus will not be 'inverse NAT-ed'.

When sending a packet, rule 3 alters the source IP and this is called source NAT. Similarly, when a reply packet is received on eth0, the destination address is changed; is that not destination NAT? Why isn't there a rule for that?

Technically, it's a DNAT. But netfilter (i.e., the packet filtering/mangling framework that's the 'engine' of iptables) is smart enough. Whenever an incoming packet is received, it's matched with netfilter's conntrack table. If the packet is a reply to an existing outgoing connection (ACK flag set, matching IP:port, matching TCP sequence number, etc.), netfilter automatically performs DNAT. No need for additional rules.

Suppose there is another interface eth2 which is also connected to the internet with a public IP, and a default route exists in the routing table to route the traffic through this device:

$ ip route add default via <IP> dev eth2 scope link

The iptables FORWARD chain rules of the filter table say to send the packets out over eth0, but the routing table has a default route through eth2. In this case which interface is used for the internet?

iptables does not perform routing; it acts on packets after they are routed by iproute2 (i.e., Linux's routing framework). That is why the rule's chain is called "POSTROUTING".

If the scenario is as you explained, iproute2 will make the Linux kernel send the packets via eth2. In this case, the original rule -t nat -A POSTROUTING -o eth0 -j MASQUERADE will no longer match, and MASQUERADE/SNAT will no longer be performed.

Is it possible to route the traffic that is forwarded from eth1 (local n/w) to eth0, and the application traffic that originates on the gateway over interface eth2?

Yes, but you need the help of iproute2.

First, you must create 2 new routing tables. Let's call them 100 and 102:

# Table 100: default route out of eth0 (traffic forwarded from the local network)
ip route add default via $DG_eth0 dev eth0 table 100
# Table 102: default route out of eth2 (traffic generated on the gateway itself)
ip route add default via $DG_eth2 dev eth2 table 102

Next, you create Routing Policies:

# Rule #10: All packets must refer to the 'main' table first
ip rule add priority 10 from all lookup main
# Rule #20: Packets entering eth1 must refer to the '100' table
ip rule add priority 20 iif eth1 lookup 100
# Rule #30: Packets generated by this gateway ('iif lo') must refer to the '102' table
ip rule add priority 30 iif lo lookup 102

Finally, you delete the default route in table main:

ip route delete default table main

The main table is important because it contains a list of all subnets around your gateway; that is why it must still be referred to in Rule #10.

I hope I'm clear enough. Feel free to ask me more questions on iptables.

  • Thanks for the explanation, it helped me to get more clarity on NAT. Updated the question with some more points.
    – Suresh
    Commented Mar 10, 2011 at 12:49
  • Hmmm... I'll edit my answer, then, to explain your additional questions :-)
    – pepoluan
    Commented Mar 10, 2011 at 12:57
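The answer above describes three mechanisms in prose: the routing decision made before iptables sees a packet (policy rules walked by priority, with the main table falling through to the next rule once its default route is gone), MASQUERADE rewriting the source and recording a conntrack mapping on the chosen egress interface only, and the reply path where conntrack lookup alone performs the "inverse NAT" so no DNAT rule is needed. The following toy model is an added example written for this page, not code from the question or the answer; it is a simulation in Python, not a driver for the real netfilter or iproute2. All addresses (the public IPs of eth0 and eth2, the stand-in for the "google ip") are constructed placeholders, and real conntrack tracks every connection, including the gateway's own, whereas this model only stores the NAT mappings that matter for the de-NAT step.

```python
"""Toy model of the gateway from the thread: policy routing, MASQUERADE with a
conntrack mapping, and reply de-NAT by lookup only. Constructed example."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    iif: str  # arrival interface; "lo" marks packets generated on the gateway itself


# Constructed addressing: eth0/eth2 public IPs are placeholders from RFC 5737 ranges.
IFACE_IP = {"eth0": "203.0.113.10", "eth1": "192.168.1.1", "eth2": "198.51.100.20"}
NAT_IFACES = {"eth0", "eth2"}  # interfaces carrying a POSTROUTING MASQUERADE rule

# Routing tables as (prefix, device). main keeps only the connected subnet once its
# default route is deleted; tables 100 and 102 hold one default route each.
TABLES: Dict[str, List[Tuple[str, str]]] = {
    "main": [("192.168.1.0/24", "eth1")],
    "100": [("0.0.0.0/0", "eth0")],
    "102": [("0.0.0.0/0", "eth2")],
}
# ip rules as (priority, iif selector or None for 'from all', table to consult)
RULES = [(10, None, "main"), (20, "eth1", "100"), (30, "lo", "102")]


def lookup(table: str, dst_ip: str) -> Optional[str]:
    """Longest-prefix match inside one table; None means 'no route in this table'."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def route(pkt: Packet) -> Optional[str]:
    """Walk the rules by priority; a table with no matching route falls through."""
    for _prio, iif_sel, table in sorted(RULES):
        if iif_sel is not None and iif_sel != pkt.iif:
            continue
        dev = lookup(table, pkt.dst_ip)
        if dev is not None:
            return dev
    return None  # no rule produced a route: the kernel would report 'unreachable'


class Gateway:
    def __init__(self) -> None:
        # reply tuple (public_ip, mapped_port, remote_ip, remote_port) -> (orig_src_ip, orig_src_port)
        self.conntrack: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def _alloc_port(self, pub: str, pkt: Packet) -> int:
        """MASQUERADE keeps the original source port when free, else picks another."""
        port = pkt.src_port
        while (pub, port, pkt.dst_ip, pkt.dst_port) in self.conntrack:
            port = port + 1 if port < 65535 else 1024
        return port

    def send_out(self, pkt: Packet) -> Tuple[Packet, Optional[str]]:
        """Routing decision first, then POSTROUTING: NAT only on a masqueraded egress."""
        oif = route(pkt)
        if oif not in NAT_IFACES or pkt.src_ip == IFACE_IP.get(oif):
            return pkt, oif  # LAN-bound traffic, or the gateway's own traffic: untouched
        pub = IFACE_IP[oif]
        port = self._alloc_port(pub, pkt)
        self.conntrack[(pub, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=pub, src_port=port), oif

    def receive(self, pkt: Packet) -> Tuple[Packet, str]:
        """Inbound on a public interface: the conntrack lookup is the whole 'DNAT'."""
        orig = self.conntrack.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if orig is None:
            # No mapping: the gateway's own connection (or unsolicited traffic), so the
            # packet goes to the local stack and the FORWARD chain never sees it.
            return pkt, "local"
        return replace(pkt, dst_ip=orig[0], dst_port=orig[1]), "forward"


def demo() -> dict:
    """Run the four cases discussed in the thread and return the observable results."""
    gw = Gateway()
    remote = ("192.0.2.80", 80)  # constructed stand-in for the '<google ip>'
    pc1 = Packet("192.168.1.5", 40000, *remote, iif="eth1")
    pc2 = Packet("192.168.1.6", 40000, *remote, iif="eth1")  # same ports: port collision
    own = Packet(IFACE_IP["eth2"], 50000, *remote, iif="lo")  # generated on the gateway
    lan = Packet("192.168.1.5", 40000, "192.168.1.7", 22, iif="eth1")  # stays on the LAN
    out1, oif1 = gw.send_out(pc1)
    out2, oif2 = gw.send_out(pc2)
    out3, oif3 = gw.send_out(own)
    out4, oif4 = gw.send_out(lan)
    reply1 = Packet(remote[0], remote[1], out1.src_ip, out1.src_port, iif=oif1)
    reply3 = Packet(remote[0], remote[1], out3.src_ip, out3.src_port, iif=oif3)
    return {
        "pc1": (out1.src_ip, out1.src_port, oif1),
        "pc2": (out2.src_ip, out2.src_port, oif2),
        "own": (out3.src_ip, out3.src_port, oif3),
        "lan": (out4.src_ip, out4.src_port, oif4),
        "reply1": gw.receive(reply1),
        "reply3": gw.receive(reply3),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows PC1's packet leaving eth0 as 203.0.113.10:40000 while PC2's identical ports are remapped to 40001, the gateway's own packet leaving eth2 untouched, and the LAN-to-LAN packet never hitting the masquerade rule because its egress is eth1. The reply to PC1 is rewritten back to 192.168.1.5 by the lookup alone; the reply to the gateway's own connection finds no mapping and is handed to the local stack, which is the answer to the question of why it is not pushed out over eth1.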
