How to modify fedora's NAT type?

80mail · 07-07-2005, 08:26 AM

My OS is fedora3. I use the OS to be a NAT Server. I find the NAT type is symmetric cone. How to modify its NAT type. I want a full cone. Thanks for any idea.

Following is my NAT¡¯s shell script:
Echo "1" > /proc/sys/net/ipv4/ip_forward
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -F -t nat
/sbin/iptables -X -t nat
/sbin/iptables -Z -t nat
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -P POSTROUTING ACCEPT
/sbin/iptables -t nat -P OUTPUT ACCEPT
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.1.0/24 -j MASQUERADE

fr_laz · 07-07-2005, 08:39 AM

Hi,

what do you need exactly? If you want that every single host on your LAN has its own public IP, then stop using masquerading and use the following command instead:
iptables -t nat -A POSTROUTING -s $PRIVATE_IP_HOST1 -o ppp0 -j SNAT --to-source $PUBLIC_IP_HOST1

if you want to give access to your internal machines from outside your network, use this:
iptables -t nat -A PREROUTING -d $PUBLIC_IP -i ppp0 -j DNAT --to-dest $PRIVATE_IP

in both the command lines you can add -p tcp/udp options and --dport/sport so as to limit the way the translation is applied (that's policy nat)
you can also use the --to-dest $IP:$PORT so as to do some port redirection.

hope it answers your question!

demian · 07-07-2005, 08:46 AM

netfilter does symmetric NAT. Nothing else. If you want full cone your only option if you want to keep using iptables is to manually set up a translation table with all your internal and external ip addresses.

80mail · 07-07-2005, 09:11 AM

Thanks for the replies. I use some P2P communication softs in the LAN. So symmetric nat does not suit my application. Besides setting up a translation table, can I make a real Full cone or Partial/Restricted Cone instead of symmetric cone? thanks for any idea.

sanbabba · 09-06-2006, 10:28 AM

Quote:

Originally Posted by demian

netfilter does symmetric NAT. Nothing else. If you want full cone your only option if you want to keep using iptables is to manually set up a translation table with all your internal and external ip addresses.

Please send me the SYMMETRIC NAT configuration using netfilter

Honor · 11-21-2006, 10:35 AM

I use WinSTUN tool to test my Linux NAT Type, but it shows "Port Restricted". What tool do you use to test NAT Type?

UhhMaybe · 05-19-2007, 01:22 AM

http://linux-ip.net/html/nat-stateless.html try this for reading and/or tools and NAT output.This is for general discussion...http://en.wikipedia.org/wiki/Iptables It stongly directs to the advantages of "iptables". http://tldp.org/HOWTO/HOWTO-INDEX/howtos.html for more about iptables, NAT and tracking rules or tracking packets. Good luck.