I will give an example of installing and configuring xt_NAT on Ubuntu Server 14.04 with kernel version 4.4.0-142. xt_NAT may not work on newer kernel versions. According to the developer, it should work on Linux Kernel 3.18 and 4.1. Patches are available to make it work on newer kernel versions.
Check whether packet forwarding between interfaces is enabled, enable it, and add the same setting to the /etc/sysctl.conf file so that it persists across reboots:
cat /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.conf.all.forwarding=1
nano /etc/sysctl.conf
net.ipv4.conf.all.forwarding=1
Switch to the root user and install the necessary components:
sudo -i
apt install xtables-addons-source
Download xt_NAT:
git clone https://github.com/andrsharaev/xt_NAT.git
I also saved it here just in case.
Build and install the module:
cd xt_NAT
make
make install
depmod -a
After installing xt_NAT, load the module, specifying the range of IP addresses to use as the NAT pool (not the client’s network):
modprobe xt_NAT nat_pool=192.168.5.2-192.168.5.254
To unload the module:
modprobe -r xt_NAT
You can also export statistics via NetFlow v5. To do this, specify the collector address in “nf_dest”, for example:
modprobe xt_NAT nat_pool=192.168.5.2-192.168.5.254 nf_dest=192.168.10.10:2055
Disable conntrack for xt_NAT traffic (where 192.168.55.0/24 is the client’s network):
iptables -t raw -A PREROUTING -s 192.168.55.0/24 -j CT --notrack
iptables -t raw -A PREROUTING -d <NAT Pool Net> -j CT --notrack
Add iptables rules to use the xt_NAT module for user traffic (eth0 – uplink interface, eth1 – towards clients):
iptables -t raw -A PREROUTING -d <NAT Pool Net> -j NAT --dnat
iptables -A FORWARD -d 192.168.55.0/24 -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -s 192.168.55.0/24 -i eth1 -o eth0 -j NAT --snat
On the second network interface, which faces the clients, set the IP address in /etc/network/interfaces, or temporarily with the command:
ifconfig eth1 inet 192.168.55.1 netmask 255.255.255.0
The files below contain statistics that you can, for example, graph in Zabbix:
/proc/net/NAT/sessions (Proto SrcIP:SrcPort -> NatIP:NatPort)
/proc/net/NAT/users
/proc/net/NAT/statistics
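As an added example (not part of the original article or of xt_NAT itself), the shell functions below summarize the sessions file per client, which can feed a Zabbix item or help spot a client consuming an unusual number of NAT ports. It assumes each line has the form shown above (Proto SrcIP:SrcPort -> NatIP:NatPort) with IPv4 addresses; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of xt_NAT. Assumed line format (IPv4):
#   Proto SrcIP:SrcPort -> NatIP:NatPort

# nat_sessions_per_client [FILE]   (reads stdin when FILE is omitted)
# Prints "count client_ip nat_ip", highest count first.
nat_sessions_per_client() {
    awk '
        # Skip headers and anything not shaped like a session line.
        NF == 4 && $3 == "->" &&
        $2 ~ /^[0-9.]+:[0-9]+$/ && $4 ~ /^[0-9.]+:[0-9]+$/ {
            split($2, src, ":"); split($4, nat, ":")
            count[src[1] " " nat[1]]++
        }
        END { for (k in count) print count[k], k }
    ' "${1:--}" | sort -k1,1nr -k2,2
}

# nat_clients_over LIMIT [FILE]
# Prints client IPs whose total session count is greater than LIMIT.
nat_clients_over() {
    nat_sessions_per_client "$2" | awk -v limit="$1" '
        { total[$2] += $1 }
        END { for (ip in total) if (total[ip] > limit) print ip }
    ' | sort
}

# Constructed sample lines (not real output), including a header-like
# line that the parser must ignore.
nat_sample() {
    cat <<'EOF'
Proto SrcIP:SrcPort -> NatIP:NatPort
TCP 192.168.55.10:51000 -> 192.168.5.7:40001
TCP 192.168.55.10:51001 -> 192.168.5.7:40002
UDP 192.168.55.10:5353 -> 192.168.5.7:40003
TCP 192.168.55.20:44321 -> 192.168.5.9:1025
EOF
}

# Use the live file when the module is loaded, otherwise the sample.
if [ -r /proc/net/NAT/sessions ]; then
    nat_sessions_per_client /proc/net/NAT/sessions
else
    nat_sample | nat_sessions_per_client
fi
```

For a Zabbix item, call nat_clients_over with a threshold that fits your pool size and alert when it prints anything.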