Hello everyone. I am having a problem setting up a symmetric NAT using iptables.
Actually I am working on a SIP application. SIP has problems on NATed networks. STUN is one of the solutions. I have embedded STUN client functionality inside the SIP application. Now I have to test the application. There are four scenarios of NATed network: The following chart shows combinations of NATs at each endpoint with the current NAT type definitions in STUN. The combinations are classified into 4 groups: Class I, II, III and IV.

    +----------+-----+-----+-----+-----+-----+
    |\    EP-R |     |     |     |     |     |
    | -------- |Open |  F  |  P  | PR  | SYM |
    |EP-S     \|     |     |     |     |     |
    |----------+-----+-----+-----+-----+-----+
    |   Open   |     |     |     |     |     |
    |----------+     |     |     |     |     |
    |    F     |     |                 |(III)|
    |----------+( I )|      ( II )     |     |
    |    P     |     |                 |     |
    |----------+     |                 +-----+
    |    PR    |     |                 |     |
    |----------+     |           +-----+     |
    |   SYM    |     |           |   (IV)    |
    +----------+-----------------+-----------+

Note:
EP-S: Sending endpoint.
EP-R: Receiving endpoint.
(In full-duplex, both EP-a and EP-b in Figure 3.1 will have both EP-S and EP-R)
Open: Open to public network (no NAT)
F : Full-cone NAT
R : Restricted-cone NAT
PR : Port restricted-cone NAT

For setting up a test environment, I decided to set it up as below:

            192.168.0.2
            +----------+
            | ClientA  |
            +----------+
                  |
                  |
                  | eth1             eth0
                  | 192.168.0.1      172.25.25.41
            +-------------|-------------+
            |           NAT1            |
            +-------------|-------------+
                          |
                          |
                          | 172.25.25.42
                          |
            +---------------------------+
            |Proxy\Registrar,STUN Server|
            +---------------------------+
                          |
                          | eth1         eth0
                          | 10.0.0.1    |172.25.25.43
                          |
            +-------------|-------------+
            |           NAT2            |
            +-------------|-------------+
                  |
                  |
                  |
                  | 10.0.0.2
            +----------+
            | ClientB  |
            +----------+

172.25.25.X ---- LAN (External Network for client A and B)
192.168.0.X ---- Private Network 1 (Internal Network for Client A)
10.0.0.X    ---- Private Network 2 (Internal Network for Client B)

ClientA and ClientB are SIP clients with STUN functionality embedded. NAT1 and NAT2 are internal LAN NATs. I mean, for testing purposes, I have used two machines with two network cards each. Below is the configuration of NAT1 using iptables.
Also I am configuring it for the UDP protocol, as the SIP application is using UDP for both signaling and media streaming.

> iptables -A PREROUTING -t nat -d 172.25.25.41 -i eth0 -j DNAT --to 192.168.0.2

This tells NAT1 to change the destination of the packet received on eth0 to ClientA's address whenever the destination is eth0 (172.25.25.41).

> iptables -A FORWARD -d 192.168.0.2 -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

For forwarding the packets from eth1 and to remember their state.

> iptables -A POSTROUTING -t nat -p udp -s 192.168.0.2 -o eth0 -j SNAT --to 172.25.25.41:7070-7074

To change the source address of the packet to a pool of addresses before routing to eth0. My intention was to make it symmetric.

> echo "1" > /proc/sys/net/ipv4/ip_forward

To set the ip_forward table ON.

The above commands I used for making NAT1 symmetric. For making it port restricted, I change the POSTROUTING command above and make it like this:

> iptables -A POSTROUTING -t nat -p udp -s 192.168.0.2 -o eth0 -j SNAT --to 172.25.25.41:8080

Here NAT1 will change the source address of ClientA's packets to the same address for routing. I am using it for testing purposes, so it will work as long as only one client exists in Private Network 1.

For making NAT1 restricted, I change the above POSTROUTING command and make it like this:

> iptables -A POSTROUTING -t nat -p udp -s 192.168.0.2 -o eth0 -j SNAT --to 172.25.25.41

For making it a FULL CONE NAT, I have to think about it.

So what I want is a test environment for my SIP application. I can't use an application gateway, as only NAT will work here, because after testing here I will try to test it on some real environment. I want iptables commands that can do the above task. Please suggest something if you have some better option in mind, like if there is some application that can set up NAT as mentioned above, or if I can test my application on some public STUN and proxy servers on the Internet.
Also, if you think this can be performed by some utility on some different OS like Windows, please suggest it to me.

regards,
Asif
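The four NAT behaviours the mail wants to reproduce differ in two independent things: whether the external mapping depends on the destination (symmetric versus the cone types) and which inbound senders are allowed to use a mapping (full, restricted, port restricted). The Python model below is an added example, not code from Asif's mail or from his lab; it simulates each behaviour and runs the RFC 3489 STUN discovery tests (Test I, II and III) against it, so the classification a STUN client is expected to report for each NAT can be checked before any iptables rules are written. The client, NAT1 and STUN server addresses are taken from the topology in the mail; the STUN port 3478, the server's alternate address 172.25.25.52 and port 3479, and the external port pool starting at 7070 are assumptions of the model.

```python
"""Simulation of the NAT types in the chart above and of the RFC 3489 STUN
classification tests.  Added example: nothing here is from the original mail,
and no packets are sent; NAT, STUN server and client are plain Python objects."""

from dataclasses import dataclass, field

Endpoint = tuple[str, int]          # (ip, udp port)

# Topology from the mail: ClientA behind NAT1, STUN server on the 172.25.25.x LAN.
CLIENT: Endpoint = ("192.168.0.2", 5060)
NAT1_EXT_IP = "172.25.25.41"
STUN_A: Endpoint = ("172.25.25.42", 3478)   # server IP from the mail, port assumed
STUN_B: Endpoint = ("172.25.25.52", 3479)   # assumed second IP/port (RFC 3489 needs both)
ALTERNATE = {STUN_A: STUN_B, STUN_B: STUN_A}


@dataclass
class Nat:
    """kind is one of: open, full_cone, restricted, port_restricted, symmetric."""
    kind: str
    ext_ip: str
    next_port: int = 7070                                   # assumed external port pool
    mappings: dict = field(default_factory=dict)            # mapping key -> external port
    permitted: set = field(default_factory=set)             # (ext_port, dst_ip, dst_port) sent to

    def _mapping_key(self, src: Endpoint, dst: Endpoint):
        # Only a symmetric NAT allocates a separate mapping per destination.
        return (src, dst) if self.kind == "symmetric" else src

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outgoing packet; returns the external (ip, port) it leaves with."""
        if self.kind == "open":
            return src                                      # no NAT at all
        key = self._mapping_key(src, dst)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        port = self.mappings[key]
        self.permitted.add((port, dst[0], dst[1]))
        return (self.ext_ip, port)

    def inbound(self, ext_port: int, sender: Endpoint) -> bool:
        """Filtering decision for a packet addressed to ext_ip:ext_port from sender."""
        if self.kind == "open":
            return True
        if ext_port not in self.mappings.values():
            return False                                    # no mapping: dropped
        if self.kind == "full_cone":
            return True                                     # any sender may use the mapping
        if self.kind == "restricted":
            return any(p == ext_port and ip == sender[0] for p, ip, _ in self.permitted)
        # port_restricted and symmetric: sender must be an (ip, port) the host sent to
        return (ext_port, sender[0], sender[1]) in self.permitted


def stun_request(nat: Nat, src: Endpoint, server: Endpoint,
                 change_ip: bool = False, change_port: bool = False):
    """One Binding Request through nat to server.  With CHANGE-REQUEST flags the
    server answers from its alternate IP and/or port.  Returns the MAPPED-ADDRESS
    the server saw, or None when the NAT drops the response."""
    mapped = nat.outbound(src, server)
    alt = ALTERNATE[server]
    reply_from = (alt[0] if change_ip else server[0], alt[1] if change_port else server[1])
    return mapped if nat.inbound(mapped[1], reply_from) else None


def classify(nat: Nat, client: Endpoint = CLIENT) -> str:
    """RFC 3489 section 10.1 discovery, as a STUN client embedded in a SIP UA runs it."""
    m1 = stun_request(nat, client, STUN_A)                  # Test I
    if m1 is None:
        return "udp_blocked"
    if m1 == client:
        return "open"
    if stun_request(nat, client, STUN_A, change_ip=True, change_port=True):  # Test II
        return "full_cone"
    m2 = stun_request(nat, client, STUN_B)                  # Test I again, other server IP
    if m2 != m1:
        return "symmetric"                                  # mapping changed with destination
    if stun_request(nat, client, STUN_A, change_port=True):  # Test III
        return "restricted"
    return "port_restricted"


if __name__ == "__main__":
    for kind in ("open", "full_cone", "restricted", "port_restricted", "symmetric"):
        print(f"{kind:16s} -> {classify(Nat(kind, NAT1_EXT_IP))}")
```

The model separates the two decisions that a packet filter also makes separately: `outbound` is the mapping rule (what the SNAT target decides) and `inbound` is the filtering rule (what the FORWARD chain and its connection-tracking state decide). Symmetric versus cone is purely a mapping property, visible to STUN as a different MAPPED-ADDRESS towards a second server IP, while restricted versus port restricted is purely an inbound filtering property, so a lab that changes only the SNAT target will exercise the first distinction but not the second.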