NAT Table Features

nat table

Target extensions: SNAT, DNAT, MASQUERADE, REDIRECT

  • MASQUERADE

A specialized form of source NAT for connections that leave through an interface whose IP address is temporary, changeable and dynamically assigned (such as a dial-up connection), so the source address is taken from the outgoing interface rather than written into the rule

  • REDIRECT

A specialized form of destination NAT that redirects the packet to the local host, regardless of the destination address in the IP header

The nat table has three built-in chains:

  • The PREROUTING chain specifies destination changes to incoming packets before the packet is passed to the routing function (DNAT). The new destination can be the local host (transparent proxying, port redirection) or a different host, either for host forwarding (ipmasqadm functionality, called port forwarding in Linux parlance) or for load sharing.

  • The OUTPUT chain specifies destination changes to locally generated outgoing packets before the routing decision has been made (DNAT, REDIRECT). This is usually done to transparently redirect an outgoing packet to a local proxy, but it can also be used to port-forward to a different host.

  • The POSTROUTING chain specifies source changes to outgoing packets being routed through the box (SNAT, MASQUERADE). The changes are applied after the routing decision has been made.
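The three chains above, written as an nftables ruleset rather than iptables commands (an added example, not taken from the book); the interface names, addresses, proxy port and the "proxy" user name are assumed placeholders.

```nft
# Load with: nft -f nat.nft  (assumes eth0 = WAN, eth1 = LAN, proxy listening on 3128)
table ip nat {
    # PREROUTING: rewrite destinations of incoming packets before the routing decision (DNAT)
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # port forwarding to a different host: WAN tcp/8080 -> internal web server
        iifname "eth0" tcp dport 8080 dnat to 192.0.2.10:80
        # transparent proxying to the local host: LAN web traffic -> local proxy
        iifname "eth1" tcp dport 80 redirect to :3128
    }

    # OUTPUT: rewrite destinations of locally generated packets before routing (DNAT, REDIRECT)
    chain output {
        type nat hook output priority dstnat; policy accept;
        # send this host's own outbound HTTP through the local proxy, but exclude the
        # proxy's own connections, otherwise they are redirected back to it in a loop
        meta skuid != "proxy" tcp dport 80 redirect to :3128
    }

    # POSTROUTING: rewrite sources of packets leaving the box, after routing (SNAT, MASQUERADE)
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # static WAN address: SNAT to it explicitly
        oifname "eth0" ip saddr 192.168.1.0/24 snat to 203.0.113.5
        # dynamically assigned address (dial-up, DHCP): use masquerade instead of snat,
        # so the source is taken from the interface's current address
        oifname "ppp0" ip saddr 192.168.1.0/24 masquerade
    }
}
```

The `priority dstnat` / `priority srcnat` keywords place the chains at the same points in the packet path as the iptables nat chains; forwarded traffic additionally needs `net.ipv4.ip_forward=1`.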

From

Linux Security: Enhancing Security with nftables and Beyond