calls masquerading, two special rule chains are used:

    The prerouting chain, which handles packets before the router processes the packet for routing

    The postrouting chain, which handles packets after the router processes the packet for routing

The iptables command has three policies that are specific to address translation. Policies, sometimes called targets in the iptables syntax, are procedures that process packets. Several policies have been predefined for security processing, and three have been predefined for NAT processing:

    MASQUERADE   This is used to translate an address to the address assigned to the NAT box.

    SNAT   This is used to statically map one specific address to another specific address.

    DNAT   This is used to dynamically map an address to the next available address in a group of addresses.

Assume that the small office network attaches to a Linux router acting as a NAT box through the router’s eth0 interface. Further, assume that the Linux router connects to the outside world through its eth1 interface, and that the address assigned to that interface is the official address provided by the ISP. The following iptables command will do the job:

    # iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

The -t nat option tells iptables that it is working with the address translation chains. The -A option adds this rule to the POSTROUTING chain, which means that this translation will happen after the router determines how to deliver the packet. The -o eth1 option tells iptables that the rule should be applied to any packet that is heading out of the eth1 interface. (-i is used for packets coming in on an interface.) The -j MASQUERADE option tells iptables that when a packet matches the conditions of having been processed for routing and of being routed out of interface eth1, iptables should jump to the MASQUERADE policy to complete processing.
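The following script is an added example and is not code from the book. It packages the NAT-box setup described above into shell functions and adds the audit check a router administrator would want: it confirms that the live POSTROUTING chain contains a MASQUERADE rule and that the rule is tied to the ISP-facing interface with -o, since a MASQUERADE rule with no -o match also rewrites the source of packets sent out on the LAN side. Interface roles follow the text (eth0 toward the office, eth1 toward the ISP); the LAN prefix 192.168.1.0/24 and the static address 203.0.113.5 are constructed placeholders. The SNAT variant shown uses the iptables --to-source option, which rewrites the source address to the fixed address given, and IP forwarding is switched on because the kernel drops transit packets before the nat table is consulted when it is off.

```shell
#!/bin/sh
# Added example, not from the book. Interface roles follow the text:
# eth0 faces the office LAN, eth1 faces the ISP. The LAN prefix and the
# static ISP address below are constructed placeholders.
LAN_IF="eth0"
WAN_IF="eth1"
LAN_NET="192.168.1.0/24"        # constructed
WAN_ADDR="203.0.113.5"          # constructed (TEST-NET-3 documentation range)

# Commands that turn the host into the NAT box. Forwarding must be enabled,
# otherwise the kernel discards transit packets before POSTROUTING is reached.
# The -s match limits translation to the office network and -o limits it to
# packets leaving toward the ISP, as the rule in the text does.
nat_setup_commands() {
    printf '%s\n' "sysctl -w net.ipv4.ip_forward=1"
    printf '%s\n' "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
}

# Same translation using the SNAT target: the source is rewritten to the
# fixed address given with --to-source instead of whatever eth1 holds now.
snat_setup_command() {
    printf '%s\n' "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_ADDR"
}

# Audit check. Reads the output of 'iptables -t nat -S POSTROUTING' on stdin
# and succeeds (status 0) only if a MASQUERADE rule exists and is tied to the
# WAN interface. Status 1: no such rule. Status 2: a MASQUERADE rule with no
# -o match, which would also rewrite sources of packets sent out on the LAN
# side and make internal hosts indistinguishable in logs.
check_masquerade_rule() {
    status=1
    while IFS= read -r rule; do
        case "$rule" in
            *"-j MASQUERADE"*)
                case "$rule" in
                    *"-o $WAN_IF "*) status=0 ;;
                    *) echo "unscoped MASQUERADE rule: $rule" >&2; return 2 ;;
                esac ;;
        esac
    done
    return $status
}

# Constructed rule dumps in the format 'iptables -S' prints, used to exercise the check.
GOOD_DUMP="-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE"
BAD_DUMP="-P POSTROUTING ACCEPT
-A POSTROUTING -j MASQUERADE"

# To apply on the router (as root):   nat_setup_commands | sh
# To audit the running router:        iptables -t nat -S POSTROUTING | check_masquerade_rule
```

The check reads the rule dump rather than the counters, so it can be run from a cron job or a configuration-management hook and will flag a rule that was added by hand without the -o eth1 restriction.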
As noted earlier, the MASQUERADE policy converts the source address of the packet to the address assigned to the router; in this case, it converts the source address to the address assigned to interface eth1. With this rule, the one official address assigned to the router can be used to connect all four of the systems on our small network to the Internet at large. Combined with the Linux routing features discussed earlier, when the NAT rule is installed, Linux completely meets the routing needs of our small office network.

In Sum

This chapter concludes the Internet server operations part of this book. All of the basic services needed for an Internet server have been covered: remote login, file transfer, e-mail, web service, and routing. The next chapter begins Part Three, “Departmental Server Configuration,” in which the services needed on a departmental server are examined. To begin, Chapter 8 covers the DHCP server that simplifies the configuration of desktop computers.