The Linux kernel has the built-in ability to filter packets, allowing some of them to be received by or pass through the system while stopping others. The kernel’s netfilter has three built-in tables or rules lists. They are as follows:
Table | Description |
---|---|
filter |
The default table for handling network packets. |
nat |
Used to alter packets that create a new connection and used for Network Address Translation (NAT). |
mangle |
Used for specific types of packet alteration. |
Each table has a group of built-in chains which correspond to the actions performed on the packet by the netfilter.
Table | Chains |
---|---|
filter |
|
nat |
|
mangle |
|
Kubernetes heavily depend on netfilter, below is a sample for simulate Kubernetes ClusterIP service.
iptables -t nat -N TTCP-SERVICES
iptables -t nat -A PREROUTING -j TTCP-SERVICES
iptables -t nat -N TTCP-MARK-MASQ
iptables -t nat -A TTCP-MARK-MASQ -j MARK --or-mark 0x4000
iptables -t nat -N TTCP-SVC-VS
iptables -t nat -A TTCP-SERVICES -p tcp --dport 5001 -d 10.1.10.201 -j TTCP-SVC-VS
iptables -t nat -A TTCP-SVC-VS -p tcp --dport 5001 -d 10.1.10.201 ! -s 10.1.20.0/24 -j TTCP-MARK-MASQ
iptables -t nat -N TTCP-SEP-01
iptables -t nat -A TTCP-SEP-01 -s 10.1.20.203 -j TTCP-MARK-MASQ
iptables -t nat -A TTCP-SEP-01 -p tcp -j DNAT --to-destination 10.1.20.203:5001
iptables -t nat -N TTCP-SEP-02
iptables -t nat -A TTCP-SEP-02 -s 10.1.20.204 -j TTCP-MARK-MASQ
iptables -t nat -A TTCP-SEP-02 -p tcp -j DNAT --to-destination 10.1.20.204:5001
iptables -t nat -A TTCP-SVC-VS -j TTCP-SEP-01 -m statistic --mode random --probability 0.5
iptables -t nat -A TTCP-SVC-VS -j TTCP-SEP-02
iptables -t nat -A OUTPUT -j TTCP-SERVICES
iptables -t nat -N TTCP-POSTROUTING
iptables -t nat -A POSTROUTING -j TTCP-POSTROUTING
iptables -t nat -A TTCP-POSTROUTING -j RETURN
iptables -t nat -A TTCP-POSTROUTING -j MARK --xor-mark 0x4000
iptables -t nat -A TTCP-POSTROUTING -j MASQUERADE
iptables -t nat -D PREROUTING 1
iptables -t nat -D OUTPUT 1
iptables -t nat -D POSTROUTING 1
iptables -t nat -D TTCP-SERVICES 1
iptables -t nat -X TTCP-SERVICES
iptables -t nat -D TTCP-SVC-VS 3
iptables -t nat -D TTCP-SVC-VS 2
iptables -t nat -D TTCP-SVC-VS 1
iptables -t nat -X TTCP-SVC-VS
iptables -t nat -D TTCP-SEP-01 2
iptables -t nat -D TTCP-SEP-01 1
iptables -t nat -X TTCP-SEP-01
iptables -t nat -D TTCP-SEP-02 2
iptables -t nat -D TTCP-SEP-02 1
iptables -t nat -X TTCP-SEP-02
iptables -t nat -D TTCP-MARK-MASQ 1
iptables -t nat -X TTCP-MARK-MASQ
iptables -t nat -D TTCP-POSTROUTING 2
iptables -t nat -D TTCP-POSTROUTING 1
iptables -t nat -X TTCP-POSTROUTING
Three scenarios of NAT
-
Outbond to internet - you has single public IP address from your ISP vendor, but you have bunch of servers that need to connect to internet, only replies to packets with this IP address as source address will return to you.
-
Multiple Servers - you use one IP address to access multiple servers, Sometimes you want to change where packets heading into your network will go. Frequently this is because (as above), you have only one IP address, but you want people to be able to get into the boxes behind the one with the `real' IP address. If you rewrite the destination of incoming packets, you can manage this. This type of NAT was called port-forwarding under previous versions of Linux.
-
Transparent Proxying - Sometimes you want to pretend that each packet which passes through your Linux box is destined for a program on the Linux box itself. This is used to make transparent proxies: a proxy is a program which stands between your network and the outside world, shuffling communication between the two. The transparent part is because your network won’t even know it’s talking to a proxy, unless of course, the proxy doesn’t work.
Two types of NAT
-
Source NAT (SNAT) - alter the source address of the first packet.
-
Destination NAT (DNAT) - alter the destination address of the first packet
If the public IP address is dynamically allocated, then MASQUERADE can be used.
iptables -t nat -A POSTROUTING -s 10.1.20.0/24 -o ens33 -j MASQUERADE
10.1.10.202 as internet service, 10.1.10.201 as gateway, 10.1.20.203 as internel client.
Note
|
MASQUERADE is used while public IP address is dynamically allocated, in this scenario, 10.1.10.201 is dynamically allocated. |
If the public IP address is mannually assigned, then the SNAT could be use to supply same ability like MASQUERADE.
iptables -t nat -A POSTROUTING -o ens33 -s 10.1.20.0/24 -j SNAT --to 10.1.10.201
Gateway hidden the server, 10.1.10.202 as a client to access the hidden server via 10.1.10.201 exposed endpoint 10.1.10.201:50050.
iptables -t nat -A PREROUTING -p tcp -i ens33 -s 10.1.10.0/24 -d 10.1.10.201 --dport 50050 -j DNAT --to 10.1.20.203:5001
iptables -t nat -A POSTROUTING -s 10.1.10.0/24 -o ens34 -j MASQUERADE
Gateway hidden the server, the intranet gateway IP address is assigned manually, 10.1.10.202 as a client to access the hidden server via 10.1.10.201 exposed endpoint 10.1.10.201:50050.
iptables -t nat -A PREROUTING -p tcp -i ens33 -s 10.1.10.0/24 -d 10.1.10.201 --dport 50050 -j DNAT --to 10.1.20.203:5001
iptables -t nat -A POSTROUTING -o ens34 -s 10.1.10.0/24 -j SNAT --to 10.1.20.201
Still in hidden the server way, 10.1.20.201 as intranet SNAT address, but with port range start from 30000 to 50000.
iptables -t nat -A PREROUTING -p tcp -i ens33 -s 10.1.10.0/24 -d 10.1.10.201 --dport 50050 -j DNAT --to 10.1.20.203:5001
iptables -t nat -A POSTROUTING -p tcp -o ens34 -s 10.1.10.0/24 -j SNAT --to 10.1.20.201:30000-50000
Still in hidden the server way, this time add a SNAT Pool.
add SNAT pool member address before set SNAT rule.
ip addr add 10.1.20.101/24 dev ens34
ip addr add 10.1.20.102/24 dev ens34
ip addr add 10.1.20.103/24 dev ens34
iptables -t nat -A PREROUTING -p tcp -i ens33 -s 10.1.10.0/24 -d 10.1.10.201 --dport 50050 -j DNAT --to 10.1.20.203:5001
iptables -t nat -A POSTROUTING -o ens34 -s 10.1.10.0/24 -j SNAT --to 10.1.20.101-10.1.20.103
Random mode with probability is 0.5 will load balancing traffic to 2 hidden servers with Round Robin algorithm.
iptables -t nat -A PREROUTING -p tcp -i ens33 -s 10.1.10.0/24 -d 10.1.10.201 --dport 50050 -m statistic --mode random --probability 0.5 -j DNAT --to 10.1.20.203:5001
iptables -t nat -A PREROUTING -p tcp -i ens33 -s 10.1.10.0/24 -d 10.1.10.201 --dport 50050 -j DNAT --to 10.1.20.204:5001
iptables -t nat -A POSTROUTING -o ens34 -s 10.1.10.0/24 -j SNAT --to 10.1.20.101-10.1.20.103
After some testing, check the traffic distribution.
~]# iptables -t nat -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 49 packets, 10707 bytes)
pkts bytes target prot opt in out source destination
552 33120 DNAT tcp -- ens33 * 10.1.10.0/24 10.1.10.201 tcp dpt:50050 statistic mode random probability 0.50000000000 to:10.1.20.203:5001
550 33000 DNAT tcp -- ens33 * 10.1.10.0/24 10.1.10.201 tcp dpt:50050 to:10.1.20.204:5001