Iptables – SNAT


This is one of the easiest and reasonably efficient ways to use SNAT with iptables, assuming we already know and understand what SNAT itself is.
To make it clearer we can go straight to practice. The prerequisite is that we must create the IP alias addresses first. As an example we will set up SNAT on the firewall machine with the following conditions:

  • Use one local IP address (192.168.1.100) so that it is seen on the internet as IP address 97.158.253.26
  • Use one network address (192.168.1.0) so that it is seen on the internet as IP address 97.158.253.29. This is different from masquerading.


Example snat.sh file:

#!/bin/bash
#---------------------------------------------------------------
# Load the NAT module
#
# Note: It is best to use the /etc/rc.local example in this
#       chapter. This value will not be retained in the
#       /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------------
modprobe iptable_nat

#---------------------------------------------------------------
# Enable routing by modifying the ip_forward /proc filesystem file
#
# Note: It is best to use the /etc/sysctl.conf example in this
#       chapter. This value will not be retained in the
#       /etc/sysconfig/iptables file. Included only as a reminder.
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward

#---------------------------------------------------------------
# NAT ALL traffic:
###########
# REMEMBER to create aliases for all the internet IP addresses below
###########
#
# TO:             FROM:           MAP TO SERVER:
# 97.158.253.26   Anywhere        192.168.1.100 (1:1 NAT - Inbound)
# Anywhere        192.168.1.100   97.158.253.26 (1:1 NAT - Outbound)
# Anywhere        192.168.1.0/24  97.158.253.29 (FW IP)
#
# SNAT is used to NAT all other outbound connections initiated
# from the protected network to appear to come from
# IP address 97.158.253.29
#
# POSTROUTING:
#   NATs source IP addresses. Frequently used to NAT connections from
#   your home network to the Internet
#
# PREROUTING:
#   NATs destination IP addresses. Frequently used to NAT
#   connections from the Internet to your home network
#
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------------

# PREROUTING statements for 1:1 NAT
# (Connections originating from the Internet)
iptables -t nat -A PREROUTING -d 97.158.253.26 -i eth0 \
         -j DNAT --to-destination 192.168.1.100

# POSTROUTING statements for 1:1 NAT
# (Connections originating from the home network servers)
# This rule must stay above the Many:1 rule: 192.168.1.100 is inside
# 192.168.1.0/24 and the first matching nat rule wins.
iptables -t nat -A POSTROUTING -s 192.168.1.100 -o eth0 \
         -j SNAT --to-source 97.158.253.26

# POSTROUTING statements for Many:1 NAT
# (Connections originating from the entire home network)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 \
         -j SNAT --to-source 97.158.253.29

# Allow forwarding to each of the servers configured for 1:1 NAT
# (For connections originating from the Internet. Notice how you
# use the real IP addresses here)
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.1.100 \
         -m multiport --dports 80,443,22 \
         -m state --state NEW -j ACCEPT

# Allow forwarding for all New and Established SNAT connections
# originating on the home network AND already established
# DNAT connections
iptables -A FORWARD -t filter -o eth0 -m state \
         --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow forwarding for all 1:1 NAT connections originating on
# the Internet that have already passed through the NEW forwarding
# statements above
iptables -A FORWARD -t filter -i eth0 -m state \
         --state ESTABLISHED,RELATED -j ACCEPT
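The script above applies rules one `iptables` call at a time and relies on the reader remembering the "create aliases" warning. The following is an added example, not the blog's snat.sh: it generates the same 1:1 and Many:1 SNAT rule set in `iptables-restore` format, and before loading it checks that every public address handed to `SNAT` is actually configured on the internet interface, because packets SNATed to an address the box does not own simply never get their replies. The interface names, addresses and ports are the ones from the post; the `ip -o -4 addr` listing embedded in the script is constructed sample data, and the function names are my own.

```sh
#!/bin/sh
# Added example (not the original snat.sh). Builds the 1:1 + Many:1 SNAT
# rule set as an iptables-restore file and refuses to load it when a SNAT
# source address is not present on the WAN interface.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
SERVER_LAN=192.168.1.100
SERVER_PUB=97.158.253.26
FW_PUB=97.158.253.29
SERVER_PORTS=80,443,22

# Constructed sample of "ip -o -4 addr" output: the firewall address and the
# 97.158.253.26 alias (eth0:0) on eth0, plus the LAN address on eth1.
SAMPLE_ADDRS='2: eth0    inet 97.158.253.29/24 brd 97.158.253.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 97.158.253.26/24 brd 97.158.253.255 scope global secondary eth0:0\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1\       valid_lft forever preferred_lft forever'

# has_alias ADDR IFACE: exit 0 if ADDR is configured on IFACE. The address
# listing ("ip -o -4 addr" format) is read from stdin; matching "ADDR/"
# keeps 97.158.253.2 from matching 97.158.253.26.
has_alias() {
    awk -v ip="$1" -v dev="$2" \
        '$2 == dev && $3 == "inet" && index($4, ip "/") == 1 { found = 1 }
         END { exit !found }'
}

# missing_aliases LISTING: print each SNAT source address absent from the
# listing on its own line; exit 0 only when nothing is missing.
missing_aliases() {
    rc=0
    for ip in "$SERVER_PUB" "$FW_PUB"; do
        if ! printf '%s\n' "$1" | has_alias "$ip" "$WAN_IF"; then
            echo "$ip"
            rc=1
        fi
    done
    return $rc
}

# nat_rules: emit the rule set in iptables-restore format. Order in
# POSTROUTING matters: the first match wins and 192.168.1.100 lies inside
# 192.168.1.0/24, so the 1:1 rule precedes the Many:1 rule. FORWARD gets a
# DROP policy so only the three listed flows cross the firewall.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -d $SERVER_PUB -j DNAT --to-destination $SERVER_LAN
-A POSTROUTING -o $WAN_IF -s $SERVER_LAN -j SNAT --to-source $SERVER_PUB
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $FW_PUB
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $SERVER_LAN -m multiport --dports $SERVER_PORTS -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# apply_rules: check the live address list, enable forwarding, load atomically.
apply_rules() {
    if ! missing_aliases "$(ip -o -4 addr)"; then
        echo "refusing to load: SNAT address(es) above are not configured on $WAN_IF" >&2
        return 1
    fi
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    nat_rules | iptables-restore
}

# Dry run against the constructed listing; "--apply" loads on a real firewall.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    missing_aliases "$SAMPLE_ADDRS" >/dev/null && nat_rules
fi
```

Without arguments the script only prints the rule set, so it can be reviewed or diffed against `iptables-save` output; with `--apply` it loads both tables in one `iptables-restore` transaction, which also flushes any existing rules in the nat and filter tables (INPUT and OUTPUT included), so merge them into `nat_rules` if the firewall has some. The filter rules here also bind `-i eth1` on the outbound LAN rule, which the original leaves open, and use `-m conntrack --ctstate`, the current name for what `-m state --state` does in the post.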

6 comments

  1. I'm interested in this article, because I want to build a firewall with iptables on Linux. Please help me from the beginning,
    I'm still a beginner when it comes to

  2. rhey_dhi

    I really like watching the Liputan 6 news broadcast. Because besides the presenters being brilliant, the news is also good and up to date.
    I watch it almost every day, you know….
    Especially in the morning…. (hehe, not important, is it….)

    I really idolize the presenters named "Bayu Mandriva and Rosiana S." In my opinion they're just cool…..

    Thanks b4

  3. Eh…. is there really a Liputan6 presenter who goes by the name Bayu Mandriva?
    Isn't that Bayu Sutiyono??
    heheheheh….

  4. Mas, what's the difference between PREROUTING and POSTROUTING?
    Please enlighten me.

  5. PREROUTING = the process of entering the routing stage. This process happens from the internet into the intranet.
    POSTROUTING = the process that happens after being inside routing (the server).
    FORWARD = the process that is sent to the computer concerned, from the Internet into the intranet.

  6. Thanks, Mas Bejo.

    I want to build a router (NAT)
    so that the network below the router can access the internet.
    How do I do that, Mas?

    Do I use PREROUTING?
