Setup guide
Source NAT
Description
Source NAT is a firewall function that can be used to 'hide' private networks behind one external IP
address of the router. For example, it is useful if you want to access the ISP's network and the
Internet with all requests appearing to come from the single IP address given to you by the ISP.
Source NAT replaces the source IP address and port of packets originating from the private
network with the external address of the router as the packet is routed through it.
Source NAT also contributes to security, since each outgoing or incoming request must pass through a
translation step that offers the opportunity to qualify or authenticate the request or match it
to a previous request; inbound traffic with no matching translation entry has no private host to be
delivered to. It also conserves the number of global IP addresses required and lets the
whole network use a single IP address in its communication with the world.
Property Description
action (accept | masquerade | nat; default: accept) - action to undertake if a packet matches a
particular src-nat rule, one of the following:
• accept - accept the packet without undertaking any action, except for mangle. No more rules
are processed in the relevant list/chain
• masquerade - use masquerading for the packet and substitute the source address:port of the
packet with those of the router. In this case, the to-src-address argument value is not taken
into account and it does not need to be specified, since the router's local address is used
• nat - perform Network Address Translation. The to-src-address should be specified (not
required with action=masquerade)
out-interface (name; default: all) - interface the packet is leaving the router from.
• all - may include the local loopback interface for packets destined to the router itself
to-src-address (IP address; default: 0.0.0.0) - source address to replace the original source address with
to-src-port (integer: 0..65535) - source port to replace the original source port with
Notes
The source NAT can masquerade several private networks, using an individual to-src-address for
each of them.
Masquerading chooses the outgoing packets' source addresses according to the preferred-address
property of the relevant route.
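The following simulator is an added example and is not code from this manual or from RouterOS; it models how a src-nat rule set is evaluated (first matching rule wins, accept stops processing, masquerade uses the egress interface's address, nat uses to-src-address) and how the resulting translation table is consulted to reverse-translate replies and to discard inbound packets that match no earlier outbound flow. Rule fields, the per-interface address table, the port allocator and all addresses and packets below are constructed assumptions; in particular, the real router selects the masquerade address from the route's preferred-address, which is simplified here to one address per interface.

```python
"""Toy model of source NAT rule matching and connection tracking.
Added illustration, not RouterOS code; every address and rule is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    out_interface: str  # interface the packet leaves on; "" for packets arriving from outside


@dataclass
class SrcNatRule:
    src_address: str = "0.0.0.0/0"      # packet's source must lie inside this network
    out_interface: str = "all"          # "all" matches any egress interface
    action: str = "accept"              # accept | masquerade | nat
    to_src_address: str = "0.0.0.0"     # used only by action=nat
    to_src_port: Optional[int] = None   # None: allocate a free port (assumed behaviour)

    def matches(self, pkt: Packet) -> bool:
        in_net = ip_address(pkt.src_ip) in ip_network(self.src_address, strict=False)
        iface_ok = self.out_interface in ("all", pkt.out_interface)
        return in_net and iface_ok


class SourceNat:
    def __init__(self, rules: List[SrcNatRule], interface_addresses: Dict[str, str],
                 first_port: int = 1024) -> None:
        self.rules = list(rules)
        self.interface_addresses = dict(interface_addresses)  # assumed: one address per interface
        self.next_port = first_port
        # (translated src ip, translated port, dst ip, dst port) -> (original src ip, original port)
        self.table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def _alloc_port(self) -> int:
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Apply the first matching rule. 'accept' and 'no match' both leave the packet unchanged."""
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.action == "accept":
                return pkt
            if rule.action == "masquerade":
                new_ip = self.interface_addresses[pkt.out_interface]  # router's own address
            elif rule.action == "nat":
                new_ip = rule.to_src_address
            else:
                raise ValueError(f"unknown action {rule.action!r}")
            new_port = rule.to_src_port if rule.to_src_port is not None else self._alloc_port()
            # Record the flow so the reply can be mapped back to the private host.
            self.table[(new_ip, new_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            return Packet(new_ip, new_port, pkt.dst_ip, pkt.dst_port, pkt.out_interface)
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a reply; returns None when no outbound flow created the entry."""
        orig = self.table.get((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if orig is None:
            return None  # unsolicited traffic: nothing behind the router to deliver it to
        return Packet(pkt.src_ip, pkt.src_port, orig[0], orig[1], "")


def demo():
    """Two private networks leave via wlan1: one masqueraded, one given its own to-src-address."""
    nat = SourceNat(
        rules=[
            SrcNatRule("192.168.0.0/24", "wlan1", "masquerade"),
            SrcNatRule("10.0.0.0/24", "wlan1", "nat", to_src_address="203.0.113.7"),
        ],
        interface_addresses={"wlan1": "203.0.113.5"},  # constructed router address
    )
    a = nat.outbound(Packet("192.168.0.10", 40000, "198.51.100.1", 80, "wlan1"))
    b = nat.outbound(Packet("10.0.0.20", 40001, "198.51.100.1", 80, "wlan1"))
    c = nat.outbound(Packet("172.16.0.3", 40002, "198.51.100.1", 80, "wlan1"))  # no rule matches
    reply = nat.inbound(Packet("198.51.100.1", 80, a.src_ip, a.src_port, ""))
    stray = nat.inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 2000, ""))
    return a, b, c, reply, stray


if __name__ == "__main__":
    for label, pkt in zip(("masqueraded", "nat", "untouched", "reply", "stray"), demo()):
        print(label, pkt)
```

Note that a fixed to-src-port collapses all translated flows to the same destination onto one table key, which is why the real router and this model prefer allocating a distinct port per flow.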
Example
To use masquerading, a source NAT rule with action=masquerade should be added to the src-nat
rule set:
[admin@test_1] ip firewall src-nat> add src-address=192.168.0.0/24 \
\... out-interface=wlan1 action=masquerade
[admin@test_1] ip firewall src-nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 src-address=192.168.0.0/24:0-65535 dst-address=0.0.0.0/0:0-65535
out-interface=wlan1 protocol=all icmp-options=any:any flow=""
connection="" content="" limit-count=0 limit-burst=0 limit-time=0s
action=masquerade to-src-address=0.0.0.0 to-src-port=0-65535
[admin@test_1] ip firewall src-nat>