When debugging complex network issues involving symmetric NAT (Network Address Translation), commercial routers often lack the necessary visibility. By configuring a Linux server as a router with symmetric NAT, we gain full packet-level control and debugging capabilities.
- Fedora system with a 2.6.x kernel
- Two network interfaces (eth0 for WAN, eth1 for LAN)
- Root privileges
- iptables package installed
First, configure the network interfaces in /etc/sysconfig/network-scripts/:
# ifcfg-eth0 (WAN interface)
DEVICE=eth0
BOOTPROTO=static
IPADDR=203.0.113.2
NETMASK=255.255.255.0
GATEWAY=203.0.113.1
ONBOOT=yes
# ifcfg-eth1 (LAN interface)
DEVICE=eth1
BOOTPROTO=static
IPADDR=192.168.1.1
NETMASK=255.255.255.0
ONBOOT=yes
Permanent setting in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Apply immediately:
sysctl -p
The key configuration for symmetric NAT:
# Masquerade outgoing traffic with randomised source-port selection
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE --random
# Drop invalid packets first: appended after the ACCEPT rules below, this
# rule would never be reached for LAN-to-WAN traffic
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
# Accept replies belonging to established connections
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Forward new connections from LAN to WAN
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
To monitor traffic through the NAT:
tcpdump -i eth0 -nn -s0 -w nat_capture.pcap
For specific connection tracking:
conntrack -L
Test with multiple connections from a client:
# On client machine
for i in {1..5}; do
curl --local-port $((20000+i)) ifconfig.me
done
Check the NAT translations:
iptables -t nat -L -n -v
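The following added example (not part of the original article) turns a conntrack listing into a quick check of the mapping behaviour: it groups entries by internal source IP:port and counts how many distinct external ports the NAT handed to that endpoint, more than one meaning endpoint-dependent (symmetric) mapping, which is what MASQUERADE --random is meant to produce. Both sample listings are constructed, using 203.0.113.2 as the WAN address from ifcfg-eth0 above.

```shell
#!/bin/sh
# Added example: classify NAT mapping behaviour from conntrack entries.
# Reads lines in `conntrack -L` or /proc/net/nf_conntrack format on stdin.
# Each entry carries two tuples: original direction (internal src/sport) and
# reply direction, whose dport is the external port the NAT allocated.
# If one internal src:sport was given more than one external port, the
# mapping is endpoint-dependent, i.e. symmetric NAT behaviour.
classify_nat_mapping() {
    awk '
    {
        n = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")   { n++; src[n] = kv[2] }
            if (kv[1] == "sport") sport[n] = kv[2]
            if (kv[1] == "dport") dport[n] = kv[2]
        }
        if (n < 2) next                    # not a conntrack entry, skip it
        key = src[1] ":" sport[1]          # internal endpoint
        ext = dport[2]                     # external port chosen by the NAT
        conns[key]++
        if (!((key, ext) in seen)) { seen[key, ext] = 1; ports[key]++ }
    }
    END {
        verdict = "endpoint-independent"
        for (k in ports) if (ports[k] > 1) verdict = "symmetric"
        print "verdict: " verdict
        for (k in ports)
            printf "  %s -> %d connection(s), %d distinct external port(s)\n", k, conns[k], ports[k]
    }'
}

# Constructed sample listings (not captured from a real system); 203.0.113.2
# is the WAN address used in the ifcfg-eth0 above.
# With MASQUERADE --random: the same internal 192.168.1.10:20001 talking to two
# destinations is mapped to two different external ports.
SAMPLE_RANDOM='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=20001 dport=80 src=198.51.100.7 dst=203.0.113.2 sport=80 dport=41523 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.9 sport=20001 dport=80 src=198.51.100.9 dst=203.0.113.2 sport=80 dport=57302 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.11 dst=198.51.100.53 sport=5000 dport=53 src=198.51.100.53 dst=203.0.113.2 sport=53 dport=62011 mark=0 use=1'
# Plain MASQUERADE keeps the source port when it is free, so both connections
# from 192.168.1.10:20001 share external port 20001.
SAMPLE_PLAIN='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=20001 dport=80 src=198.51.100.7 dst=203.0.113.2 sport=80 dport=20001 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.9 sport=20001 dport=80 src=198.51.100.9 dst=203.0.113.2 sport=80 dport=20001 [ASSURED] mark=0 use=1'

printf '%s\n' "$SAMPLE_RANDOM" | classify_nat_mapping   # verdict: symmetric
printf '%s\n' "$SAMPLE_PLAIN"  | classify_nat_mapping   # verdict: endpoint-independent
```

On the router itself run `conntrack -L | classify_nat_mapping` after the client loop above; an endpoint with only one connection cannot be classified, which is why the connection count is printed alongside the port count.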
Save iptables rules:
service iptables save
chkconfig iptables on
- Check kernel NAT modules:
lsmod | grep nf_nat
- Verify conntrack table:
cat /proc/net/nf_conntrack
- Test connectivity:
traceroute -n 8.8.8.8
When dealing with network debugging, especially in scenarios involving NAT (Network Address Translation), having visibility into packet flows is crucial. Many commercial routers lack proper debugging interfaces, making it difficult to verify if packets are reaching the NAT or being processed correctly. This is particularly problematic with symmetric NAT, which dynamically maps internal IP:port pairs to external ones.
Linux provides excellent networking capabilities through its kernel modules and iptables/netfilter framework. By configuring a Linux machine as a router with symmetric NAT, we gain:
- Full packet capture capabilities (tcpdump, Wireshark)
- Detailed logging of NAT operations
- Flexible configuration options
- Real-time monitoring capabilities
Before proceeding, ensure your Fedora system has:
# Check kernel version (should be 2.6.x or higher)
uname -r
# Verify iptables is installed
rpm -q iptables
# Check for required kernel modules
lsmod | grep nf_nat
lsmod | grep nf_conntrack
First, set up your network interfaces. Typically, you'll need:
- One interface connected to the internal network (eth0)
- One interface connected to the external network (eth1)
# Configure internal interface
ifconfig eth0 192.168.1.1 netmask 255.255.255.0 up
# Configure external interface (use your actual external IP)
ifconfig eth1 203.0.113.45 netmask 255.255.255.0 up
Enable packet forwarding between interfaces:
echo 1 > /proc/sys/net/ipv4/ip_forward
To make this persistent across reboots, add to /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Configure iptables for symmetric NAT:
# Flush existing rules
iptables -F
iptables -t nat -F
# Set default policies
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Allow replies belonging to established connections in both directions
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new connections from the internal network out to the external one
# (without this rule the FORWARD DROP policy blocks all outbound traffic)
iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT
# Enable masquerading (NAT) on the external interface with randomised
# source-port selection instead of persistent mappings; this is the
# symmetric NAT behaviour. Keep only this one MASQUERADE rule: a plain
# MASQUERADE rule ahead of it would match first and --random would never apply.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE --random
To monitor packets going through NAT:
# Capture all NAT-related traffic
tcpdump -i eth1 -n "not port 22" -w nat_capture.pcap
# Alternatively, log connection setup as it passes through the nat table.
# The nat table only sees the first packet of each new connection, and
# MASQUERADE is a terminating target, so the LOG rule must be inserted
# (-I) ahead of it rather than appended after it.
iptables -t nat -I POSTROUTING -j LOG --log-prefix "NAT-OUTPUT: "
iptables -t nat -I PREROUTING -j LOG --log-prefix "NAT-INPUT: "
Test your symmetric NAT setup:
# Check NAT table
iptables -t nat -L -n -v
# View connection tracking
conntrack -L
# Test external connectivity from an internal host
ping 8.8.8.8
- If packets aren't flowing, check your FORWARD chain rules
- Verify that conntrack modules are loaded (lsmod | grep nf_conntrack)
- Check system logs (/var/log/messages) for NAT-related errors
- Ensure your external interface has the correct default gateway
For more detailed control over NAT behavior:
# Limit the NAT port range. This rule replaces the earlier MASQUERADE rule;
# appended after it, it would never be reached, since the first matching
# MASQUERADE rule wins.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE --to-ports 40000-50000
# Set specific NAT timeouts
echo 300 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout
echo 600 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established