Logo Light

Network

Web Apps

System

Cloud

Cryptography

IoT

Exercise 51: Configuring and Testing NAT (Network Address Translation)

by | Jun 5, 2025 | 0 comments

Objective

Set up and test Network Address Translation (NAT) to allow multiple devices on a local network to share a single public IP address for internet access. Understand how NAT improves network security by hiding internal network details.

Scenario

In a typical network setup, NAT allows internal devices to communicate with external networks (such as the internet) using a single public IP address. This setup conserves IP addresses and adds a layer of security by hiding internal IP addresses from external networks. In this exercise, you will configure a Linux machine as a NAT router using iptables, connect devices to the internal network, and verify internet access.

⚠️ Important: This exercise must be conducted in a legal and controlled environment. Unauthorized manipulation of network settings may disrupt services.

Lab Instructions

Step 1: Configure the Linux Machine as a NAT Router

a. Enable IP Forwarding

sudo sysctl -w net.ipv4.ip_forward=1
  • Make this change persistent:
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf

b. Configure NAT Using iptables

  • Assuming:
    • eth0 is connected to the internet.
    • eth1 is connected to the local network.
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

c. Save iptables Rules

sudo iptables-save | sudo tee /etc/iptables/rules.v4

Step 2: Configure Local Network Devices

a. Assign Private IPs to Connected Devices

  • Assign private IPs manually or via DHCP:
    • Device 1: 192.168.1.2
    • Device 2: 192.168.1.3
    • Gateway: Set to the Linux NAT router’s internal IP (e.g., 192.168.1.1)

b. Configure DNS (Optional)

echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf

Step 3: Test Internet Access

a. Ping External Sites from Internal Devices

ping google.com
  • Expected Result: Successful replies indicate internet connectivity.

b. Verify Shared Public IP

  • From internal devices:
curl ifconfig.me
  • Expected Result: All devices should show the same public IP address.

Step 4: Discuss the Benefits of NAT

  1. IP Address Conservation: Multiple devices share a single public IP.
  2. Internal Network Security: Hides internal IPs, making internal devices less accessible to external threats.
  3. Basic Firewall Functionality: Unsolicited incoming connections are blocked by default.
  4. Network Simplification: Simplifies network design by isolating internal networks.

Solution & Explanation

How NAT Works

  • Source NAT (SNAT): Translates internal private IP addresses to the public IP for outgoing traffic.
  • Destination NAT (DNAT): Forwards external traffic to specific internal devices if configured.
  • Masquerading: A dynamic form of SNAT used when the public IP may change (common in home networks).

Security Advantages of NAT

  • Anonymity: Hides internal network structure.
  • Attack Surface Reduction: Blocks unsolicited inbound traffic by default.
  • Controlled Access: Allows configuration of port forwarding for specific services.

Testing & Verification

  • Before NAT: Internal devices cannot access the internet.
  • After NAT: Internal devices can browse the internet using the shared public IP.

Verify iptables NAT Rules

sudo iptables -t nat -L -n -v

Check Routing Table

ip route

Security Best Practices

  1. Limit Port Forwarding: Only forward necessary ports to internal devices.
  2. Apply Firewall Rules: Combine NAT with firewall policies to restrict traffic.
  3. Regular Rule Audits: Review and update NAT and firewall configurations.
  4. Network Segmentation: Use VLANs or subnets for better traffic management.

Additional Script (Optional)

Automate NAT Configuration:

#!/bin/bash
# Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1

# Configure NAT rules
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Save the iptables rules
sudo iptables-save | sudo tee /etc/iptables/rules.v4

echo "NAT configuration complete."

Run the script:

chmod +x setup_nat.sh
sudo ./setup_nat.sh

Conclusion

In this exercise, you configured a Linux machine to act as a NAT router using iptables, enabling multiple devices to share a single public IP for internet access. You verified the configuration, explored the security benefits of NAT, and learned how it protects internal networks from direct external attacks.

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *