NAT systems have at least two network interfaces configured.
The first network interface will be set up as the Internet-facing connection. For this document I'm going to use the interfaces "eth0", "eth1", "eth2" and "eth2.526" (an IEEE 802.1Q tagged VLAN, id 526, on the eth2 NIC), and the IPv4 Internet address 198.51.100.63 in the "TEST-NET-2" VLAN 198.51.100.0/24 (in accordance with RFC 5737). You will need to modify the VLAN information to the values of the Internet VLAN that services your area!
We'll configure four other network interfaces, one for each Intranet (private VLAN) that we want to provide NAT service for. For this documentation we'll use three 24-bit VLANs in the 172.16.0.0/12 block of private IPv4 address space, assigning "172.X.Y.254" as the NAT route point [1].
Arrange with the CSCF Technical Manager, Infrastructure, for the resources to run the NAT service you want to set up, then follow one of the recipes at "https://cs.uwaterloo.ca/cscf/internal//infrastructure/setups/os/ubuntu/" to provision a minimal Ubuntu server host.
Next, configure the server's network configuration so the appropriate network interfaces are created at startup, being sure to modify the IP values to be appropriate for your environment.
Edit "/etc/network/interfaces":
    auto lo
    iface lo inet loopback

    auto eth0
    iface eth0 inet static
        address 198.51.100.63
        netmask 255.255.255.0
        gateway 198.51.100.1
        network 198.51.100.0
        broadcast 198.51.100.255

    auto eth1
    iface eth1 inet static
        address 172.19.152.254
        netmask 255.255.255.0

    auto eth2
    iface eth2 inet static
        address 172.19.154.254
        netmask 255.255.255.0

    auto eth2.526
    iface eth2.526 inet static
        address 172.19.155.254
        netmask 255.255.255.0
We enable IPv4 forwarding by creating "/etc/sysctl.d/98-ip_forward.conf":
    #
    # Kernel sysctl configuration
    #
    net.ipv4.ip_forward = 1
You can run the following command to make this change effective without a reboot.
    sudo sysctl -w net.ipv4.ip_forward=1
We use iptables to perform the masquerading of the non-eth0 traffic by modifying "/etc/rc.local". (Make sure the following two lines appear before the "exit 0" line.)
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
You can run the following commands to make this change effective without a reboot.
    sudo iptables -P FORWARD ACCEPT
    sudo iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
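The two rc.local lines above leave the FORWARD chain with a default policy of ACCEPT and masquerade whatever leaves eth0. As an added example (not part of the CSCF recipe), the script below builds a stricter equivalent for iptables-restore: forwarding is dropped by default, only the private VLAN interfaces may open connections toward eth0, and only sources in 172.16.0.0/12 are masqueraded. The names WAN_IF, PRIVATE_NET, build_rules and count_new_forward are this example's own; the interface names are the ones used on this page.

```sh
#!/bin/sh
# Added example: a stricter stand-in for the two rc.local iptables lines.
# Assumed names: WAN_IF (Internet side, eth0 on this page), PRIVATE_NET
# (the private block the NAT route points live in), build_rules.
set -eu

WAN_IF="${WAN_IF:-eth0}"
PRIVATE_NET="${PRIVATE_NET:-172.16.0.0/12}"

# build_rules WAN LAN...  prints an iptables-restore ruleset on stdout.
build_rules() {
    wan="$1"; shift
    printf '%s\n' '*nat' \
        ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    # Only masquerade packets that really came from the private block,
    # so a stray source address is never hidden behind the Internet IP.
    printf '%s\n' "-A POSTROUTING -s $PRIVATE_NET -o $wan -j MASQUERADE"
    printf '%s\n' 'COMMIT' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Forwarding is denied unless a rule below allows it (was: -P FORWARD ACCEPT).
    # Replies to connections the intranets opened are let back in; junk is dropped.
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
                  '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
    # Each private VLAN may open connections toward the Internet, nothing else:
    # no Internet-initiated forwarding, and no traffic between the VLANs.
    for lan in "$@"; do
        printf '%s\n' "-A FORWARD -i $lan -o $wan -s $PRIVATE_NET -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# count_new_forward RULESET  counts the rules that admit new forwarded flows,
# a quick check that each intranet interface got exactly one.
count_new_forward() {
    printf '%s\n' "$1" | grep -c '^-A FORWARD -i '
}

case "${1:-}" in
    apply)  # as root: build_nat.sh apply eth1 eth2 eth2.526
        shift
        build_rules "$WAN_IF" "$@" | iptables-restore ;;
    *)      # default: just show what would be loaded
        build_rules "$WAN_IF" eth1 eth2 eth2.526 ;;
esac
```

Traffic between the private VLANs is dropped as well; add FORWARD rules between the intranet interfaces if that routing is wanted.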
[1] I chose to use an IP address one less than the broadcast IP as the NAT route point, to leave IP space near the first VLAN IP address for VRRP addresses. There is also a bit of nostalgia involved: "Who remembers when the Cisco standard was to use the IP before the broadcast IP as the default route point?"