As with other firewall section, this section will not delve into NAT background and theory. Some useful links for this are:
OpenWrt supports DNAT, SNAT, MASQUERADING.
See Netfilter Management for analyzing the netfilter rules and investigating conntrack sessions.
This section contains typical uses of the fw3 NAT features
The goal of this rule is to redirect all WAN-side SSH access on port 2222 to a the SSH (22) port of a single LAN-side station.
config redirect option target DNAT option src wan option dest lan option proto tcp option src_dport 2222 option dest_ip 192.168.10.20 option dest_port 22 option enabled 1
To test from a WAN-side station (STA1), SSH on port 2222 to a non-existent IPv4 address on the LAN-side network:
ssh -p 2222 192.168.10.13 hostname; cat /proc/version
When the rule is enabled STA2 will reply with its hostname and kernel version. When the rule is disabled, the connection is refused.
The passionate reader will ask “So what netfilter rules does this create?”
iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 2222 -m comment --comment "!fw3: @redirect" -j DNAT --to-destination 192.168.10.20:22 ... iptables -t nat -A zone_lan_prerouting -p tcp -s 192.168.10.0/255.255.255.0 -d 192.168.3.185/255.255.255.255 -m tcp --dport 2222 -m comment --comment "!fw3: @redirect (reflection)" -j DNAT --to-destination 192.168.10.20:22
The first rule matches packets coming in the WAN-side if on TCP port 2222 and
jumps to the
DNAT filter to translate the destination to
The second rule matches packets coming in from the LAN-side to the WAN-side if
on TCP port 2222. The DNAT target uses the same
parameters as the first rule to find the “reflection” in the conntrack table.
The next thought of the passionate reader is “So what is IN the conntrack table?”
ipv4 2 tcp 6 117 TIME_WAIT src=192.168.3.171 dst=192.168.10.13 sport=51390 dport=2222 packets=21 bytes=4837 src=192.168.10.20 dst=192.168.3.171 sport=22 dport=51390 packets=23 bytes=4063 [ASSURED] mark=0 use=2
This record shows the WAN-side src=STA1 and dst=192.168.10.13:2222 and the reverse direction LAN-side src=STA2:22 src=STA1.
This redirect rule will cause the router to translate the WAN-side source of 22.214.171.124 to the LAN-side STA2 and route the ICMP echo to it. The rule is reflexive in that STA2 will be translated by to 126.96.36.199 on the WAN-side.
config redirect option src wan option src_dip 188.8.131.52 option proto icmp option dest lan option dest_ip 192.168.10.20 option target DNAT option name DNAT-ICMP-WAN-LAN option enabled 1
All redirection requires some form of NAT and connection tracking. For public servers behind the firewall the DNAT target is used to translate the public IP address on the WAN-side to the private address of the server in the LAN-side.
Due to the high visibility of a public server, it may warrant putting it/them in a fw3 DMZ.
config redirect option target DNAT option src wan option src_dport 25 option proto tcp option family ipv4 option dest lan option dest_ip 192.168.10.20 option dest_port 2525 option name DNAT-MAIL-SERVER option enabled 1
In this example, STA2 is running an email server (e.g. postfix) listening on port 2525 for incoming email.
This redirect rule states: any incoming traffic from the wan on port 25, redirect to STA1 port 2525.
To verify what is going on dump
/proc/net/nf_conntrack to observe the
dynamic connnection for incoming traffic. There can be quite a few conntrack
records in it so we will search on just the ones using port 2525:
... ipv4 2 tcp 6 7436 ESTABLISHED src=192.168.3.171 dst=192.168.3.11 sport=41370 dport=25 packets=4 bytes=229 src=192.168.10.20 dst=192.168.3.171 sport=2525 dport=41370 packets=3 bytes=164 [ASSURED] mark=0 use=2 ...
The connection is coming from STA1 port 25 to the DUT and is translated to STA2 on port 2525 with a response destination to STA1.
In the reference topology, the above rule alone will not allow SMTP traffic to the server. Why? The netfilter rules are more restrictive than typical, blocking all traffic that is not explicitly accepted. There is no rule for accepting email traffic to the LAN-side so it is being dropped. For this topology, an additional rule must be added to the firewall to forward SMTP traffic.
config rule option src wan option dest lan option proto tcp option dest_port 2525 option target ACCEPT option name 'ACCEPT-SMTP-WAN-LAN' option enabled 1
Since DNAT translation occurs early in the ip stack (the PREROUTING chain), the 'dest_port' is already translated to 2525 when this rule is tested in the FORWARD chain - notice the port match is for 2525.
This is illustrated because some (most!) netfilter configurations accept too much WAN-side traffic.
The goal of this rule is to translate the source IP address from a real station to a fictitious one on port 8080.
config redirect option target SNAT option src lan option dest wan option proto tcp option src_ip 192.168.10.20 option src_dip 192.168.10.13 option dest_port 8080 option enabled 1
nc -l 8080
nc -v 192.168.3.171 8080
Type something on the LAN-side station and see it echoed on the WAN-side
station. Check the connection on the WAN-side station using
and see the line:
tcp 0 0 192.168.3.171:8080 192.168.10.13:47970 ESTABLISHED 16746/nc
The WAN-side station shows the SNAT address connecting to it on port 8080!
When used alone, Source NAT is used to restrict a computer's access to the internet while allowing it to access a few services by forwarding what appears to be a few local services, e.g. NTP, to the internet. While DNAT hides the local network from the internet, SNAT hides the internet from the local network.
This is the most used and useful NAT function. It translates a local private network on the LAN-side to a single public address/port num on the WAN-side and then the reverse. It is the default firewall configuration for every IPv4 router. As a result it is a very simple fw3 configuration
The LAN-side uses a private network. The router translates the private addresses to the router address:port and the netfilter conntrack module manages the connection.
The masquerade is set on the WAN-side
config zone option name 'wan' list network 'wan' .... option masq '1'
The router will generally get its WAN ip address from the upstream DHCP server
and be the DHCP server (and usually DNS server) for LAN stations. The
configuration file defines the private network and the
file defines how the OpenWrt router assigns LAN-side IPv4 addresses.
When MASQUERADE is enabled, all forwarded traffic between WAN and LAN is translated. Essentially, there is very little that can go wrong with the MASQUERADE firewall rules.
/proc/net/nf_conntrack to inspect the current MASQUERADE connections.
The following connection tracks SSH (22) access from STA1 to STA2.
ipv4 2 tcp 6 4615 ESTABLISHED src=192.168.3.171 dst=192.168.10.20 sport=60446 dport=22 packets=27 bytes=1812 src=192.168.10.20 dst=192.168.3.171 sport=22 dport=60446 packets=21 bytes=2544 [ASSURED] mark=0 use=2
MASQUERADE supports two or more private LAN zones
The following rule redirects all LAN-side HTTP traffic through an external proxy at 192.168.1.100 listening on port 3128. It assumes the lan address to be 192.168.1.1 - this is needed to masquerade redirected traffic towards the proxy.
config redirect option src lan option proto tcp option src_ip !192.168.1.100 option src_dport 80 option dest_ip 192.168.1.100 option dest_port 3128 option target DNAT config redirect option dest lan option proto tcp option src_dip 192.168.1.1 option dest_ip 192.168.1.100 option dest_port 3128 option target SNAT