nat44 is a simple way to configure an hig-end NAT-router with netflow
install from repo
add uninett apt key
- wget http://apt.uninett.no/uninett_apt.key; apt-key add uninett_apt.key; rm uninett_apt.key
add repo to sources.list
- echo "deb http://apt.uninett.no/debian/ wheezy nat" >> /etc/apt/sources.list
update and install
- apt-get update && apt-get install nat44
install from source
Install git, conntrack and python-ipaddr
- apt-get install conntrack python-ipaddr git debhelper python-support dialog python-docopt
Note: from debian wheezy you need to install python-docopt via pip install
- apt-get install python-pip
- pip install docopt
Clone the git repo
- git clone https://scm.uninett.no/sveinov/nat44.git
cd to new dir, and edit the nat44.conf (configure your system)
- cd nat44; nano nat44.conf
install nat44 via make
- make install
Or install nat44 python library
- python setup.py install
- vim /etc/nat44/nat44.conf
First you have to make sure you have the correct settings for nat44.conf (/etc/nat44/nat44.conf), the default config is in /etc/default/nat44.conf
Then you make nat44 configure your linux box to become an nat44 router bassed on your nat44.conf
- nat44 configure
Everytime you change nat44.conf you have to run nat44 configure, the first time you run nat44 configure it will take some time (compiling modules and snmp).
intern-if = eth1
- Internal interface, where you have your rfc1918-network. Those that needs the NATing
- You can define several interfaces, eth1 eth2 eth3
- it also supports vlan-tag (8011q) eth1.100 eth1.200 eth1.300
ekstern-if = eth0
- External interface, connected to that internett.
admin-adresse = 203.0.113.120
- This is the main public ipaddress of your server
intern-nett = 10.0.0.0/22
- The internal nettwork, not recomended bigger than /20 (~4000 clients)
- when using several interfaces, you need 1 network per interface.
intern-gw = 10.0.0.1
- This is the ipaddress of your internal-interface, the gateway of your NAT clients.
- when using several interfaces, you ned 1 gateway per interface.
extern-nett = 126.96.36.199/24
- The external nettwork
eksterne-adresser = 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168
- These are the addresses that we translate the internal-network to.
- By default you need 1 ipaddress per /24 (~254) clients, this also applies to every subnet.
- meaning you need 4 external addresses if you have a /22 internal nettwork.
- notice we use the admin-adresse here aswell. This is optional, but no apparent reason not to use it.
- pools also acceptable, 22.214.171.124-127 or 126.96.36.199/29. it will allow to many addresses, but not to few.
gateway = 188.8.131.52
- the gateway towards the rest of that internett
dns = 184.108.40.206 220.127.116.11
- DNS settings, change em to your dns address(es)
log = netflow
- ipt-netflow module for loging. set to None for no logging
log_ip = 127.0.0.1
- what address the netflow-data is sendt to
log_port = 2055
- sending port for netflow
snmp_key = public
- default public, this sets snmpd to use the selected comunity_key
NAT-mask = 24
- default 24, this allows you to increase or decrease the amount of clients per public ipaddress.
rsyslog = None
- default disabled, you can choose to redirect rsyslog to remote server. specify host:port (rsyslog = 18.104.22.168:513)
dhcp-server = None
- default disabled, nat44 can configure dhcp for each internal interface. Merly set this to True (dhcp-server = True)
dns-server = None
- default disabled, nat44 can configure bind9 to serve as dns. Merly set this to True(dns-server = True)
Example config, 3 vlans, 6 public ipaddresses
internal-if = eth1.100 eth1.200 eth1.300
external-if = eth0
admin-address = 203.0.113.120
internal-network = 10.1.0.0/24 10.2.0.0/24 10.3.0.0/22
internal-gateway = 10.1.0.1 10.2.0.1 10.3.0.1
external-network = 203.0.113.0/24
external-addresses = 203.0.113.120-125
default-gateway = 203.0.113.1
domain = somedomain.com
dns = 22.214.171.124 126.96.36.199
log = netflow
log_ip = 203.0.113.10
log_port = 2059
flow_version = 9
rsyslog = 203.0.113.11:153
dhcp-server = True
dns-server = True
NAT-mask = 24
files that may be used by nat44