Network Address Translation (NAT)¶
The nat section exposes the configuration of NAT.
Source NAT Configuration¶
To configure source NAT on the appliance, the following configuration options are available:
nat.snat.address_poolA list of IPv4 prefixes to specify which addresses can be used for the source NAT. A packet’s source address will be replaced by one of these addresses. A response packet will have its destination address replaced by the original source address.
nat.snat.excludeA list of IPv4 prefixes to exclude from the source NAT. A packet with source IP address covered by one of these prefixes will be passed as is without rewriting its source address. The number of addresses to exclude is limited to 1000000.
nat.snat.interfacesA list of network interfaces on which source NATing should be applied. Outgoing (transmitted) packets on these interfaces will have their source IP address rewritten to one of the addresses in the address pool. Incoming (received) packets will have their destination address rewritten to the original source address. The list of network interfaces can contain any interface on the host that is not using the LINUX driver. Furthermore, there is a special interface, the scion-gateway interface. It can be used to configure source NATing for outgoing IP-in-SCION tunneling traffic.
In case SNAT is configured in combination with DNAT (see Use Case: Ingress SNAT and DNAT), the list of network interfaces must be empty, as DNATs and SNAT combination only works with the scion-gateway interface, it is automatically set.
Destination NAT Configuration¶
The appliance supports the configuration of destination NAT (DNAT) for traffic reaching the appliance via IP-in-SCION tunneling. To configure destination NAT on the appliance, the following configuration options are available:
nat.dnatsThe list of destination NAT configurations.
nat.dnats.dnat.addressThe IPv4 address to match for destination NAT. Incoming packets with this address as the destination will have it translated to
nat.dnats.dnat.destination_address. The translation can be restricted to specific ports usingnat.dnats.dnat.port_mappings.nat.dnats.dnat.destination_addressThe IPv4 address to which
nat.dnats.dnat.addressis translated. If outgoing packets have this source address, it will be replaced bynat.dnats.dnat.address.nat.dnats.dnat.port_mappingsA list of port mappings for this destination NAT. If empty, all matching traffic will have their addresses translated. Must be set when combining DNAT and SNAT.
nat.dnats.dnat.port_mappings.protocolSpecifies the protocols (“tcp”, “udp”, or “icmp”) for which address translation applies.
nat.dnats.dnat.port_mappings.portThe destination port to match for the port mapping. Must be an integer between 0 and 65535. If the destination port matches and the destination address matches the
nat.dnats.dnat.address, the destination port will be replaced bynat.dnats.dnat.port_mappings.destination_port.nat.dnats.dnat.port_mappings.destination_portThe port to which the destination port is translated. Must be an integer between 0 and 65535.
Use Case: Egress Source NAT¶
Egress source NAT is useful for deployments that only have a single public IP address that can be tunneled through an IP-in-SCION tunnel. The egress source NAT setup works the same way as a regular source NAT setup, e.g., for a home network. The appliance will rewrite the source IP address of packets leaving the local network to the public IP address.
nat.snat.address_poolA list of IPv4 prefixes that can be used as public IP addresses for the NAT. These addresses should also be announced to remote IP-in-SCION tunneling endpoints.
nat.snat.excludeA list of IPv4 prefixes to exclude from the NAT. Useful for excluding addresses of services that use their own public IP address.
nat.snat.interfacesFor egress NAT, this must include the scion-gateway interface, and optionally any interface connected to the external network (e.g., public Internet). Specifying interfaces connected to the local network (i.e, LAN) together with the scion-gateway is a misconfiguration and leads to undefined behavior.
Refer to Configuring Egress Source NAT if only few public IP addresses are available for more information.
Use Case: Ingress Source NAT¶
Ingress source NAT is useful when replies to the packets coming out from a SCION tunnel are supposed to be routed back to the tunnel while other packets can still be routed in an arbitrary user-defined way. The motivation for this is so that return traffic can be sent via the EDGE if there is also an Internet router available for it.
Using ingress NAT assumes that the routing of packets to the appliance is done using static routes. Combining ingress NAT with BGP is not supported.
nat.snat.address_poolA list of IPv4 prefixes that are used to route the reply packets back to the appliance. The appliance will rewrite the source IP address of packets entering the local network to one of these addresses. It is up to the user to configure the routing of these addresses in the local network accordingly.
nat.snat.excludeA list of IPv4 prefixes to exclude from the NAT.
nat.snat.interfacesThe list of the interfaces connected to the local network.
Refer to Configuring Ingress NAT to collect Users from the Anapaya GATE for more information.
Use Case: Destination NAT¶
Destination NAT is useful to allow external clients to access services running on private IPs. For example in a Cloud deployment of a service, the services uses a private IP address and the appliance exposes the public IP to make the service available.
Use Case: Ingress SNAT and DNAT¶
Ingress SNAT and DNAT is useful when the appliance is used as a gateway to provide access to services running on private IPs and at the same time those services are also reachable from other networks. The DNAT guarantees that the private IP can be reached and the SNAT asserts that the traffic can easily be routed back to the appliance.