netfilter Operation: Part Six

netfilter operationIn the previous article, we began the process of simulating a home router with netfilter. We will continue that process in this article.

We began with the these iptables commands:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p tcp -s -i eth0 –dport 80 -j ACCEPT
iptables -A FORWARD -s -i eth0 -o eth1 -j ACCEPT
¬†iptables -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

The INPUT chain allows port 80 to go to the firewall itself from the internal network. Many of the home routers have a Web interface for configuring them, and while your configuration may not need this port open to the firewall, it is included here to help emphasize how the different chains are used. It is important to specify the input interface (using -i) so that the source IP cannot be spoofed by an external attacker. In this way, you ensure that even if a packet was generated with the proper source IP, if it came in on the outside interface (eth1) it would not match the rule and would thus not be permitted. The FORWARD rule allows any outbound traffic from the internal network to the external network. This configuration is simple to implement; however, the IP range is a private IP range and is not routable on the Internet. Thus, this range would not allow traffic from the internal network to the Internet quite yet. To make this Linux firewall a useful replacement for a home network router, you need to enable NAT, which allows all of the systems on your internal network to appear as a single IP address when communicating on the Internet.

Enabling NAT

In principle NAT is simple, but in a complex environment it can get confusing. Basically, NAT means that the NAT device (in this case the Linux netfilter firewall) will change the IP address in apacket and retransmit that packet. Depending on your needs, you can alter the source IP address (source NAT, or SNAT), the destination IP address (destination NAT, DNAT), or both (double NAT). With a home router, the objective behind the NAT capability is to allow all of the internal hosts to communicate on the Internet using the single public IP provided by your Internet Service Provider (ISP). (In this case, SNAT is being used). As each of the hosts on your private network make a connection to an Internet server, the firewall is altering the source address to look like the public IP from your ISP. By doing this, the return traffic can find its way back to the firewall and be retranslated and sent to the originating host.

In this example, assume that the internal host has a private IP address of The public address of the firewall is, which is provided by the ISP. If a host on the private network wants to make a connection to The firewall alters the source address to its own public IP address of and sends the packet on its way. When the server replies to destination, the firewall again edits the packet, this time inserting a new destination of All of this takes place and is transparent to the host and the server. When multiple hosts are using SNAT, the firewall tracks which connections belong to which private hosts using the port numbers. While the destination port of the Web server remains static (typically port 80 for the Web), the source port is usually a random port above 1024. By tracking the source port, the firewall knows which address belongs to which session. In the event that two hosts attempt to use the same source port, the NAT device edits the source port of one of the connections and replaces it with another random source port. When the return traffic is received, it translates the source port back, just like it did for the IP address. because this method of NAT relies heavily on using the source port number, it is sometimes referred to as port NAT (PNAT).

To add the SNAT functionality to the example firewall, use the following command:

iptables -t nat -A POSTROUTING -o eth1 -j SNAT –to-source

The -r option is used to specify the table we want to modify, and -A option specifies that we are going to append this rule to the POSTROUTING chain. By specifying the outbound interface, we are ensuring that the SNAT only occurs as traffic leaves the private network, meaning only in the proper direction.

The jump target SNAT is self explanatory. The –to-source option specifies what IP address we want to use as the new source address. SNAT assumes we have a static IP address to SNAT the outgoing packets to. While this is likely the case in a corporate environment, a more appropriate solution to more closely mimic the configuration of a home router would be to use the MASQUERADE command:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

The masquerade command does not require an IP specification, and will use the IP address of the firewall interface. You might be wondering why you would not use the masquerade target all of the time instead of the SNAT target. Because the source IP is static, the SNAT target will cause the NAT calculations to be performed once for a given session. Subsequent packets belonging to that session are handled the same way as the first. With the masquerade target, each packet is checked for the source IP to use, which requires more overhead than with SNAT. This is why SNAT is preferable if you have a static source IP address, and masquerade is your only option if you do not have a static source IP address to use.

External Links:

Linux 2.4 NAT HOWTO at

NAT and Firewall Advanced Options in pfSense

In this article, I will cover some additional advanced settings available for firewall and NAT, which you can find by navigating to System -> Advanced and clicking on the “Firewall/NAT” tab.

Firewall Advanced Options


Advanced firewall and NAT options in pfSense.

Under “Firewall Advanced”, you will find the “Bypass firewall rules for traffic on the same interface” check box. This option applies only if you have defined one or more static routes (and presumably, at least one gateway; I covered configuring static routes in a previous article). If multiple subnets are connected to the same interface (e.g., if you divide the LAN into two or more separate subnets), using this option may be advantageous.

Next is the “Disable all auto-added VPN rules” check box. Checking this will disable any rules automatically added when a VPN was created. Next is the “Disable reply-to on WAN rules” check box. With Multi-WAN, you generally want to ensure traffic leaves the same interface it arrives on. Hence, reply-to is added automatically by default. When using bridging (or 1:1 NAT port forwarding with multiple interfaces), you must disable this behavior (by checking this box) if the WAN gateway IP is different from the gateway IP of the hosts behind the bridged interface. Finally, there is the “Disable Negate rule on policy routing rules” check box. With Multi-WAN, you generally want to ensure traffic reaches directly connected networks and VPN networks when using policy routing. You can disable this for special purposes (by checking this box), but it requires manually creating rules for this network.

NAT Advanced Options

The next section is “Network Address Translation”. The first option is the “Disable NAT Reflection for port forwards” check box. With NAT reflection, packets from internal networks that are addressed to the network’s public IP address will be treated as if they are coming from from the WAN interface. The router’s port forwarding rules will then determine where the packets go. Checking this box disables the automatic creation of additional NAT redirect rules for access to port forwards on your external IP addresses from within your internal networks.

Next is “Reflection Timeout“. This edit box allows you to set a NAT reflection timeout in seconds. The next option is the “NAT Reflection for 1:1 check box“. Checking this disables the automatic creation of additional NAT 1:1 mappings for access to 1:1 mappings of your external IP addresses from within your internal networks. The next check box is “Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from.” This only applies to 1:1 NAT rules, and is helpful when NAT reflection is enabled.

The last option is “TFTP Proxy“. You can click on an interface listed (hold down SHIFT to select multiple interfaces) to enable TFTP proxy on the interface. Since TFTP is considered to be a security risk (no security or authentication is provided by the protocol specification), this option should only be enabled if absolutely necessary. Finally, click on “Save” to save the changes.

Other articles in this series:

webConfigurator options in pfSense

Admin Access Options in pfSense

Firewall Advanced Options in pfSense

External Links:

Network Address Translation at Wikipedia

© 2013 David Zientara. All rights reserved. Privacy Policy