4. Selecting What Packets To Mangle

You need to create NAT rules which tell the kernel what connections to change, and how to change them. To do this, we use the `ipnatctl' tool, found in the netfilter distribution. It takes a number of standard options as listed below.

You can specify the source (`-s' or `--source') and destination (`-d' or `--destination') of the packets you want to NAT. These options can be followed by a single IP address (eg. 192.168.1.1), a name (eg. www.kernelnotes.org), or a network address (eg. 192.168.1.0/24 or 192.168.1.0/255.255.255.0).

4.1 A Detour Into IP Addresses

If you're not familiar with the /-notation used for network addresses, it works like this.

Every machine needs an individual address. To keep things simple, we assign them in clumps; each network of machines generally gets a range of addresses.

A single IP address is 32 bits long: printed in binary, it has 32 binary digits, each 1 or 0. It's standard to print them as 4 decimal numbers, each representing 8 bits, such as `192.168.1.1'. In binary, this would be `11000000101010000000000100000001'.

To talk about a network of machines, we simply decide which bits of the address indicate the network: if two IP addresses have these bits the same, then they are on the same network.

The simplest way of representing this is the `/n' notation, such as `192.168.1.0/24'. The `/24' means that the first 24 bits of this address are important: remembering that each number represents 8 bits, this means that any IP address starting with `192.168.1.' is on this network. As another example, `10.0.0.0/8' means that any IP address starting with `10.' is on the network.

The second part (usually called the netmask) doesn't have to be a multiple of eight, but it often is, to make it easier to instantly recognise related IP addresses.

There is another way to write the netmask, and that is to spell it out in IP-address form, such as `192.168.1.0/255.255.255.0'. In binary, 255 is `11111111', so 255.255.255.0 is `11111111111111111111111100000000'. Each 1 in this netmask indicates that the corresponding bit in the IP address is important: this means that the first 24 bits are important, so `192.168.1.0/255.255.255.0' is equivalent to `192.168.1.0/24'.

Here is a table of common addresses you will see:

Decimal         Range                        Use

192.168.1.0/24  192.168.1.0-192.168.1.255    Common in masqueraded networks
192.168.0.0/16  192.168.0.0-192.168.255.255  RFC 1918: private network addrs
10.0.0.0/8      10.0.0.0-10.255.255.255      RFC 1918: private network addrs
172.16.0.0/12   172.16.0.0-172.31.255.255    RFC 1918: private network addrs

This can be quite confusing, but you'll see the same notation and the same numbers popping up over and over again, so I recommend you read the above paragraphs a couple of times.
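The bit arithmetic described above, worked through in code. This is an added example and not part of the HOWTO or of the netfilter tools: it builds the mask from a `/n' prefix length, converts a dotted netmask such as 255.255.255.0 back to a prefix length, tests whether an address falls inside a network, and reproduces the ranges in the table. The results are cross-checked against Python's standard `ipaddress' module, which implements the same rules.

```python
import ipaddress


def ip_to_int(dotted):
    """'192.168.1.1' -> the 32-bit integer 11000000101010000000000100000001 (binary)."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(p < 0 or p > 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {dotted}")
    n = 0
    for p in parts:
        n = (n << 8) | p        # each decimal number contributes 8 bits
    return n


def int_to_ip(n):
    """Inverse of ip_to_int: 32-bit integer -> dotted decimal."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """'/24' -> 0xFFFFFF00: the first `prefix' bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return ((1 << prefix) - 1) << (32 - prefix)


def mask_to_prefix(mask_dotted):
    """'255.255.255.0' -> 24. Rejects masks whose 1s are not contiguous."""
    mask = ip_to_int(mask_dotted)
    ones = bin(mask).count("1")
    if mask != prefix_to_mask(ones):
        raise ValueError(f"non-contiguous netmask: {mask_dotted}")
    return ones


def parse_network(spec):
    """Accept '192.168.1.0/24', '192.168.1.0/255.255.255.0' or a bare host.

    Returns (network_int, prefix). Host bits of the given address are cleared,
    so '192.168.1.77/24' describes the same network as '192.168.1.0/24'.
    """
    if "/" in spec:
        addr, suffix = spec.split("/", 1)
        prefix = int(suffix) if suffix.isdigit() else mask_to_prefix(suffix)
    else:
        addr, prefix = spec, 32           # a single address is a /32 network
    return ip_to_int(addr) & prefix_to_mask(prefix), prefix


def in_network(ip, spec):
    """True if `ip' shares the important (masked) bits with the network."""
    net, prefix = parse_network(spec)
    return (ip_to_int(ip) & prefix_to_mask(prefix)) == net


def network_range(spec):
    """(first address, last address) covered by the network, as in the table."""
    net, prefix = parse_network(spec)
    host_bits = ~prefix_to_mask(prefix) & 0xFFFFFFFF
    return int_to_ip(net), int_to_ip(net | host_bits)


def agrees_with_stdlib(spec):
    """Cross-check: the hand-rolled parser and ipaddress name the same network."""
    net, prefix = parse_network(spec)
    return str(ipaddress.ip_network(spec, strict=False)) == f"{int_to_ip(net)}/{prefix}"


if __name__ == "__main__":
    # Reproduce the table of common addresses from the HOWTO.
    for spec in ("192.168.1.0/24", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"):
        first, last = network_range(spec)
        print(f"{spec:16} {first}-{last}  stdlib agrees: {agrees_with_stdlib(spec)}")
    print("24 bits as a netmask:", int_to_ip(prefix_to_mask(24)))
```

Note that `/12' is not a multiple of eight, which is exactly why 172.16.0.0/12 ends at 172.31.255.255 rather than on a dotted-number boundary: only the top four bits of the second number are part of the network.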

4.2 Still Selecting What Packets To Mangle

I said above that you can specify a source and destination address. If you omit the source address option, then any source address will do. If you omit the destination address option, then any destination address will do.

You can also indicate a specific protocol (`-p' or `--protocol'), such as TCP or UDP; only packets of this protocol will match the rule. The main reason for doing this is that specifying a protocol of tcp or udp then allows extra options: specifically the `--source-port' and `--destination-port' options (abbreviated as `--sport' and `--dport').

These options allow you to specify that only packets with a certain source and destination port will match the rule. This is useful for redirecting web requests (TCP port 80 or 8080) and leaving other packets alone.

These options must follow the `-p' option (which has a side-effect of loading the shared library extension for that protocol). You can use port numbers, or a name from the /etc/services file.
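The matching semantics of this section, modelled in code as an added example (this is not ipnatctl's own code; the rule and packet representations are assumptions made for illustration). A rule carries the same options as above: omitted source or destination means any address, `-p' restricts the protocol, and `--sport'/`--dport' are only accepted once a protocol of tcp or udp has been given. Port names are resolved through a small constructed table standing in for /etc/services. The sample packets are constructed for the example.

```python
import ipaddress

# Constructed stand-in for the name -> port entries of /etc/services.
SERVICES = {"http": 80, "www": 80, "http-alt": 8080, "domain": 53, "ssh": 22}


def parse_port(value):
    """Accept a port number ('80' or 80) or a service name ('www')."""
    if isinstance(value, int):
        return value
    if value.isdigit():
        return int(value)
    if value.lower() not in SERVICES:
        raise ValueError(f"unknown service name: {value}")
    return SERVICES[value.lower()]


class Rule:
    """One selection rule: -s/-d networks, -p protocol, --sport/--dport."""

    def __init__(self, source=None, destination=None, protocol=None,
                 sport=None, dport=None):
        # Networks may be a host, a/n prefix or a dotted netmask; None means any.
        self.source = ipaddress.ip_network(source, strict=False) if source else None
        self.destination = ipaddress.ip_network(destination, strict=False) if destination else None
        self.protocol = protocol.lower() if protocol else None
        # Port options are an extension of the tcp/udp protocol match and
        # are meaningless without one, so reject them here.
        if (sport is not None or dport is not None) and self.protocol not in ("tcp", "udp"):
            raise ValueError("--sport/--dport require -p tcp or -p udp")
        self.sport = parse_port(sport) if sport is not None else None
        self.dport = parse_port(dport) if dport is not None else None

    def matches(self, packet):
        """packet: dict with 'src', 'dst', 'proto' and, for tcp/udp, 'sport', 'dport'."""
        if self.source is not None and ipaddress.ip_address(packet["src"]) not in self.source:
            return False
        if self.destination is not None and ipaddress.ip_address(packet["dst"]) not in self.destination:
            return False
        if self.protocol is not None and packet["proto"] != self.protocol:
            return False
        if self.sport is not None and packet.get("sport") != self.sport:
            return False
        if self.dport is not None and packet.get("dport") != self.dport:
            return False
        return True


def select_packets(rule, packets):
    """Return the names of the packets the rule would select for mangling."""
    return [p["name"] for p in packets if rule.matches(p)]


# Constructed sample traffic from a masqueraded 192.168.1.0/24 network.
PACKETS = [
    {"name": "web", "src": "192.168.1.10", "dst": "203.0.113.5", "proto": "tcp", "sport": 40001, "dport": 80},
    {"name": "web-alt", "src": "192.168.1.11", "dst": "203.0.113.5", "proto": "tcp", "sport": 40002, "dport": 8080},
    {"name": "dns", "src": "192.168.1.10", "dst": "203.0.113.53", "proto": "udp", "sport": 40003, "dport": 53},
    {"name": "ping", "src": "192.168.1.12", "dst": "203.0.113.5", "proto": "icmp"},
    {"name": "outside", "src": "198.51.100.7", "dst": "203.0.113.5", "proto": "tcp", "sport": 40004, "dport": 80},
]

if __name__ == "__main__":
    # Redirect web requests from the local network, leave everything else alone.
    web_rule = Rule(source="192.168.1.0/24", protocol="tcp", dport="www")
    print("web rule selects:", select_packets(web_rule, PACKETS))
    # No source given: any source address will do.
    print("any-source rule selects:", select_packets(Rule(protocol="tcp", dport=80), PACKETS))
```

Leaving `-s' out of the second rule is what makes it also catch the packet from 198.51.100.7; a rule meant only for the masqueraded network should always name that network explicitly.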
