So now we know how to select the packets we want to mangle. To complete our rule, we need to tell the kernel exactly what we want it to do to the packets.
The first thing to decide is the `binding type': are we going to be changing the source or the destination of the packet? We can't do both at once (in fact, we can't do both at all at the moment).
You want to do normal NAT; change the source address of connections to something different. This is done with the `-b source' or `--binding source' options. The packet will be altered just before it is finally sent out; this is an important detail, since it means that anything else on the Linux box itself (routing, packet filtering) will see the packet unchanged.
You want to do Reverse NAT; change the destination address of connections to something different. This is done with the `-b destination' or `--binding destination' options. The packet will be altered as it comes in; this is an important detail, since it means that anything else on the Linux box itself (routing, packet filtering) will see the altered packet.
Once we've decided whether we're mangling the source or destination, we need to decide what to change it to. This is done with the `-t' or `--to' option. This can be followed by:
This specifies the range onto which the packet will be mapped. If you specified a specific protocol, and it was UDP or TCP, you have an additional option: you can specify `--to-port', to indicate that you want to alter the port as well. This can be followed by a single port, or two ports separated by a `-'. The ports can be numbers or names.
If a range of IP addresses are given, normally the IP address to use is chosen based on the least currently used IP for connections the machine knows about.
However, it is possible to override this using a specialized mapping module (`-m' or `--mapping-type'). Two of these are included with the default netfilter distribution:
This selects the IP address to use based on the interface the packet will be sent out from; this can only be used in a source binding rule (`-b source'). You should not use `-t' at all with this mapping. It also has the side effect that when the interface goes down, all current mappings are forgotten, so you should not use this for interfaces which do not have a dynamic IP address, otherwise it will lose connections unnecessarily.
This selects the IP address to use based on the interface the packet came in on; this can only be used in a destination binding rule (`-b source'). This has the effect of treating the packet as if it were destined for the machine itself in the first place, allowing transparent proxying. You should not use `-t' at all with this mapping.
If these modules are installed in the correct place, and dependencies made correctly using `depmod -a', they should be automatically loaded when you try to use them. If not, you can manual insmod them into the kernel before rules can use them.