NAT rules are used to configure destination network address translation (DNAT) for translating and filtering the inbound traffic coming to our subnets. Using a NAT rule collection, you will be able to translate a public IP and port to a private IP and port. This is quite useful in publishing remote access protocols like SSH and RDP to the Internet.
To give an example, assume you have a Linux server with a private IP address of 10.0.0.4 and an SSH server listening on port 22. Instead of exposing this IP and port directly to the Internet, you can create a NAT rule on the firewall that uses the firewall's public IP and an arbitrary port. Assuming the public IP address of the firewall is 52.172.11.16, a NAT rule can redirect all traffic hitting port 5000 on the firewall to 10.0.0.4 on port 22. In short, 52.172.11.16:5000 is translated to 10.0.0.4:22: a public IP address and port are mapped to a private IP address and port.
The configuration of a NAT rule will require the following parameters:
- Name: Unique name given to identify the rule.
- Protocol: TCP or UDP.
- Source address: The source of the traffic. It can be Internet, IP CIDR blocks, or specific IP addresses.
- Destination address: The external IP address of the firewall whose incoming traffic you want to inspect.
- Destination ports: The port on which the rule will listen.
- Translated address: The private IP address of the target service, such as a virtual machine or load balancer.
- Translated port: The port to which the firewall routes the traffic after translation.
Recapping the example, our destination address was the public IP of the firewall, and the destination port was 5000. Similarly, the translated address was the private IP address of the VM, and the translated port was 22.
Network Rules
A network rule must be in place for any non-HTTP/S traffic to be allowed through the firewall. For a source to communicate with a destination deployed behind the firewall, you need a network rule configured from that source to that destination. If no rule specifically matches the incoming traffic, it is dropped. Let's look at the parameters required to set up a network rule.
- Name: A unique identifier for the rule.
- Protocol: TCP, UDP, ICMP, or Any. Selecting Any allows TCP, UDP, and ICMP.
- Source address: Address or CIDR block that represents the source.
- Destination addresses: Addresses or CIDR blocks that represent the destinations.
- Destination port: The destination port.
Looking at the parameters gives a clear picture of what is needed to configure a network rule. Note that the source is a single source address, while the destination is destination addresses (plural): one source can be mapped to multiple destinations within a single rule. Instead of writing many rules, you can have one rule that allows traffic from a source to multiple destinations.
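To make the two rule types concrete, here is a small reference model, added as an example and not taken from any firewall vendor's code, that evaluates inbound flows first against a NAT rule collection (public IP:port rewritten to private IP:port, exactly the 52.172.11.16:5000 to 10.0.0.4:22 case above) and then against a network rule collection with the default-deny behaviour and the one-source-to-many-destinations rule described in this section. The client address 203.0.113.7, the 10.1.0.0/24 and 10.2.0.x addresses, and all rule names are constructed for the illustration; the matching semantics for "Internet", CIDR blocks, single IPs and port ranges are assumptions of this model.

```python
"""Reference model of DNAT and network rule evaluation (added example, not vendor code).

Firewall public IP 52.172.11.16 and server 10.0.0.4:22 come from the article's
scenario; every other address and rule name below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


def addr_matches(pattern: str, addr: str) -> bool:
    """Match an address against 'Internet'/'*', a CIDR block, or a single IP."""
    if pattern in ("Internet", "*"):
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def port_matches(pattern: str, port: int) -> bool:
    """Ports may be given as '*', a single port '22', or a range '1000-2000'."""
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = (int(p) for p in pattern.split("-", 1))
        return lo <= port <= hi
    return int(pattern) == port


@dataclass(frozen=True)
class Flow:
    protocol: str          # "TCP", "UDP" or "ICMP"
    src_ip: str
    dst_ip: str
    dst_port: int          # 0 for ICMP, which has no port


@dataclass
class NatRule:
    """One DNAT rule: listen on the firewall's public IP:port, rewrite to a private IP:port."""
    name: str
    protocol: str
    source_addresses: Sequence[str]
    destination_address: str      # the firewall's public IP
    destination_port: str
    translated_address: str       # private IP of the VM / load balancer
    translated_port: int

    def matches(self, f: Flow) -> bool:
        return (self.protocol == f.protocol
                and any(addr_matches(s, f.src_ip) for s in self.source_addresses)
                and addr_matches(self.destination_address, f.dst_ip)
                and port_matches(self.destination_port, f.dst_port))


@dataclass
class NetworkRule:
    """One network rule: a single source, possibly many destinations, explicit allow."""
    name: str
    protocols: Sequence[str]      # subset of TCP/UDP/ICMP, or ["Any"]
    source_addresses: Sequence[str]
    destination_addresses: Sequence[str]
    destination_ports: Sequence[str]

    def matches(self, f: Flow) -> bool:
        return (("Any" in self.protocols or f.protocol in self.protocols)
                and any(addr_matches(s, f.src_ip) for s in self.source_addresses)
                and any(addr_matches(d, f.dst_ip) for d in self.destination_addresses)
                and any(port_matches(p, f.dst_port) for p in self.destination_ports))


def apply_dnat(rules: Sequence[NatRule], f: Flow) -> Optional[Flow]:
    """Return the translated flow for the first matching NAT rule, or None if nothing is published."""
    for r in rules:
        if r.matches(f):
            return Flow(f.protocol, f.src_ip, r.translated_address, r.translated_port)
    return None


def network_verdict(rules: Sequence[NetworkRule], f: Flow) -> str:
    """Default deny: a flow with no explicitly matching network rule is dropped."""
    for r in rules:
        if r.matches(f):
            return f"allow ({r.name})"
    return "drop"


# Constructed rule collections reproducing the article's scenario.
NAT_RULES = [
    NatRule("ssh-to-linux", "TCP", ["Internet"], "52.172.11.16", "5000", "10.0.0.4", 22),
]
NETWORK_RULES = [
    # One source subnet, three destinations, a single rule.
    NetworkRule("app-to-db-tier", ["TCP"], ["10.1.0.0/24"],
                ["10.2.0.10", "10.2.0.11", "10.2.0.12"], ["1433"]),
    NetworkRule("monitoring-ping", ["ICMP"], ["10.1.0.5"], ["10.0.0.0/8"], ["*"]),
]

if __name__ == "__main__":
    inbound = Flow("TCP", "203.0.113.7", "52.172.11.16", 5000)      # constructed Internet client
    print(apply_dnat(NAT_RULES, inbound))                            # translated to 10.0.0.4:22
    print(apply_dnat(NAT_RULES, Flow("TCP", "203.0.113.7", "52.172.11.16", 22)))  # None: 22 is not published
    print(network_verdict(NETWORK_RULES, Flow("TCP", "10.1.0.20", "10.2.0.11", 1433)))  # allow
    print(network_verdict(NETWORK_RULES, Flow("TCP", "10.1.0.20", "10.2.0.13", 1433)))  # drop
```

The second `apply_dnat` call is the point of publishing SSH on port 5000 rather than 22: a probe to the firewall's public IP on port 22 matches no NAT rule and is not forwarded. Likewise, the `10.2.0.13` flow shows the default-deny behaviour of network rules; a destination that is not listed in any rule is dropped even though its neighbours in the same subnet are allowed.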