Sometimes a NAT box is built with iptables on Linux, as in an AWS NAT instance. If you are a network engineer used to operating network devices such as routers and firewalls, you will often want to check the connection (translation) state.
On Linux, the `netstat-nat` command lets you check the NAT (NAPT / PAT) connection status in much the same way as `show xlate`. Note that `netstat-nat` is a separate command, not an option of `netstat`.
- Install netstat-nat
- netstat-nat Commands
- Checking connections of NAT-Gateway
- Conclusion - Checking state of NAT connection on iptables (AWS NAT instance, etc.)
Install netstat-nat
The standard `netstat` does not show connections translated by iptables NAT.
```
# netstat -natu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 172.xx.x.x:22           xx.xxx.xx.xxx:61476     ESTABLISHED
tcp        0    216 172.xx.x.x:22           xx.xxx.xx.xxx:61179     ESTABLISHED
tcp        0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 172.xx.x.x:123          0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
```
Install `netstat-nat` with yum from EPEL. Run `yum install epel-release` first if the EPEL repository is not installed yet.
```
[root@ip-x-x-x-x ~]# yum install netstat-nat --enablerepo=epel
Loaded plugins: priorities, update-motd, upgrade-helper
amzn-main                                                | 2.1 kB     00:00:00
amzn-updates                                             | 2.5 kB     00:00:00
1060 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package netstat-nat.x86_64 0:1.4.10-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================
 Package          Arch       Version           Repository   Size
================================================================
Installing:
 netstat-nat      x86_64     1.4.10-1.el6      epel         22 k

Transaction Summary
================================================================
Install  1 Package

Total download size: 22 k
Installed size: 45 k
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/latest/epel/packages/netstat-nat-1.4.10-1.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Public key for netstat-nat-1.4.10-1.el6.x86_64.rpm is not installed
netstat-nat-1.4.10-1.el6.x86_64.rpm                      |  22 kB     00:00:00
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Importing GPG key 0x0608B895:
 Userid     : "EPEL (6) <epel@fedoraproject.org>"
 Fingerprint: 8c3b e96a f230 9184 da5c 0dae 3b49 df2a 0608 b895
 Package    : epel-release-6-8.9.amzn1.noarch (installed)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : netstat-nat-1.4.10-1.el6.x86_64                              1/1
  Verifying  : netstat-nat-1.4.10-1.el6.x86_64                              1/1

Installed:
  netstat-nat.x86_64 0:1.4.10-1.el6

Complete!
```
netstat-nat Commands
Details of `netstat-nat` are here:
https://www.tweegy.nl/projects/netstat-nat/
```
# netstat-nat --help
netstat-nat: invalid option -- '-'
args: -h: displays this help
      -n: don't resolve host/portnames
      -p <protocol> : display connections by protocol
      -s <source-host> : display connections by source
      -d <destination-host>: display connections by destination
      -S: display SNAT connections
      -D: display DNAT connections (default: SNAT & DNAT)
      -L: display only connections to NAT box itself (doesn't show SNAT & DNAT)
      -R: display only connections routed through the NAT box (doesn't show SNAT & DNAT)
      -x: extended hostnames view
      -r src | dst | src-port | dst-port | state : sort connections
      -o: strip output header
      -N: display NAT box connection information (only valid with SNAT & DNAT)
      -v: print version

netstat-nat [-S|-D|-L|-R] [-no]
netstat-nat [-nxo]
```
Use the `-n` option to disable DNS name resolution (so the listing is fast and shows raw addresses), and the `-N` option to also display the translated and mapped `IP address:port number` on the NAT instance side.
If you run the command repeatedly while the internal instance is communicating, you can watch the connection state transition as shown below. Here `192.168.0.10` is the internal instance and `172.16.0.10` is the NAT instance.
```
# netstat-nat -nN
Proto NATed Address             NAT-host Address           Destination Address        State
tcp   192.168.0.10:51258        172.16.0.10:51258          93.184.216.34:443          ESTABLISHED
tcp   192.168.0.10:51330        172.16.0.10:51330          93.184.216.34:443          SYN_SENT
tcp   192.168.0.10:51278        172.16.0.10:51278          93.184.216.34:443          CLOSE
# netstat-nat -nN
Proto NATed Address             NAT-host Address           Destination Address        State
tcp   192.168.0.10:51258        172.16.0.10:51258          93.184.216.34:443          CLOSE
tcp   192.168.0.10:51330        172.16.0.10:51330          93.184.216.34:443          ESTABLISHED
tcp   192.168.0.10:51278        172.16.0.10:51278          93.184.216.34:443          CLOSE
# netstat-nat -nN
Proto NATed Address             NAT-host Address           Destination Address        State
tcp   192.168.0.10:51258        172.16.0.10:51258          93.184.216.34:443          CLOSE
tcp   192.168.0.10:51330        172.16.0.10:51330          93.184.216.34:443          CLOSE
tcp   192.168.0.10:51278        172.16.0.10:51278          93.184.216.34:443          CLOSE
```
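To make the three address columns concrete, here is an added example (not part of the original post and not netstat-nat's own code) that derives the same SNAT view from conntrack table lines: the "NATed Address" is the original-direction source, the "NAT-host Address" is where reply packets are addressed, and a flow with no difference between the two is not NAT at all. The conntrack lines, the `192.168.0.11`, `198.51.100.53` and `203.0.113.5` addresses and the port numbers are constructed sample data.

```python
import re

# Constructed sample of /proc/net/nf_conntrack lines (not captured from a real
# NAT instance): two SNATed TCP flows, one SNATed UDP flow, and one plain SSH
# session to the NAT box itself, which must not be reported as NAT.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.0.10 dst=93.184.216.34 sport=51258 dport=443 src=93.184.216.34 dst=172.16.0.10 sport=443 dport=51258 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=192.168.0.10 dst=93.184.216.34 sport=51330 dport=443 src=93.184.216.34 dst=172.16.0.10 sport=443 dport=51330 mark=0 zone=0 use=2
ipv4     2 udp     17 29 src=192.168.0.11 dst=198.51.100.53 sport=40123 dport=53 src=198.51.100.53 dst=172.16.0.10 sport=53 dport=1024 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.5 dst=172.16.0.10 sport=61476 dport=22 src=172.16.0.10 dst=203.0.113.5 sport=22 dport=61476 [ASSURED] mark=0 zone=0 use=2
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one conntrack line into (proto, state, original tuple, reply tuple)."""
    tokens = line.split()
    if tokens[0] in ("ipv4", "ipv6"):   # nf_conntrack prefixes the L3 family;
        tokens = tokens[2:]              # the older ip_conntrack file does not
    proto = tokens[0]
    # "proto protonum timeout" is followed by a state word for TCP only;
    # UDP entries go straight to the first src= tuple.
    state = "" if tokens[3].startswith("src=") else tokens[3]
    pairs = KV.findall(line)
    # First four key=value pairs are the original direction, next four the reply.
    return proto, state, dict(pairs[0:4]), dict(pairs[4:8])


def snat_connections(conntrack_text):
    """Rows in netstat-nat -nN column order:
    (proto, NATed address, NAT-host address, destination address, state).
    A flow is SNATed when reply packets are addressed to a different
    address:port than the original source; untranslated flows are dropped."""
    rows = []
    for line in conntrack_text.splitlines():
        if not line.strip():
            continue
        proto, state, orig, reply = parse_line(line)
        if proto not in ("tcp", "udp"):   # ICMP entries use a different tuple layout
            continue
        nated = f"{orig['src']}:{orig['sport']}"
        nat_host = f"{reply['dst']}:{reply['dport']}"
        dest = f"{orig['dst']}:{orig['dport']}"
        if nated == nat_host:             # no source rewrite, so not SNAT
            continue
        rows.append((proto, nated, nat_host, dest, state))
    return rows
```

On a real NAT instance, feed it the contents of `/proc/net/nf_conntrack` (read as root) instead of the constructed sample; the fourth sample line shows why `netstat-nat` needs the `-L` and `-R` modes to see the non-NAT flows this function drops.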
Checking connections of NAT-Gateway
If you use a NAT gateway instead of a NAT instance, you can check its status from the CloudWatch metrics instead. A NAT gateway may also offer operational and performance benefits.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway-cloudwatch.html
Conclusion - Checking state of NAT connection on iptables (AWS NAT instance, etc.)
By using the `netstat-nat` command, I was able to check the status of NAT (NAPT / PAT) connections with iptables on Linux (AWS NAT instance).