designetwork(EN)

IT technical memo of networking

Checking state of NAT connection on iptables (AWS NAT instance, etc.)

f:id:daichi703n:20190309144649p:plain

Sometimes a NAT machine is created by iptables on Linux, such as an AWS NAT instance. If you are a network engineer who has experience in operating network devices such as routers and FWs, you will often want to check the connection status.

Use the netstat-nat command to check the NAT (NAPT / PAT) connection status even on Linux, likeshow xlate. netstat-nat command, not an option of netstat.

Install netstat-nat

The standard netstat does not show NAT connections with iptables.

# netstat -natu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 172.xx.x.x:22               xx.xxx.xx.xxx:61476         ESTABLISHED
tcp        0    216 172.xx.x.x:22               xx.xxx.xx.xxx:61179         ESTABLISHED
tcp        0      0 :::22                       :::*                        LISTEN
udp        0      0 0.0.0.0:68                  0.0.0.0:*
udp        0      0 172.xx.x.x:123              0.0.0.0:*
udp        0      0 127.0.0.1:123               0.0.0.0:*
udp        0      0 0.0.0.0:123                 0.0.0.0:*

Install netstat-nat with yum. yum install epel-release if EPEL is not installed.

[root@ip-x-x-x-x ~]# yum install netstat-nat --enablerepo=epel
Loaded plugins: priorities, update-motd, upgrade-helper
amzn-main                                     | 2.1 kB  00:00:00
amzn-updates                                  | 2.5 kB  00:00:00
1060 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package netstat-nat.x86_64 0:1.4.10-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================
 Package              Arch     Version        Repository   Size
================================================================
Installing:
 netstat-nat          x86_64   1.4.10-1.el6   epel         22 k

Transaction Summary
================================================================
Install  1 Package

Total download size: 22 k
Installed size: 45 k
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/latest/epel/packages/netstat-nat-1.4.10-1.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Public key for netstat-nat-1.4.10-1.el6.x86_64.rpm is not installed
netstat-nat-1.4.10-1.el6.x86_64.rpm                |  22 kB  00:00:00
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Importing GPG key 0x0608B895:
 Userid     : "EPEL (6) <epel@fedoraproject.org>"
 Fingerprint: 8c3b e96a f230 9184 da5c 0dae 3b49 df2a 0608 b895
 Package    : epel-release-6-8.9.amzn1.noarch (installed)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : netstat-nat-1.4.10-1.el6.x86_64                                                                   1/1
  Verifying  : netstat-nat-1.4.10-1.el6.x86_64                                                                   1/1

Installed:
  netstat-nat.x86_64 0:1.4.10-1.el6

Complete!

netstat-natCommands

Details of netstat-nat are here:

https://www.tweegy.nl/projects/netstat-nat/

# netstat-nat --help
netstat-nat: invalid option -- '-'
args: -h: displays this help
      -n: don't resolve host/portnames
      -p <protocol>        : display connections by protocol
      -s <source-host>     : display connections by source
      -d <destination-host>: display connections by destination
      -S: display SNAT connections
      -D: display DNAT connections (default: SNAT & DNAT)
      -L: display only connections to NAT box itself (doesn't show SNAT & DNAT)
      -R: display only connections routed through the NAT box (doesn't show SNAT & DNAT)
      -x: extended hostnames view
      -r src | dst | src-port | dst-port | state : sort connections
      -o: strip output header
      -N: display NAT box connection information (only valid with SNAT & DNAT)
      -v: print version

      netstat-nat [-S|-D|-L|-R] [-no]
      netstat-nat [-nxo]

Use the -n option to disable DNS name resolution, and use the -N option to display the translated and mapped IP address: port number by NAT instance.

When confirming while communicating, it can be confirmed that the state transitions as follows.
192.168.0.10: Internal instance,172.16.0.10: NAT instance.

# netstat-nat -nN
Proto NATed Address        NAT-host Address    Destination Address    State
tcp   192.168.0.10:51258    172.16.0.10:51258    93.184.216.34:443      ESTABLISHED
tcp   192.168.0.10:51330    172.16.0.10:51330    93.184.216.34:443      SYN_SENT   
tcp   192.168.0.10:51278    172.16.0.10:51278    93.184.216.34:443      CLOSE      

# netstat-nat -nN
Proto NATed Address        NAT-host Address    Destination Address    State
tcp   192.168.0.10:51258    172.16.0.10:51258    93.184.216.34:443      CLOSE      
tcp   192.168.0.10:51330    172.16.0.10:51330    93.184.216.34:443      ESTABLISHED
tcp   192.168.0.10:51278    172.16.0.10:51278    93.184.216.34:443      CLOSE      

# netstat-nat -nN
Proto NATed Address        NAT-host Address    Destination Address    State
tcp   192.168.0.10:51258    172.16.0.10:51258    93.184.216.34:443      CLOSE      
tcp   192.168.0.10:51330    172.16.0.10:51330    93.184.216.34:443      CLOSE      
tcp   192.168.0.10:51278    172.16.0.10:51278    93.184.216.34:443      CLOSE

Checking connections of NAT-Gateway

If you use a NAT gateway instead of a NAT instance, you can check the status from Cloud Watch. NAT gateways may have more operational and performance benefits.

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway-cloudwatch.html

Conclusion - Checking state of NAT connection on iptables (AWS NAT instance, etc.)

By using the netstat-nat command, I was able to check the status of NAT (NAPT / PAT) connections with iptables on Linux (AWS NAT instance).


This Blog is English Version of my JP's.

Sorry if my English sentences are incorrect.

designetwork