NAT
Used to modify the source or destination address of packets as they pass through.
Chains
PREROUTING
Engaged for incoming packets before any routing decision is made, suitable for DNAT.
POSTROUTING
Activated for outgoing packets after all routing decisions have been made, ideal for SNAT and masquerading.
OUTPUT
Applied to locally generated packets before they are sent out, allowing for DNAT on outgoing traffic.
Actions
DNAT
Modifies the destination address (and optionally the port) of incoming packets.
Primarily used with PREROUTING and OUPUT to redirect to IP or Post
Uses: Portforwarding, load balancing, or directing traffic to internal servers that are hidden behind a firewall or NAT device.
SNAT
Changes the source address (and optionally the port) of outgoing packets.
Used in POSTROUTING to alter the packet's source address for outgoing packets.
Crucial for scenarios where multiple private IP addresses need to be masqueraded as a single public IP address.
MASQUERADE
Special form of SNAT for dynamically assigned IPs, such as those found with DHCP.
Automatically uses the current IP of the outgoing network interface, eliminating the need to specify a specific IP address.
Useful for connections with dynamic external IPs.
REDIRECT
Alters the destination port or address to the local machine.
Typically used in the PREROUTING and OUTPUT for transparent proxying, where the packet's destination is modified to redirect the traffic to a local service without changing the packet's destination IP.
RETURN
Stops processing in the current chain and returns to the previous chain from which the packet came.
Not specific to NAT operations.
Can be used within user-defined chains in the "nat" table to halt processing and allow the packet to be evaluated against the subsequent rules in the original chain.
Examples by Chain
PREROUTING
Port forwarding to a Local Server:
Redirects traffic destined for a specific port on the public interface to a different port on a private server behind the firewall.
Masquerading:
Translates the private addresses of internal machines behind the firewall to the public IP of the firewall for outgoing traffic.
Load balancing:
Distributes traffic across multiple internal servers by redirecting requests to different ports based on a specific criteria.
Redirecting All Incoming Traffic to a Specific Port
Transparent Proxy:
If you're running a proxy server on your network (e.g., Squid running on port 3128), you can redirect all outgoing HTTP traffic to go through the proxy without configuring each client.
This example assumes the proxy server is on the same machine where iptables is being configured.
POSTROUTING
Masquerading Outgoing Traffic:
Masquerading Based on Source IP:
Masquerading Based on Destination:
SNAT Translates the private IPs of internal machines behind the firewall to a specific public IP when they initiate outgoing connections
All internal IPs:
--to-source 10.0.0.1 Specifies the new source IP address for outgoing packets.
SNAT with Multiple IPs:
Port masking:
Network Address Translation (NAT) Hairpinning:
Allows internal servers to access resources hosted on other internal servers while using their private IP addresses, even though they share the same public IP.
Outbound traffic filtering:
OUTPUT
While the OUTPUT chain in the iptables NAT table exists, it is generally not recommended to use it for NAT operations.
Limited Functionality:
Compared to PREROUTING and POSTROUTING, OUTPUT has limited NAT capabilities.
It can only perform Destination NAT (DNAT), modifying the destination address of outgoing packets.
It cannot manipulate source addresses or perform other NAT operations like masquerading.
Redundancy:
The functionalities achievable with OUTPUT chain DNAT can often be achieved more efficiently and transparently through other chains:
For local server DNAT: Use PREROUTING chain DNAT, as it directly affects incoming packets heading to your server.
For masquerading: Use POSTROUTING chain SNAT, which automatically translates private addresses for all outgoing traffic.
Potential Risks: Modifying outbound packets within the OUTPUT chain can sometimes create unexpected behavior or interfere with applications.
However, for educational purposes, here's an example of using OUTPUT chain DNAT:
Examples by Action
DNAT
PREROUTING:
Port forwarding: Redirects traffic destined for a public port to a different port on a private server:
Port forwarding: Redirecting all incoming HTTP traffic to a different server.
Load balancing: This rule distributes traffic across multiple internal servers based on source IP range:
Transparent proxy: This rule redirects all traffic to a transparent proxy server:
Forwarding Traffic to a VPN or Proxy Server:
POSTROUTING:
Hairpinning: This rule allows internal servers to access each other using private IPs:
Masquerading: This rule translates private addresses to a public IP for outgoing traffic:
SNAT
POSTROUTING:
Masquerading all outgoing traffic: This translates all private IPs from your internal network to a single public IP when leaving the network.
SNAT specific internal subnet: Translate addresses from a specific subnet to a different public IP.
Port-specific SNAT: Translate the source IP only for specific ports (e.g., for outbound gaming traffic).
SNAT with Multiple Public IP Addresses: If your gateway has multiple public IP addresses, you can use SNAT to distribute outgoing traffic across these IPs.
SNAT for Specific Services: Change the source IP for specified service by port.
Change source IP of outgoing packets from the 10.10.10.0/24 network to 192.168.1.1:
Translates the private IPs of internal machines behind the firewall to a specific public IP when they initiate outgoing connections
All internal IPs:
--to-source 203.0.113.5 Specifies the new source IP for outgoing packets.
SNAT with Multiple IPs:
Network Address Translation (NAT) Hairpinning:
Allows internal servers to access resources hosted on other internal servers while using their private IP addresses, even though they share the same public IP.
PREROUTING:
SNAT incoming traffic for specific destination: Change the source IP of incoming traffic destined for a specific server.
MASQUERADE
Masquerading a private network's outgoing traffic to match the public IP of the router, especially when the router's IP is assigned dynamically.
POSTROUTING:
Masquerading all outgoing traffic: This is the most common scenario, translating all private IP addresses from your internal network to the public IP of the firewall.
Masquerading specific internal subnet: You can restrict masquerading to a specific subnet within your internal network.
Masquerading Based on Source IP:
Masquerading Based on Destination:
Port masking:
PREROUTING:
Masquerading incoming traffic for specific destination: This is less common but possible.
It translates the source IP of incoming traffic destined for a specific server on your network to the masquerade IP.
REDIRECT
PREROUTING:
Forwarding external traffic to an internal server: Redirect traffic destined for a specific public port to a different port on an internal server.
Redirect all incoming traffic on port 80 to port 8080 on the local machine. (useful for transparent proxy)
Redirecting DNS Queries to a Local DNS Server
Redirecting traffic to port:
Redirecting Traffic for Multiple Ports:
Creating a Transparent SOCKS Proxy
If you have a SOCKS proxy running on port 1080 and you want to redirect specific outbound traffic to this proxy transparently, you could use the following setup.
Note that additional configuration on the SOCKS proxy might be required to handle the redirected traffic properly:
Load balancing across internal servers: Distribute incoming traffic based on source IP or other criteria by redirecting to different ports on different servers.
POSTROUTING:
Redirect outbound traffic to a local proxy server: This is less common but possible.
Localhost Traffic Redirection:
Redirecting to a Different Service Based on Source IP:
Last updated
Was this helpful?