NAT
Used to modify the source or destination address of packets as they pass through.
Chains
PREROUTING
Engaged for incoming packets before any routing decision is made, suitable for DNAT.
POSTROUTING
Activated for outgoing packets after all routing decisions have been made, ideal for SNAT and masquerading.
OUTPUT
Applied to locally generated packets before they are sent out, allowing for DNAT on outgoing traffic.
Actions
DNAT
Modifies the destination address (and optionally the port) of incoming packets.
Primarily used with PREROUTING and OUPUT to redirect to IP or Post
Uses: Portforwarding, load balancing, or directing traffic to internal servers that are hidden behind a firewall or NAT device.
SNAT
Changes the source address (and optionally the port) of outgoing packets.
Used in POSTROUTING to alter the packet's source address for outgoing packets.
Crucial for scenarios where multiple private IP addresses need to be masqueraded as a single public IP address.
MASQUERADE
Special form of SNAT for dynamically assigned IPs, such as those found with DHCP.
Automatically uses the current IP of the outgoing network interface, eliminating the need to specify a specific IP address.
Useful for connections with dynamic external IPs.
REDIRECT
Alters the destination port or address to the local machine.
Typically used in the PREROUTING and OUTPUT for transparent proxying, where the packet's destination is modified to redirect the traffic to a local service without changing the packet's destination IP.
RETURN
Stops processing in the current chain and returns to the previous chain from which the packet came.
Not specific to NAT operations.
Can be used within user-defined chains in the "nat" table to halt processing and allow the packet to be evaluated against the subsequent rules in the original chain.
Examples by Chain
PREROUTING
Port forwarding to a Local Server:
Redirects traffic destined for a specific port on the public interface to a different port on a private server behind the firewall.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:8080
Masquerading:
Translates the private addresses of internal machines behind the firewall to the public IP of the firewall for outgoing traffic.
iptables -t nat -A PREROUTING -o eth0 -j MASQUERADE
Load balancing:
Distributes traffic across multiple internal servers by redirecting requests to different ports based on a specific criteria.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m iprange --src-range 192.168.1.0/24 -j DNAT --to-destination 192.168.1.10:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m iprange --src-range 192.168.1.128/24 -j DNAT --to-destination 192.168.1.20:80
Redirecting All Incoming Traffic to a Specific Port
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80
Transparent Proxy:
If you're running a proxy server on your network (e.g., Squid running on port 3128), you can redirect all outgoing HTTP traffic to go through the proxy without configuring each client.
This example assumes the proxy server is on the same machine where iptables is being configured.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
POSTROUTING
Masquerading Outgoing Traffic:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Masquerading Based on Source IP:
iptables -t nat -A POSTROUTING -s 10.10.1.0/24 -o eth0 -j MASQUERADE
Masquerading Based on Destination:
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.2.0/24 -j MASQUERADE
SNAT Translates the private IPs of internal machines behind the firewall to a specific public IP when they initiate outgoing connections
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 10.0.0.1
All internal IPs:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.0.0.1
--to-source 10.0.0.1
Specifies the new source IP address for outgoing packets.
SNAT with Multiple IPs:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.5-203.0.113.10
Port masking:
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j MASQUERADE
Network Address Translation (NAT) Hairpinning:
Allows internal servers to access resources hosted on other internal servers while using their private IP addresses, even though they share the same public IP.
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.1.0/24 -j SNAT --to-source 10.0.0.1
Outbound traffic filtering:
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.2.0/24 -p tcp --dport 25 -j DROP
OUTPUT
While the OUTPUT chain in the iptables NAT table exists, it is generally not recommended to use it for NAT operations.
Limited Functionality:
Compared to PREROUTING and POSTROUTING, OUTPUT has limited NAT capabilities.
It can only perform Destination NAT (DNAT), modifying the destination address of outgoing packets.
It cannot manipulate source addresses or perform other NAT operations like masquerading.
Redundancy:
The functionalities achievable with OUTPUT chain DNAT can often be achieved more efficiently and transparently through other chains:
For local server DNAT: Use PREROUTING chain DNAT, as it directly affects incoming packets heading to your server.
For masquerading: Use POSTROUTING chain SNAT, which automatically translates private addresses for all outgoing traffic.
Potential Risks: Modifying outbound packets within the OUTPUT chain can sometimes create unexpected behavior or interfere with applications.
However, for educational purposes, here's an example of using OUTPUT chain DNAT:
iptables -t nat -A OUTPUT -p tcp --dport 80 -d google.com -j DNAT --to-destination 192.168.1.10:80
Examples by Action
DNAT
PREROUTING:
Port forwarding: Redirects traffic destined for a public port to a different port on a private server:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:8080
Port forwarding: Redirecting all incoming HTTP traffic to a different server.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:8080
Load balancing: This rule distributes traffic across multiple internal servers based on source IP range:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m iprange --src-range 192.168.1.0/24 -j DNAT --to-destination 192.168.1.10:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m iprange --src-range 192.168.1.128/24 -j DNAT --to-destination 192.168.1.20:80
Transparent proxy: This rule redirects all traffic to a transparent proxy server:
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 192.168.1.25:8080
Forwarding Traffic to a VPN or Proxy Server:
iptables -t nat -A PREROUTING -d 203.0.113.5 -j DNAT --to-destination 10.8.0.1
POSTROUTING:
Hairpinning: This rule allows internal servers to access each other using private IPs:
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.1.0/24 -j DNAT --to-source 10.0.0.1
Masquerading: This rule translates private addresses to a public IP for outgoing traffic:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-s
SNAT
POSTROUTING:
Masquerading all outgoing traffic: This translates all private IPs from your internal network to a single public IP when leaving the network.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.0.0.1
SNAT specific internal subnet: Translate addresses from a specific subnet to a different public IP.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -j SNAT --to-source 10.0.0.2
Port-specific SNAT: Translate the source IP only for specific ports (e.g., for outbound gaming traffic).
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 27015 -j SNAT --to-source 10.0.0.3
SNAT with Multiple Public IP Addresses: If your gateway has multiple public IP addresses, you can use SNAT to distribute outgoing traffic across these IPs.
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.3-203.0.113.4
SNAT for Specific Services: Change the source IP for specified service by port.
iptables -t nat -A POSTROUTING -p tcp --dport 80 -o eth0 -j SNAT --to-source 203.0.113.5
Change source IP of outgoing packets from the 10.10.10.0/24 network to 192.168.1.1:
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j SNAT --to-source 192.168.1.1
Translates the private IPs of internal machines behind the firewall to a specific public IP when they initiate outgoing connections
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j SNAT --to-source 10.0.0.1
All internal IPs:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.5
--to-source 203.0.113.5
Specifies the new source IP for outgoing packets.
SNAT with Multiple IPs:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.5-203.0.113.10
Network Address Translation (NAT) Hairpinning:
Allows internal servers to access resources hosted on other internal servers while using their private IP addresses, even though they share the same public IP.
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.1.0/24 -j SNAT --to-source 10.0.0.1
PREROUTING:
SNAT incoming traffic for specific destination: Change the source IP of incoming traffic destined for a specific server.
iptables -t nat -A PREROUTING -i eth0 -d 192.168.1.20 -j SNAT --to-source 10.0.0.4
MASQUERADE
Masquerading a private network's outgoing traffic to match the public IP of the router, especially when the router's IP is assigned dynamically.
POSTROUTING:
Masquerading all outgoing traffic: This is the most common scenario, translating all private IP addresses from your internal network to the public IP of the firewall.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Masquerading specific internal subnet: You can restrict masquerading to a specific subnet within your internal network.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -j MASQUERADE
Masquerading Based on Source IP:
iptables -t nat -A POSTROUTING -s 10.10.1.0/24 -o eth0 -j MASQUERADE
Masquerading Based on Destination:
iptables -t nat -A POSTROUTING -o eth0 -d 192.168.2.0/24 -j MASQUERADE
Port masking:
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j MASQUERADE
PREROUTING:
Masquerading incoming traffic for specific destination: This is less common but possible.
It translates the source IP of incoming traffic destined for a specific server on your network to the masquerade IP.
iptables -t nat -A PREROUTING -i eth0 -d 192.168.1.20 -j MASQUERADE
REDIRECT
PREROUTING:
Forwarding external traffic to an internal server: Redirect traffic destined for a specific public port to a different port on an internal server.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-destination 192.168.1.10:8080
Redirect all incoming traffic on port 80 to port 8080 on the local machine. (useful for transparent proxy)
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
Redirecting DNS Queries to a Local DNS Server
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-port 5353
Redirecting traffic to port:
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
Redirecting Traffic for Multiple Ports:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 9999
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 9999
Creating a Transparent SOCKS Proxy
If you have a SOCKS proxy running on port 1080 and you want to redirect specific outbound traffic to this proxy transparently, you could use the following setup.
Note that additional configuration on the SOCKS proxy might be required to handle the redirected traffic properly:
iptables -t nat -A PREROUTING -p tcp -d 192.168.100.0/24 -j REDIRECT --to-port 1080
Load balancing across internal servers: Distribute incoming traffic based on source IP or other criteria by redirecting to different ports on different servers.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m iprange --src-range 192.168.1.0/24 -j REDIRECT --to-destination 192.168.1.10:8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m iprange --src-range 192.168.1.128/24 -j REDIRECT --to-destination 192.168.1.20:8080
POSTROUTING:
Redirect outbound traffic to a local proxy server: This is less common but possible.
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 80 -j REDIRECT --to-destination 192.168.1.25:8080
Localhost Traffic Redirection:
iptables -t nat -A OUTPUT -p tcp --dport 80 -o lo -j REDIRECT --to-port 8080
Redirecting to a Different Service Based on Source IP:
iptables -t nat -A PREROUTING -s 192.168.1.100 -p tcp --dport 80 -j REDIRECT --to-port 8080
Last updated
Was this helpful?