Skip to main content

NAT routing with iptables

· 7 min read
Moazzem Hossen


iptables is a powerful firewall management tool for Linux-based systems. It allows you to control incoming and outgoing network traffic, making it a vital component for securing and managing your server or network. Here's a quick overview of what you need to know:

Key Concepts

  • Rules: iptables operates using a set of predefined rules. Each rule defines how packets should be handled, including whether to allow, deny, or modify them.

  • Tables: iptables has three main tables: filter, nat, and mangle. Each table is responsible for different types of packet manipulation.

  • Chains: Within each table, there are chains like INPUT, OUTPUT, and FORWARD, which specify when the rules should be applied.

Basic Operations

  • Allow Incoming Traffic: To allow incoming traffic on a specific port (e.g., port 80 for HTTP):

    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  • Block Incoming Traffic: To block incoming traffic on a specific port:

    iptables -A INPUT -p tcp --dport 22 -j DROP
  • Port Forwarding: Redirect incoming traffic on a specific port to an internal IP and port:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination [internal-ip]:[internal-port]

Save and Restore Rules

  • Save Rules: To save your iptables rules so they persist across reboots:

    sudo iptables-save > /etc/iptables/rules.v4
  • Restore Rules: To load saved rules:

    sudo iptables-restore < /etc/iptables/rules.v4

Additional Modules

  • iptables can be extended with additional modules like iptables-persistent for automatic rule loading at boot or iptables-persistent6 for IPv6.

  • You can also use graphical frontends like ufw (Uncomplicated Firewall) or firewalld for easier rule management.

NAT Routing

Understanding Network Address Translation (NAT) is crucial in the realm of networking. It allows the modification of network address information in packet headers while in transit. iptables provides a robust platform for configuring NAT on Linux systems. This guide delves into various NAT operations using iptables, guiding you from basic to advanced configurations.

Understanding NAT Types

  • SNAT (Source NAT): Alters the source address of outbound packets. Ideal for changing the sender's address, especially for traffic leaving your network.
  • DNAT (Destination NAT): Changes the destination address of inbound packets. Used for redirecting incoming traffic to a specific internal host/port.
  • MASQUERADE: A special SNAT type useful for dynamic IP addresses, like those from DHCP.

Setting Up for NAT

Ensure your system is ready for NAT configurations:

  1. Enable IP Forwarding: This allows your Linux system to forward packets between interfaces.

    sudo sysctl -w net.ipv4.ip_forward=1
  2. Activate the New Settings: Make the changes effective immediately.

    sudo sysctl -p

Implementing NAT Rules

Source NAT (SNAT)

Change the source IP of outgoing traffic:

  • Basic SNAT: Modify the source IP for traffic exiting a specific interface.

    sudo iptables -t nat -A POSTROUTING -s [source-ip] -o [out-interface] -j SNAT --to-source [new-source-ip]

Destination NAT (DNAT)

Redirect incoming traffic to a different internal host/port:

  • Port Forwarding: Redirect traffic hitting your public IP on a specific port to an internal IP and port.

    sudo iptables -t nat -A PREROUTING -p tcp --dport [public-port] -j DNAT --to-destination [internal-ip]:[internal-port]


Dynamic IP handling, ideal for home routers or DHCP clients:

  • Internet Connection Sharing: Allow internal network clients to access the Internet through your Linux gateway.

    sudo iptables -t nat -A POSTROUTING -o [out-interface] -j MASQUERADE

Whether it's sharing an internet connection or setting up a secure internal network, iptables NAT functionality is a powerful tool in network configuration.

The MASQUERADE target in iptables is a specialized form of Source NAT (SNAT) designed for situations where your outbound interface has a dynamically assigned IP address, such as those obtained via DHCP. This is commonly used in scenarios like home networks, where your router/gateway receives a dynamic IP from your ISP.

  • Why MASQUERADE? In traditional SNAT, the new source IP is fixed and explicitly specified in the rule. However, if your gateway's external IP address is dynamically assigned and can change (like in residential broadband connections), setting up a standard SNAT rule with a fixed IP is impractical. MASQUERADE automatically handles this by using the current IP of the outgoing interface as the source IP for NAT.

  • How it works: When MASQUERADE is applied, it dynamically alters the source IP of outbound packets to match the IP of the interface they're leaving from. If that interface's IP changes over time (as is the case with dynamic IPs), MASQUERADE adapts and uses the new IP automatically, without needing any rule updates.

  • Common Use Case - Internet Sharing: A typical use case for MASQUERADE is in a Linux-based home router or gateway, where the internal network needs to access the internet, but the external IP of the router is not static. By applying MASQUERADE to the outbound traffic, all internal clients can seamlessly access external networks through the gateway, regardless of changes in the gateway's external IP.

  • MASQUERADE Example: To enable MASQUERADE for outbound traffic on a dynamically assigned external interface (e.g., eth0):

    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This rule tells the system: "For all outbound packets on eth0, change their source IP to match eth0's current IP." It's an essential tool for managing NAT in dynamic IP environments and is widely used in both home and small business networks.

In iptables, the terms POSTROUTING and PREROUTING refer to specific chains within the NAT (Network Address Translation) table. These chains are crucial for manipulating packets as they enter and leave the network system, especially in routing and forwarding scenarios. Here's a brief explanation of these and other similar chains:

  • PREROUTING: This chain is used for altering incoming packets before they are routed. It's often used for redirecting incoming traffic to different destinations within your local network through DNAT (Destination Network Address Translation).

  • POSTROUTING: This chain is used for modifying packets after they have been routed. It's commonly used for masquerading (a form of source NAT), where the source IP addresses are changed to the firewall's IP address as they leave the network.

In addition to these, there are other chains in the NAT table and other tables of iptables. While PREROUTING and POSTROUTING are specific to the NAT table, there are equivalent chains in other tables for different purposes:

  • INPUT: Found in the filter table, it's used to control the behavior of incoming packets destined for the local system.

  • OUTPUT: Also in the filter table, this chain is for packets generated by the local system and going out.

  • FORWARD: Part of the filter table, it's used for packets that are routed through the local system, useful in scenarios where your system is acting as a router.

  • MANGLE: This is a table in itself and is used for specialized packet alteration. It has chains like PREROUTING, OUTPUT, etc., similar to the NAT table but for different packet manipulation purposes.

Understanding these chains and tables is essential for effective network management and security using iptables. Each serves a unique role in how packets are processed and routed through your system.