NAT with legacy Netfilter

Requirements (IPv4 forwarding must be enabled on the NAT host)

#sysctl net.ipv4.ip_forward=1
#echo 1 > /proc/sys/net/ipv4/ip_forward

echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
sysctl -p

SNAT

for a static front-facing IP

iptables -t nat -A POSTROUTING -o FACING-NIC -s INTERNAL-CIDR -j SNAT --to-source FACING-IP

for a dynamic front-facing IP

iptables -t nat -A POSTROUTING -o FACING-NIC -s INTERNAL-CIDR -j MASQUERADE

DNAT

iptables -t nat -A PREROUTING -i FACING-NIC -p tcp --dport XX -j DNAT --to-destination INTERNAL-IP:XX

Additional notes

if the host firewall's default policies block the NATed flows, let them through: FORWARD for the routed traffic, INPUT/OUTPUT on the internal interface (here ens2 and 10.8.8.0/24)

#iptables -P FORWARD ACCEPT
#iptables -A INPUT -i ens2 -s 10.8.8.0/24 -j ACCEPT
#iptables -A OUTPUT -o ens2 -d 10.8.8.0/24 -j ACCEPT
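Putting the SNAT/MASQUERADE, DNAT and forwarding pieces above together: the script below is an added example, not part of this page, that renders the complete rule set from the placeholders (plus a restrictive FORWARD chain instead of the ACCEPT policy) so it can be reviewed before being applied. Interface, addresses and port are constructed sample values; DRY_RUN=1 prints the commands, DRY_RUN=0 runs them (as root).

```shell
#!/bin/sh
# Added example (not the page author's script). Renders the NAT rules described
# above for review (DRY_RUN=1, default) or applies them (DRY_RUN=0, needs root).
DRY_RUN=${DRY_RUN:-1}

run() {
    # In dry-run mode print the command instead of executing it
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# nat_rules FACING_NIC INTERNAL_CIDR FACING_IP [PORT INTERNAL_IP]
#   FACING_IP="-" selects MASQUERADE (dynamic address) instead of SNAT.
#   PORT/INTERNAL_IP are optional and add a DNAT (port-forward) rule.
nat_rules() {
    nic=$1; cidr=$2; ip=$3; port=$4; dst=$5
    run sysctl -w net.ipv4.ip_forward=1
    if [ "$ip" = "-" ]; then
        run iptables -t nat -A POSTROUTING -o "$nic" -s "$cidr" -j MASQUERADE
    else
        run iptables -t nat -A POSTROUTING -o "$nic" -s "$cidr" -j SNAT --to-source "$ip"
    fi
    if [ -n "$port" ]; then
        run iptables -t nat -A PREROUTING -i "$nic" -p tcp --dport "$port" \
            -j DNAT --to-destination "$dst:$port"
    fi
    # FORWARD chain: default DROP, then allow only reply traffic, the internal
    # network going out, and new connections to the DNATed service. PREROUTING
    # DNAT has already rewritten the destination when FORWARD is evaluated,
    # so the rule matches on the internal address and port.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$cidr" -o "$nic" -j ACCEPT
    if [ -n "$port" ]; then
        run iptables -A FORWARD -i "$nic" -p tcp -d "$dst" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    fi
}

# Sample usage with constructed values: a static public address 203.0.113.10 on
# eth0, internal network 10.8.8.0/24, TCP 443 forwarded to 10.8.8.20.
if [ $# -ge 3 ]; then nat_rules "$@"; else nat_rules eth0 10.8.8.0/24 203.0.113.10 443 10.8.8.20; fi
```

Run with arguments of your own (`./nat.sh FACING-NIC INTERNAL-CIDR FACING-IP [PORT INTERNAL-IP]`) and diff the printed rules against `iptables -t nat -S` and `iptables -S FORWARD` before switching DRY_RUN off.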

Resources

New iptables Gotchas - SNAT VS MASQUERADE https://terrywang.net/2016/02/02/new-iptables-gotchas.html

Difference between SNAT and Masquerade https://unix.stackexchange.com/questions/21967/difference-between-snat-and-masquerade

DNAT

https://serverfault.com/questions/586486/how-to-do-the-port-forwarding-from-one-ip-to-another-ip-in-same-network

https://serverfault.com/questions/1090892/linux-make-traffic-from-same-host-appear-to-come-from-different-ip-addresses

Copyright © 2024 Pierre-Philipp Braun