NAT with Netfilter

Requirements

enable IPv4 forwarding (runtime only, lost at reboot)

echo 1 > /proc/sys/net/ipv4/ip_forward

make it persistent

#echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
#sysctl -p

#rhel7/centos7 -- sysctl -p alone only reads /etc/sysctl.conf, use --system for the sysctl.d drop-ins
#echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/ip_forward.conf
#sysctl --system

With iptables front-end

SNAT a static IP

the -o match is the interface the packets leave through, hence the external (facing) device, not the internal one

iptables -t nat -A POSTROUTING -o EXTERNAL-DEVICE -s INTERNAL/CIDR -j SNAT --to-source FACING-IP

SNAT a changing IP

MASQUERADE uses the current primary address of the outgoing interface (DHCP, PPP) and forgets its tracked connections when that interface goes down; when the address is static, SNAT is the right target

iptables -t nat -A POSTROUTING -o EXTERNAL-DEVICE -s INTERNAL/CIDR -j MASQUERADE

if the filter table blocks it, let the routed traffic through as well. Forwarded packets only traverse the FORWARD chain; INPUT and OUTPUT cover traffic to and from the gateway itself, e.g. the internal network reaching its gateway. A FORWARD policy of ACCEPT is the quick lab fix; a tighter ruleset only accepts new connections coming in from the internal interface plus established/related replies on the way back

#iptables -P FORWARD ACCEPT
#iptables -A INPUT -i ens2 -s 10.8.8.0/24 -j ACCEPT
#iptables -A OUTPUT -o ens2 -d 10.8.8.0/24 -j ACCEPT
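The whole iptables procedure above in one script, as an added example (not from the original page): it emits the nat and filter tables in iptables-save format so iptables-restore can load them atomically, picks SNAT when a static facing address is given and MASQUERADE otherwise, and closes the FORWARD chain to everything but outbound connections from the internal network and their replies. Interface names ens2 (internal) and ens3 (external), the network 10.8.8.0/24 and the facing address 203.0.113.10 are assumed lab values, not taken from a real setup.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumed lab values:
# ens2 internal NIC, ens3 external NIC, 10.8.8.0/24 internal network,
# 203.0.113.10 a constructed static facing address.

INT_IF="${INT_IF:-ens2}"
EXT_IF="${EXT_IF:-ens3}"
INT_NET="${INT_NET:-10.8.8.0/24}"
# Leave FACING_IP empty for a dynamic (DHCP/PPP) address: MASQUERADE is used.
FACING_IP="${FACING_IP:-}"

# Pick the POSTROUTING target: SNAT when the address is static and known,
# MASQUERADE otherwise (it reads the interface address per connection and
# drops its conntrack entries when the interface goes down).
nat_target() {
    if [ -n "$1" ]; then
        printf 'SNAT --to-source %s' "$1"
    else
        printf 'MASQUERADE'
    fi
}

# Emit the nat and filter tables. FORWARD policy is DROP: only the internal
# network may open connections outwards, and only reply traffic comes back in.
nat_ruleset() {
    int_if=$1 ext_if=$2 int_net=$3 facing_ip=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $int_net -o $ext_if -j $(nat_target "$facing_ip")
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $int_if -o $ext_if -s $int_net -j ACCEPT
-A FORWARD -i $ext_if -o $int_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Apply: enable forwarding for this boot, then load both tables atomically.
# iptables-restore replaces the tables named in its input unless --noflush
# is given, so merge with existing rules first on a host that already
# carries a firewall.
nat_apply() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    nat_ruleset "$INT_IF" "$EXT_IF" "$INT_NET" "$FACING_IP" | iptables-restore
}

# ./nat.sh show   prints the ruleset; ./nat.sh apply loads it (needs root)
case "${1:-}" in
    show)  nat_ruleset "$INT_IF" "$EXT_IF" "$INT_NET" "$FACING_IP" ;;
    apply) nat_apply ;;
esac
```

Run it with `show` first and diff against `iptables-save` output before `apply`; because the generated `*filter` section carries its own INPUT/OUTPUT policies, loading it unmodified wipes whatever those chains held.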

With firewalld front-end

tested with RHEL/CentOS 7. Direct passthrough rules bypass firewalld's zone model entirely; the zone-based equivalent of the MASQUERADE rule is firewall-cmd --permanent --zone=external --add-masquerade

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o EXTERNAL_NETIF -j MASQUERADE -s INTERNAL_IP/PREFIX
firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -i INTERNAL_NETIF -j ACCEPT
firewall-cmd --reload

Resources

New iptables Gotchas - SNAT VS MASQUERADE https://terrywang.net/2016/02/02/new-iptables-gotchas.html

Difference between SNAT and Masquerade https://unix.stackexchange.com/questions/21967/difference-between-snat-and-masquerade

