11.4 About Network Address Translation

Network Address Translation (NAT) assigns a public address to a computer or a group of computers inside a private network with a different address scheme. The public IP address masquerades all requests as going to one server rather than several servers. NAT is useful for limiting the number of public IP addresses that an organization must finance, and for providing extra security by hiding the details of internal networks.

The netfilter kernel subsystem provides the nat table to implement NAT in addition to its tables for packet filtering. The kernel consults the nat table whenever it handles a packet that creates a new incoming or outgoing connection.


If you want a system to be able to route packets between two of its network interfaces, you must turn on IP forwarding:

# echo 1 > /proc/sys/net/ipv4/ip_forward

The NAT table includes the following built-in rule chains:

PREROUTING
    Handles packets arriving from external networks.

OUTPUT
    Handles packets generated on the host system before sending them externally.

POSTROUTING
    Handles packets arriving from local systems before sending them externally.

The NAT table has the following targets that can be used with the rule chains:

DNAT
    Alters the destination IP address and port of an incoming packet to route it to a different host.

SNAT
    Alters the source IP address and port on an outgoing packet so that it appears to come from a different host.

MASQUERADE
    Masks the private IP address of a node with the external IP address of the firewall or gateway router.

The following example specifies that NAT should use the PREROUTING chain to forward incoming HTTP requests on the eth0 interface to port 8080 of the dedicated HTTP server. The rule changes the destination address and port of the packet (replace <http-server-address> with the address of that server):

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
  -j DNAT --to-destination <http-server-address>:8080

The following example allows nodes on the LAN with private IP addresses to communicate with external public networks:

# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

This rule makes requests from internal systems appear to originate from the IP address of the firewall’s external interface (eth1).
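The two rules above only rewrite addresses; the filter table's FORWARD chain still decides whether the rewritten packets may pass. The following script is an added example (not part of the Oracle Linux guide) that combines IP forwarding, the DNAT and MASQUERADE rules, and a default-deny FORWARD policy that admits only the forwarded HTTP flow and LAN-originated traffic. The interface names, the server address (192.0.2.10, a documentation address) and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. Set DRY_RUN=1 to print the
# commands instead of executing them (no root needed); run with "apply" to
# configure the gateway for real.
EXT_IF="${EXT_IF:-eth0}"                   # public-facing interface (assumed)
INT_IF="${INT_IF:-eth1}"                   # LAN-facing interface (assumed)
HTTP_SERVER="${HTTP_SERVER:-192.0.2.10}"   # constructed RFC 5737 address
HTTP_PORT="${HTTP_PORT:-8080}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Enable forwarding for the running kernel. This does not survive a reboot;
# persist it with net.ipv4.ip_forward = 1 in /etc/sysctl.conf.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# nat table: DNAT inbound HTTP to the internal server, MASQUERADE LAN egress.
nat_rules() {
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$HTTP_SERVER:$HTTP_PORT"
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# filter table: without these, a DROP policy on FORWARD silently discards the
# DNAT'd packets. Allow replies, the forwarded HTTP flow, and LAN-originated
# connections; everything else from outside is dropped.
filter_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$HTTP_SERVER" \
        --dport "$HTTP_PORT" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -j ACCEPT
}

case "${1:-}" in
    apply) enable_forwarding; nat_rules; filter_rules ;;
esac
```

Running the script with DRY_RUN=1 and the apply argument prints the full rule set for review before any change is made.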

You can also use the Firewall Configuration GUI (system-config-firewall) to configure simple masquerading and port forwarding.

For more information, see the iptables(8) manual page.