Master iptables NAT: Port Forwarding Between Internal Devices and External Networks
This guide explains how to configure Linux iptables NAT to forward traffic from an external network to multiple internal devices, covering the underlying PREROUTING/DNAT and POSTROUTING/SNAT mechanisms, step‑by‑step command examples, testing procedures, and best‑practice tips.
Background
In many LAN environments a single gateway server connects internal devices (web, FTP, SSH, Telnet, etc.) to the external network. To allow external hosts to reach those services, the gateway must forward traffic to the appropriate internal IP and port.
The article uses a topology where the gateway has two NICs (eth0 for the external side, eth1 for the internal side) and demonstrates how to expose services on devices behind the gateway via distinct external ports (e.g., 8081 → device 1 web, 2321 → device 1 telnet).
Principle
Linux iptables provides NAT tables that can modify packet addresses. The NAT table contains three built‑in chains:
PREROUTING : applies DNAT (destination NAT) to incoming packets before routing.
POSTROUTING : applies SNAT (source NAT) to packets leaving the host after routing.
OUTPUT : handles locally generated packets.
A packet typically passes through PREROUTING (DNAT), the routing decision, then POSTROUTING (SNAT). The article includes diagrams of the NAT flow and the full netfilter architecture.
Implementation
By default Linux does not forward packets between interfaces. Enable forwarding for the current boot with:

echo "1" > /proc/sys/net/ipv4/ip_forward

To make the change persistent, add net.ipv4.ip_forward=1 to /etc/sysctl.conf (then run sysctl -p to apply it without rebooting) or place the echo command in a startup script.
Example iptables rules for two devices (IP 100.100.100.101 and 100.100.100.102) behind a gateway whose external address is 172.18.44.44 and whose internal address is 100.100.100.44:

# Device 1 telnet service
iptables -t nat -A PREROUTING -i eth0 -d 172.18.44.44 -p tcp --dport 2321 -j DNAT --to 100.100.100.101:23
iptables -t nat -A POSTROUTING -o eth1 -d 100.100.100.101 -p tcp --dport 23 -j SNAT --to 100.100.100.44
# Device 2 telnet service
iptables -t nat -A PREROUTING -i eth0 -d 172.18.44.44 -p tcp --dport 2322 -j DNAT --to 100.100.100.102:23
iptables -t nat -A POSTROUTING -o eth1 -d 100.100.100.102 -p tcp --dport 23 -j SNAT --to 100.100.100.44
# Device 1 web service
iptables -t nat -A PREROUTING -i eth0 -d 172.18.44.44 -p tcp --dport 8081 -j DNAT --to 100.100.100.101:80
iptables -t nat -A POSTROUTING -o eth1 -d 100.100.100.101 -p tcp --dport 80 -j SNAT --to 100.100.100.44
# Device 2 web service
iptables -t nat -A PREROUTING -i eth0 -d 172.18.44.44 -p tcp --dport 8082 -j DNAT --to 100.100.100.102:80
iptables -t nat -A POSTROUTING -o eth1 -d 100.100.100.102 -p tcp --dport 80 -j SNAT --to 100.100.100.44

The first rule in each pair performs DNAT on the packet arriving on eth0, changing its destination from 172.18.44.44:<external port> to the target device's address and service port. The second rule performs SNAT, replacing the external client's source address with the gateway's internal address (100.100.100.44) so that the device sends its reply to the gateway, where connection tracking undoes both translations before the packet leaves eth0 again. Two caveats are worth noting. Rules in a chain are matched in order, so each external port must appear in exactly one PREROUTING rule, or the later rule never fires. And the SNAT step is only required when the internal device would not otherwise route its replies through this gateway (for example because it has a different default route); its cost is that the device sees every connection as coming from 100.100.100.44, so its own logs and any per-client access control on it lose the real client address. Telnet (port 23) also carries credentials in cleartext, so publishing it on the external side deserves a second look.
A simplified rule set keeps one DNAT entry per published service and replaces the per-device SNAT entries with a single SNAT rule for the whole internal subnet:

# Telnet and web DNAT
iptables -t nat -A PREROUTING -i eth0 -d 172.18.44.44 -p tcp --dport 2321 -j DNAT --to 100.100.100.101:23
iptables -t nat -A PREROUTING -i eth0 -d 172.18.44.44 -p tcp --dport 8081 -j DNAT --to 100.100.100.101:80
iptables -t nat -A PREROUTING -i eth0 -d 172.18.44.44 -p tcp --dport 2322 -j DNAT --to 100.100.100.102:23
iptables -t nat -A PREROUTING -i eth0 -d 172.18.44.44 -p tcp --dport 8082 -j DNAT --to 100.100.100.102:80
# Subnet SNAT
iptables -t nat -A POSTROUTING -o eth1 -d 100.100.100.0/24 -j SNAT --to 100.100.100.44

Testing
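The rule sets above are easy to get subtly wrong when the mapping list grows (a duplicated external port, a forgotten SNAT entry, or a FORWARD chain whose policy is DROP, which silently breaks every mapping because the nat table only rewrites addresses and does not permit the forwarded flow). The following script is an added example, not code from the original article: it generates the same DNAT/SNAT rules from a mapping table, adds the filter-table FORWARD rules the article leaves out, and only prints the iptables commands so they can be reviewed before being piped to a root shell. Interface names and addresses are the article's; the MAPPINGS table, the helper names, and the default-deny FORWARD policy are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original article): generate DNAT/SNAT/FORWARD
# rules from a mapping table. Prints the commands instead of running them;
# review the output, then run it as root on the gateway:  sh gen_nat.sh | sh

WAN_IF="eth0"                  # external side
LAN_IF="eth1"                  # internal side
WAN_IP="172.18.44.44"          # address external clients connect to
LAN_GW_IP="100.100.100.44"     # gateway's internal address, used as SNAT source
LAN_NET="100.100.100.0/24"

# Assumed mapping table: <external port> <internal ip> <internal port> <protocol>
MAPPINGS="2321 100.100.100.101 23 tcp
8081 100.100.100.101 80 tcp
2322 100.100.100.102 23 tcp
8082 100.100.100.102 80 tcp"

# Fail if an external port is listed twice: PREROUTING stops at the first
# match, so the second DNAT rule would never fire and nobody would notice.
check_mappings() {
    dups="$(printf '%s\n' "$MAPPINGS" | awk '{print $1}' | sort | uniq -d)"
    [ -z "$dups" ]
}

# emit <table> <rule>: print "check, else append" so that re-running the
# output does not create duplicate rules (-C is non-zero when the rule is absent).
emit() {
    echo "iptables $1 -C $2 2>/dev/null || iptables $1 -A $2"
}

gen_rules() {
    check_mappings || { echo "duplicate external port in MAPPINGS" >&2; return 1; }
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Default-deny forwarding, then allow replies once, LAN-initiated outbound
    # traffic, and finally only the published services (not every port on the
    # internal devices).
    echo "iptables -P FORWARD DROP"
    emit "-t filter" "FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    emit "-t filter" "FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    printf '%s\n' "$MAPPINGS" | while read -r ext ip port proto; do
        [ -n "$ext" ] || continue
        emit "-t nat" "PREROUTING -i $WAN_IF -d $WAN_IP -p $proto --dport $ext -j DNAT --to-destination $ip:$port"
        emit "-t filter" "FORWARD -i $WAN_IF -o $LAN_IF -d $ip -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # One SNAT rule for the whole subnet, as in the article's simplified set.
    emit "-t nat" "POSTROUTING -o $LAN_IF -d $LAN_NET -j SNAT --to-source $LAN_GW_IP"
}

# Sanity-check helpers on the generated set.
count_dnat_rules()      { gen_rules | grep -c -- '-j DNAT'; }
count_forward_accepts() { gen_rules | grep -c -- 'FORWARD .*-j ACCEPT'; }
```

The per-service FORWARD rule is deliberately narrower than a blanket "accept everything from eth0 to eth1": a DNAT rule alone does not grant access, and accepting only the DNATed destination and port keeps an external host from reaching other services on the internal devices should a rule be added by mistake later.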
On the gateway, the routing table shows the two interfaces with their distinct subnets:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
100.100.100.0   *               255.255.255.0   U     0      0        0 eth1
172.18.0.0      *               255.255.0.0     U     0      0        0 eth0

After the rules are applied, iptables -t nat -L -n lists one PREROUTING entry per published service and, with the first rule set, one POSTROUTING entry per service (with the simplified set, a single POSTROUTING entry for the whole subnet).
Packet captures on the internal device show the forwarded packets arriving with both source and destination rewritten to 100.100.100.0/24 addresses (source 100.100.100.44, destination the device itself), while captures on the gateway's external interface still show the original client address and 172.18.44.44 as destination, demonstrating that DNAT and SNAT are both in effect.
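Reading iptables -L output by eye works for four rules but not for forty. The script below is an added example, not part of the original article: it verifies the installed nat table against the intended mappings by parsing the output of iptables-save -t nat, whose one-rule-per-line format is stable across versions. NAT_TABLE is a constructed sample in that format, deliberately missing the 8082 mapping so the check has something to report; on a real gateway it would be replaced by the live output as shown in the comment. The function names and the expected mapping list are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original article): check the nat table that is
# actually installed against the mappings we intended to publish.
# Constructed sample; on a real gateway use:  NAT_TABLE="$(iptables-save -t nat)"
NAT_TABLE='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 172.18.44.44/32 -i eth0 -p tcp -m tcp --dport 2321 -j DNAT --to-destination 100.100.100.101:23
-A PREROUTING -d 172.18.44.44/32 -i eth0 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 100.100.100.101:80
-A PREROUTING -d 172.18.44.44/32 -i eth0 -p tcp -m tcp --dport 2322 -j DNAT --to-destination 100.100.100.102:23
-A POSTROUTING -d 100.100.100.0/24 -o eth1 -j SNAT --to-source 100.100.100.44
COMMIT'

# dnat_target <external port>: print the ip:port that the first matching
# PREROUTING DNAT rule sends the port to, or nothing when no rule exists.
dnat_target() {
    printf '%s\n' "$NAT_TABLE" | awk -v want="$1" '
        $1 == "-A" && $2 == "PREROUTING" {
            dport = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "--to-destination") target = $(i + 1)
            }
            if (dport == want && target != "") { print target; exit }
        }'
}

# snat_ok <subnet> <source ip>: 0 when POSTROUTING rewrites the subnet's
# source to the gateway address, so replies come back through the gateway.
snat_ok() {
    printf '%s\n' "$NAT_TABLE" | grep -q -- "^-A POSTROUTING -d $1 -o eth1 -j SNAT --to-source $2\$"
}

# check_mapping <external port> <expected ip:port>: 0 on match, 1 otherwise.
check_mapping() {
    got="$(dnat_target "$1")"
    if [ "$got" = "$2" ]; then
        return 0
    fi
    echo "port $1: expected $2, found ${got:-no DNAT rule}" >&2
    return 1
}

# verify_all: check every intended mapping and print the number of failures.
verify_all() {
    fails=0
    check_mapping 2321 100.100.100.101:23 || fails=$((fails + 1))
    check_mapping 8081 100.100.100.101:80 || fails=$((fails + 1))
    check_mapping 2322 100.100.100.102:23 || fails=$((fails + 1))
    check_mapping 8082 100.100.100.102:80 || fails=$((fails + 1))
    snat_ok 100.100.100.0/24 100.100.100.44 || fails=$((fails + 1))
    echo "$fails"
}
```

For the on-the-wire confirmation the article describes, tcpdump on the gateway's external interface (tcpdump -ni eth0 tcp port 2321) shows the original client address and 172.18.44.44, while the same capture on the internal device (tcpdump -ni <its interface> tcp port 23) shows 100.100.100.44 as the source and the device's own address as the destination.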
Other Notes
Run iptables commands as root (or via sudo); otherwise they fail with a permission error.
Rules added with iptables do not survive a reboot. Persist them with iptables-save > /etc/iptables.up.rules and restore them at boot via a script placed in /etc/network/if-pre-up.d/iptables that runs iptables-restore < /etc/iptables.up.rules (make the script executable).
Liangxu Linux
Liangxu, a self-taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge: fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.