Mastering SNAT and DNAT: How to Configure Source and Destination NAT with iptables
This article explains the concepts, mechanisms, and primary uses of SNAT and DNAT in network address translation, and provides step‑by‑step iptables commands and example scenarios for implementing source and destination NAT in Linux environments.
SNAT (Source Network Address Translation) and DNAT (Destination Network Address Translation) are two key NAT techniques that enable communication between internal and external networks.
1. SNAT (Source NAT)
Definition: SNAT replaces the source IP address of packets leaving an internal network with a public IP address, allowing multiple internal devices to share one or more public IPs.
How it works: When an internal device sends a packet to the external network, a NAT device (router or firewall) rewrites the packet’s source IP to the configured public IP, so external hosts see all traffic as coming from that public IP.
Main uses:
Address sharing: Multiple internal devices share a public IP to access the Internet, conserving public IP resources.
Load balancing: SNAT can replace internal server source IPs with the load balancer’s IP to distribute traffic.
Security: Hides internal IP addresses from external hosts, so internal devices cannot be addressed directly from outside.
Simplified network configuration: Provides flexibility and simplifies internal network design.
2. DNAT (Destination NAT)
Definition: DNAT replaces the destination IP address of packets arriving from the external network with an internal IP address, enabling external devices to reach specific internal services.
How it works: When a packet reaches the NAT device, it checks the destination IP and port, then rewrites them to the configured internal IP and port before forwarding the packet to the target internal device.
Main uses:
Port mapping: Maps a public IP and port to a private IP and port for remote access or web hosting.
Load balancing: Distributes incoming traffic to multiple internal servers based on load‑balancing rules.
Security: Exposes only the mapped public IP and port, keeping the internal server's real address and port hidden.
3. Scenario Example
Assumptions
Internal network: 192.168.1.0/24
External network: Internet with public IP 1.2.3.4
Internal server IP: 192.168.1.100 (provides a web service)
NAT device IP: internal 192.168.1.1, external 1.2.3.4
3.1 Add SNAT rule
To allow outbound traffic from the internal network, replace the source address of packets from 192.168.1.0/24 with the public IP 1.2.3.4.
# Add SNAT rule
# Change source address of packets from 192.168.1.0/24 to 1.2.3.4
# Assume outbound interface is eth0
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 1.2.3.4
3.2 Add DNAT rule
To forward incoming traffic on port 80 of the public IP to the internal server:
# Add DNAT rule
# Change destination address of packets destined for 1.2.3.4:80 to 192.168.1.100:80
iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:80
Explanation of key iptables options:
-t nat: Operate on the NAT table, which handles address translation.
-A PREROUTING: Append a rule to the PREROUTING chain, processing packets before routing decisions.
-d 1.2.3.4: Match packets whose destination IP is 1.2.3.4.
-p tcp: Match only TCP packets.
--dport 80: Match packets destined for port 80.
-j DNAT: Perform destination NAT on matching packets.
--to-destination 192.168.1.100:80: Translate the destination to the internal server IP and port.
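The two rules from 3.1 and 3.2 only rewrite addresses; for the scenario to actually pass traffic the kernel must forward packets and the filter table's FORWARD chain must accept the translated flows. The following script is an added example, not part of the original article: it builds the full rule set for the scenario (NAT rules plus forwarding rules), prints it as a dry run by default, and applies it only when run as root with the argument apply. The interface names eth0 (external) and eth1 (internal) are assumptions.

```shell
#!/bin/sh
# Added example for the SNAT/DNAT scenario above (not the article's own script).
# Values below are the scenario's; WAN_IF/LAN_IF are assumed interface names.
INT_NET="192.168.1.0/24"
PUB_IP="1.2.3.4"
SRV_IP="192.168.1.100"
SRV_PORT="80"
WAN_IF="eth0"   # assumption: interface facing the Internet
LAN_IF="eth1"   # assumption: interface facing 192.168.1.0/24

# Each function prints one iptables argument list; nothing is applied here.
snat_rule() {
  # Masquerade the whole internal network behind the public IP on the way out.
  echo "-t nat -A POSTROUTING -s $INT_NET -o $WAN_IF -j SNAT --to-source $PUB_IP"
}
dnat_rule() {
  # -i $WAN_IF limits the translation to packets that arrive on the external side.
  echo "-t nat -A PREROUTING -i $WAN_IF -d $PUB_IP -p tcp --dport $SRV_PORT -j DNAT --to-destination $SRV_IP:$SRV_PORT"
}
forward_rules() {
  # Translated packets still traverse FORWARD; permit only the intended flows
  # plus replies that conntrack already knows about.
  echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $INT_NET -j ACCEPT"
  echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $SRV_IP -p tcp --dport $SRV_PORT -m conntrack --ctstate NEW -j ACCEPT"
  echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}
all_rules() { snat_rule; dnat_rule; forward_rules; }

# Dry run (default) prints the commands; "apply" enables forwarding and installs them.
main() {
  if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "apply requires root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1
    all_rules | while IFS= read -r args; do
      # shellcheck disable=SC2086  # word splitting of $args is intended here
      iptables $args
    done
  else
    all_rules | sed 's/^/iptables /'
  fi
}

main "$@"
```

After applying, verify the NAT table with iptables -t nat -L -n -v and confirm the DNAT rule's counters increase when a client connects to 1.2.3.4:80.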
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.