Mastering SNAT and DNAT: How to Translate Network Addresses with iptables
This guide explains the concepts, mechanisms, and primary uses of SNAT and DNAT in network address translation, and provides step‑by‑step iptables commands for implementing source and destination address translation in typical networking scenarios.
SNAT (Source Network Address Translation) and DNAT (Destination Network Address Translation) are two essential techniques in NAT that enable communication between internal and external networks.
SNAT (Source Network Address Translation)
Definition: SNAT replaces the source IP address of packets leaving an internal network with a public IP address, allowing multiple internal devices to share one or more public IPs when accessing external networks.
How It Works: When an internal device sends a packet to the outside, the NAT device (router or firewall) rewrites the packet's source IP to the configured public IP, so external hosts see all traffic as coming from that public address.
Main Uses:
Address Sharing: Enables multiple internal devices to share public IPs, conserving address resources.
Load Balancing: In load‑balancing scenarios, SNAT can replace internal server source IPs with the load balancer's IP to distribute traffic.
Security: Hides internal IP addresses, so internal devices cannot be addressed directly from the outside network.
Simplified Network Configuration: Provides flexibility and simplifies internal network design and address planning.
DNAT (Destination Network Address Translation)
Definition: DNAT replaces the destination IP address of packets arriving from an external network with an internal IP address, allowing external hosts to reach specific internal services via a public IP.
How It Works: When a packet reaches the NAT device, it checks the destination IP and port, then rewrites them to the configured internal IP and port before forwarding the packet to the target internal device.
Main Uses:
Port Mapping: Maps a public IP and port to a private IP and port, enabling remote access and hosting services.
Load Balancing: Distributes incoming traffic to multiple internal servers based on load‑balancing policies.
Security: Hides internal IP addresses and ports, adding a layer of protection.
Scenario Example
Assumptions
Internal network: 192.168.1.0/24
External network: Internet, public IP 1.2.3.4 (provided by ISP)
Internal server IP: 192.168.1.100 (provides a web service)
NAT/Firewall IP: internal 192.168.1.1, external 1.2.3.4
3.1 Add SNAT Rule
<code># Add SNAT rule
# Change source address of packets from 192.168.1.0/24 to 1.2.3.4
# Assume outbound interface is eth0 (replace as needed)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 1.2.3.4</code>
3.2 Add DNAT Rule
<code># Add DNAT rule
# Change destination address of packets destined for 1.2.3.4:80 to 192.168.1.100:80
iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:80</code>
Explanation of the DNAT rule's options:
-t nat : Specifies the NAT table, which handles address translation.
-A PREROUTING : Adds a rule to the PREROUTING chain, processing packets before routing decisions.
-d 1.2.3.4 : Matches packets whose destination IP is 1.2.3.4.
-p tcp : Matches only TCP protocol packets.
--dport 80 : Matches packets destined for port 80.
-j DNAT : Specifies that matching packets should undergo destination NAT.
--to-destination 192.168.1.100:80 : Sets the new destination IP and port for the matched packets.
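The "How It Works" descriptions above and the two rules in 3.1 and 3.2 leave one step implicit: the NAT device keeps per-flow state so that replies are translated back without any extra rule. The following is an added illustration, not code from the original article, that models a NAT box applying the page's SNAT and DNAT rules to packets in both directions; the `Packet`/`NatBox` names, the sequential public-port allocation and the sample peer addresses (198.51.100.10, 203.0.113.7) are constructed for the example.

```python
from dataclasses import dataclass, replace
import ipaddress

# Constructed model of the NAT box in the page's scenario; the addresses are the
# page's own, the port-allocation scheme is a simplification of real conntrack.
PUBLIC_IP = "1.2.3.4"
LAN = ipaddress.ip_network("192.168.1.0/24")
DNAT_RULES = {(PUBLIC_IP, 80): ("192.168.1.100", 80)}   # -d 1.2.3.4 -p tcp --dport 80

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatBox:
    def __init__(self):
        self.snat_state = {}    # (peer_ip, peer_port, public_port) -> (lan_ip, lan_port)
        self.dnat_state = {}    # (lan_ip, lan_port, peer_ip, peer_port) -> (pub_ip, pub_port)
        self.next_port = 40000  # next free public port handed out by SNAT

    def from_lan(self, p):
        """Packet leaving the LAN (POSTROUTING side)."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.dnat_state:              # reply of a DNAT'd flow: restore public source
            pub_ip, pub_port = self.dnat_state[key]
            return replace(p, src=pub_ip, sport=pub_port)
        if ipaddress.ip_address(p.src) not in LAN:
            return p                            # -s 192.168.1.0/24 does not match
        port, self.next_port = self.next_port, self.next_port + 1
        self.snat_state[(p.dst, p.dport, port)] = (p.src, p.sport)
        return replace(p, src=PUBLIC_IP, sport=port)   # -j SNAT --to-source 1.2.3.4

    def from_internet(self, p):
        """Packet arriving on the external interface (PREROUTING side)."""
        key = (p.src, p.sport, p.dport)
        if p.dst == PUBLIC_IP and key in self.snat_state:   # reply of an SNAT'd flow
            lan_ip, lan_port = self.snat_state[key]
            return replace(p, dst=lan_ip, dport=lan_port)
        target = DNAT_RULES.get((p.dst, p.dport))
        if target is None:
            return p                            # no rule, no state: stays addressed to the box
        self.dnat_state[(*target, p.src, p.sport)] = (p.dst, p.dport)
        return replace(p, dst=target[0], dport=target[1])   # -j DNAT --to-destination

if __name__ == "__main__":
    box = NatBox()
    print(box.from_lan(Packet("192.168.1.50", 5555, "198.51.100.10", 53)))
    print(box.from_internet(Packet("203.0.113.7", 51000, PUBLIC_IP, 80)))
```

Running the four translations in sequence (outbound, its reply, inbound to port 80, its reply) shows that only the first packet of each flow consults a rule; the reply is rewritten from the stored state.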
Raymond Ops
Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.