Mastering SNAT and DNAT: When and How to Use NAT Rules in Linux
Learn the differences between Source NAT (SNAT) and Destination NAT (DNAT), their definitions, mechanisms, key use cases such as address sharing, load balancing, and security, and follow step‑by‑step iptables examples to configure these NAT rules in a typical network scenario.
SNAT (Source Network Address Translation) and DNAT (Destination Network Address Translation) are key NAT techniques that enable communication between internal and external networks.
1. SNAT (Source NAT)
Definition: SNAT rewrites the source IP address of outbound packets, typically to the gateway's public IP, so that many internal hosts can share one or a few public addresses.
How it works: When an internal host sends a packet, the NAT device (router or firewall) rewrites the source IP, and where necessary the source port, to the configured public address before the packet leaves, so external hosts see only that address. The gateway records the mapping in its connection‑tracking table and uses it to rewrite the destination of the reply back to the original internal host, which is why no reverse rule is needed.
Main uses:
Address sharing: Multiple internal devices share a public IP to access the Internet, conserving IP resources.
Load balancing: A load balancer can SNAT client connections to its own address before handing them to back‑end servers, so that the servers' replies return through the load balancer instead of going straight back to the client, which would otherwise break the translated flow.
Security: Internal addresses are not visible to external hosts, and unsolicited inbound packets have no translation entry, so they are not forwarded. This hides topology rather than enforcing access control; filtering still belongs in the filter table.
Simplified network design: Internal addressing is decoupled from the public side, so the private address plan can be changed or reused without involving external peers.
2. DNAT (Destination NAT)
Definition: DNAT replaces the destination IP address of inbound packets with an internal IP, allowing external users to reach specific internal services via a public IP.
How it works: When a packet arrives at the NAT device, it matches DNAT rules, rewrites the destination IP and port to the internal address, and forwards the packet.
Main uses:
Port mapping: Maps a public IP and port to a private IP and port for remote access or web hosting.
Load balancing: Distributes external traffic to multiple internal servers based on load‑balancing policies.
Security: Only the published address and port are exposed; the real server address stays hidden. The DNAT rule itself does not restrict who may connect, so that is done with filter rules.
3. Example Scenario
Assumptions
Internal network: 192.168.1.0/24
External network: Internet with public IP 1.2.3.4
Internal server IP: 192.168.1.100 (e.g., web service)
NAT device IP: internal 192.168.1.1, external 1.2.3.4
3.1 Add SNAT rule
# Add SNAT rule
# Change source address of packets from 192.168.1.0/24 to 1.2.3.4
# Assume outbound interface eth0
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 1.2.3.4
3.2 Add DNAT rule
# Add DNAT rule
# Change destination of packets destined to 1.2.3.4:80 to 192.168.1.100:80
iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:80
Key iptables options explained:
-t nat: Select the NAT table, where address translation rules live.
-A PREROUTING: Append to the PREROUTING chain, which sees incoming packets before the routing decision, so the rewritten destination is what routing acts on.
-d 1.2.3.4: Match packets whose destination IP is 1.2.3.4.
-p tcp: Match only TCP packets.
--dport 80: Match packets destined for TCP port 80.
-j DNAT: Jump to the DNAT target, which rewrites the destination address and/or port.
--to-destination 192.168.1.100:80: The new destination address and port.
Two things the rules above rely on but do not set: IP forwarding must be enabled on the gateway (net.ipv4.ip_forward=1), and the FORWARD chain of the filter table must accept the translated packets, since nat‑table rules only rewrite addresses and never grant access. Connection tracking records each translation, so replies to the SNATed and DNATed flows are mapped back automatically without extra rules. If the public address is assigned dynamically, the MASQUERADE target can stand in for SNAT --to-source, because it uses whatever address the outbound interface currently has.
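The two rules above are the translation half of a working gateway. The script below is an added example, not code from the original article or from MaGe, that puts the whole scenario together: forwarding enabled, the SNAT and DNAT rules from 3.1 and 3.2, and the FORWARD rules the filter table needs so the translated packets actually pass. Everything not stated on the page is an assumption: the LAN‑side interface name eth1, a DROP policy on FORWARD, a static public address, and the function names. Run with DRY_RUN=1 to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the original article or from MaGe: a complete
# gateway setup for the scenario above (LAN 192.168.1.0/24 behind 1.2.3.4,
# web server 192.168.1.100). Assumed, not stated on the page: the LAN-side
# interface is eth1, FORWARD runs with a DROP policy, and the public address
# is static. Run with DRY_RUN=1 to print the commands instead of applying them.
set -eu

WAN_IF="${WAN_IF:-eth0}"          # outbound interface, as in the article
LAN_IF="${LAN_IF:-eth1}"          # assumed LAN interface name
PUBLIC_IP="${PUBLIC_IP:-1.2.3.4}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_SRV="${WEB_SRV:-192.168.1.100}"

# Run an iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Without forwarding the kernel never routes LAN packets towards the WAN,
# so the NAT rules would not even be consulted.
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

# 3.1: SNAT for LAN traffic leaving through the WAN interface. Matching on
# -o keeps LAN-to-LAN traffic untouched.
add_snat() {
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$PUBLIC_IP"
}

# 3.2: DNAT for inbound HTTP. Adding -i limits the rule to packets that really
# arrive from outside, so LAN clients addressing 1.2.3.4 are not rewritten by
# it (hairpin access would need its own rule and is left out here).
add_dnat() {
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SRV:80"
}

# The nat table only rewrites addresses; the filter table decides what is
# forwarded. With a DROP policy the translated packets are discarded unless
# accepted here. FORWARD runs after PREROUTING, so inbound HTTP is matched on
# the already rewritten destination, i.e. the internal server.
add_forward_rules() {
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SRV" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
}

apply_all() {
    enable_forwarding
    add_snat
    add_dnat
    add_forward_rules
}

# Only act when invoked with "apply"; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Preview with `DRY_RUN=1 sh nat-gateway.sh apply`, then apply as root with `sh nat-gateway.sh apply`; afterwards `iptables -t nat -S` and `iptables -S FORWARD` show both halves of the configuration. The ESTABLISHED,RELATED rule is what lets the replies of both the SNATed and the DNATed flows through, which is the connection‑tracking behaviour described in sections 1 and 2.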
This article has been distilled and summarized from source material, then republished for learning and reference.
MaGe Linux Operations