
Understanding SNAT and DNAT: Definitions, How They Work, and Practical iptables Examples

This article explains the concepts of Source NAT (SNAT) and Destination NAT (DNAT), their mechanisms, primary use cases such as address sharing, load balancing, and security, and provides step‑by‑step iptables commands for implementing these rules in typical network scenarios.

Liangxu Linux

SNAT (Source Network Address Translation)

SNAT replaces the source IP address of outbound packets from an internal network with a public IP address, enabling multiple internal devices to share one or more public IPs for Internet access.

How SNAT Works

When an internal device sends a packet to the external network, a NAT device (router or firewall) intercepts the packet and substitutes its source IP with the configured public IP, so external recipients see traffic coming from a single public address.

Key SNAT Use Cases

Address Sharing: Multiple internal hosts use a single public IP, conserving public address space.

Load Balancing: Replace internal server source IPs with the load balancer's IP so that return traffic flows back through the balancer.

Security: Hide internal IP addresses from external observers.

Simplified Network Design: Provides flexibility in address planning and reduces configuration complexity.

DNAT (Destination Network Address Translation)

DNAT changes the destination IP address of inbound packets from the external network to an internal IP, allowing external users to reach specific internal services via a public IP.

How DNAT Works

When a packet arrives at the NAT device, it checks the destination IP and port, then rewrites them to the configured internal IP and port before forwarding the packet to the target host.

Key DNAT Use Cases

Port Mapping: Map a public IP and port (e.g., 1.2.3.4:80) to an internal server's IP and port for remote access or web hosting.

Load Balancing: Distribute incoming traffic across multiple internal servers based on load-balancing policies.

Security: Conceal internal IP addresses and ports, enhancing network security.

Practical Scenario Example

Assume an internal network 192.168.1.0/24, an internal server 192.168.1.100 offering a web service, and a NAT device whose internal address is 192.168.1.1 and whose external (public) address is 1.2.3.4.

Adding an SNAT Rule

# Add SNAT rule
# Change source address of packets from 192.168.1.0/24 to 1.2.3.4
# Assume outbound interface is eth0
# (If the external address is assigned dynamically, use -j MASQUERADE instead of
#  -j SNAT --to-source so the current interface address is picked up automatically.)
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 1.2.3.4

Adding a DNAT Rule

# Add DNAT rule
# Redirect traffic destined for 1.2.3.4:80 to internal server 192.168.1.100:80
# (The NAT device must also have IP forwarding enabled (net.ipv4.ip_forward=1)
#  and its FORWARD chain must accept the translated packets, otherwise the
#  rewritten packet is never delivered to 192.168.1.100.)
iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:80

These iptables commands illustrate how to configure SNAT for outbound traffic and DNAT for inbound traffic, enabling proper communication between internal and external networks.
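As an added illustration (not the article's own code), the following Python model shows what the two iptables rules leave implicit: the NAT device is stateful, so it must remember each translation and reverse it for reply packets, and under SNAT each internal flow is given its own public port so that replies can be told apart. The addresses are the article's; the public port pool starting at 40000 and the external hosts are assumed.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatDevice:
    def __init__(self, public_ip, internal_net, dnat_map, port_base=40000):
        self.public_ip = public_ip
        self.internal_net = ip_network(internal_net)
        self.dnat_map = dnat_map          # (public_ip, port) -> (internal_ip, port), the DNAT rule
        self.next_port = port_base        # assumed start of the SNAT public port pool
        self.snat_ports = {}              # (internal_ip, port) -> allocated public port
        self.snat_conns = {}              # expected reply tuple -> (internal_ip, port)
        self.dnat_conns = {}              # expected reply tuple -> (public_ip, port)

    def outbound(self, pkt):              # packet leaving towards the Internet (POSTROUTING)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.dnat_conns:        # server reply of a DNAT'd connection: undo the DNAT
            pub_ip, pub_port = self.dnat_conns[key]
            return replace(pkt, src_ip=pub_ip, src_port=pub_port)
        if ip_address(pkt.src_ip) in self.internal_net:   # matches -s 192.168.1.0/24
            flow = (pkt.src_ip, pkt.src_port)
            if flow not in self.snat_ports:                 # one public port per internal flow
                self.snat_ports[flow] = self.next_port
                self.next_port += 1
            pub_port = self.snat_ports[flow]
            self.snat_conns[(pkt.dst_ip, pkt.dst_port, self.public_ip, pub_port)] = flow
            return replace(pkt, src_ip=self.public_ip, src_port=pub_port)
        return pkt

    def inbound(self, pkt):               # packet arriving from the Internet (PREROUTING)
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.snat_conns:        # reply to an SNAT'd connection: undo the SNAT
            int_ip, int_port = self.snat_conns[key]
            return replace(pkt, dst_ip=int_ip, dst_port=int_port)
        if (pkt.dst_ip, pkt.dst_port) in self.dnat_map:    # matches -d 1.2.3.4 --dport 80
            int_ip, int_port = self.dnat_map[(pkt.dst_ip, pkt.dst_port)]
            self.dnat_conns[(int_ip, int_port, pkt.src_ip, pkt.src_port)] = (pkt.dst_ip, pkt.dst_port)
            return replace(pkt, dst_ip=int_ip, dst_port=int_port)
        return None                       # no rule and no existing state: not forwarded
```

A packet for an unmapped public port with no matching state is returned as None, which is the behaviour the "Security" use cases above rely on; on a real box that still depends on the FORWARD chain not accepting it.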

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Networking, NAT, SNAT, iptables, address translation, DNAT

Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
