CTS 2333 (Unix/Linux Networking) — NAT Description

In Linux IP masquerading (also known as NAT, SNAT, or PAT) is done by the firewall kernel modules (iptables).  The original change (for outgoing packets that must be masqueraded) occurs after the routing decision, while the reverse change (for arriving packets with the routerís destination IP address) occurs before the routing decision.  Consider the following diagram:

[network diagram: host-routerA-Internet-routerB-server]

Without NAT, the request packet from the host will have source, destination addresses of 10.1.1.2, 169.139.223.254.  When (and if!) the web server sees this packet and replies, it will use destination address of 10.1.1.2.  But router B wonít know what to do with that packet!  If it forwards it at all (doubtful since this is a private IP address) this reply packet will go to the wrong place.

With NAT, Router A will transform the source address to 211.3.7.61 as the packet goes to the Internet.  Router B will have no trouble with the reply to that address.  When Router A receives the server's reply packet from the Internet, it will transform the destination address back to 10.1.1.2.

In the iptables command below remember to specify the interface to the outside world, not the one to your private network!  (In the diagram above, for Router A, eth0 is the interface with IP address of 211.3.7.61.)

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# echo 1 > /proc/sys/net/ipv4/ip_forward

# cat /proc/net/ip_conntrack   # list connections