CTS 2333 (Unix/Linux Networking) — NAT Description

In Linux, IP masquerading (also known as NAT, SNAT, or PAT) is done by the kernel's firewall (netfilter) modules, configured with iptables.  The original change (rewriting the source address of outgoing packets that must be masqueraded) occurs after the routing decision, while the reverse change (rewriting the destination address of arriving packets addressed to the router's own IP address) occurs before the routing decision.  Consider the following diagram:

[network diagram: host-routerA-Internet-routerB-server]

Without NAT, the request packet from the host will have source, destination addresses of,  When (and if!) the web server sees this packet and replies, it will use destination address of  But router B won't know what to do with that packet!  If it forwards it at all (doubtful, since this is a private IP address), this reply packet will go to the wrong place.

With NAT, Router A will transform the source address to as the packet goes to the Internet.  Router B will have no trouble with the reply to that address.  When Router A receives the server's reply packet from the Internet, it will transform the destination address back to

In the iptables command below remember to specify the interface to the outside world, not the one to your private network!  (In the diagram above, for Router A, eth0 is the interface with IP address of

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# echo 1 > /proc/sys/net/ipv4/ip_forward

# cat /proc/net/ip_conntrack   # list tracked connections (newer kernels: /proc/net/nf_conntrack, or conntrack -L)
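To make the two translation points and the connection-tracking table concrete, here is a small Python model of Router A. It is an added example, not code from the course page or from the Linux kernel; the addresses (192.168.1.x inside, 198.51.100.1 as Router A's outside address, 203.0.113.5 as the web server) are constructed documentation addresses, and the class and method names (Masquerader, postrouting, prerouting) are the example's own. It goes slightly beyond the text in one respect: it also shows the PAT case, where two inside hosts use the same source port toward the same server and the router must pick a different outside port for the second flow, which is exactly what the ip_conntrack listing lets you observe.

```python
"""Toy model of Linux IP masquerading (SNAT/PAT) with a conntrack table.

Added example; not the kernel's code.  Models Router A from the diagram:
  - postrouting(): outgoing packet, after routing, source rewritten to the
    router's outside address (the MASQUERADE rule on the outside interface)
  - prerouting():  arriving packet addressed to the router, before routing,
    destination rewritten back to the inside host using the conntrack entry
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


FlowKey = Tuple[str, str, int, str, int]   # (proto, src_ip, src_port, dst_ip, dst_port)
ReplyKey = Tuple[str, int, str, int]       # (proto, nat_port, remote_ip, remote_port)


class Masquerader:
    def __init__(self, outside_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.outside_ip = outside_ip
        self.port_lo, self.port_hi = port_range
        self.flows: Dict[FlowKey, int] = {}                  # inside flow -> NAT source port
        self.replies: Dict[ReplyKey, Tuple[str, int]] = {}   # reply tuple -> original (ip, port)

    def _pick_port(self, wanted: int, remote: Tuple[str, int], proto: str) -> int:
        # Keep the original source port if no other tracked flow to the same
        # remote endpoint already uses it; otherwise allocate a free one (PAT).
        if (proto, wanted, *remote) not in self.replies:
            return wanted
        for port in range(self.port_lo, self.port_hi + 1):
            if (proto, port, *remote) not in self.replies:
                return port
        raise RuntimeError("no free NAT port for this destination")

    def postrouting(self, pkt: Packet) -> Packet:
        """Outgoing packet, after the routing decision: rewrite the source."""
        key: FlowKey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        nat_port = self.flows.get(key)
        if nat_port is None:
            nat_port = self._pick_port(pkt.src_port, (pkt.dst_ip, pkt.dst_port), pkt.proto)
            self.flows[key] = nat_port
            self.replies[(pkt.proto, nat_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.outside_ip, src_port=nat_port)

    def prerouting(self, pkt: Packet) -> Optional[Packet]:
        """Arriving packet, before the routing decision: undo the rewrite.

        Returns None when the packet is not addressed to the router or matches
        no tracked connection; such packets are not forwarded to any inside host.
        """
        if pkt.dst_ip != self.outside_ip:
            return None
        orig = self.replies.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if orig is None:
            return None
        return replace(pkt, dst_ip=orig[0], dst_port=orig[1])


def demo():
    """Two inside hosts, same source port, same server; then the reply path."""
    nat = Masquerader("198.51.100.1")   # constructed: Router A's outside (eth0) address
    host_a = Packet("tcp", "192.168.1.10", 5000, "203.0.113.5", 80)
    host_b = Packet("tcp", "192.168.1.11", 5000, "203.0.113.5", 80)
    out_a = nat.postrouting(host_a)       # keeps port 5000
    out_b = nat.postrouting(host_b)       # port 5000 taken for this server -> new port
    # Router B and the server only ever see 198.51.100.1 as the source.
    reply_b = Packet("tcp", "203.0.113.5", 80, nat.outside_ip, out_b.src_port)
    back_b = nat.prerouting(reply_b)      # destination restored to 192.168.1.11:5000
    stray = Packet("tcp", "203.0.113.9", 4444, nat.outside_ip, 22)   # no conntrack entry
    return out_a, out_b, back_b, nat.prerouting(stray)


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The stray packet at the end shows the side effect people rely on: with no conntrack entry, the router has nothing to translate the destination to, so the packet is never forwarded inside. That is a consequence of the translation table, not a filtering policy, so it does not replace explicit FORWARD rules.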