Linux iptables static NAT
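#!/usr/bin/env bash
# Static (1:1) and many:1 NAT gateway rules for iptables.
#
# Interfaces (overridable via WAN_IF / LAN_IF):
#   eth0 -- internet interface
#   eth1 -- private interface
#
# Required environment. The script refuses to start if any is unset, so a
# half-applied ruleset is never left behind (the original fed the literal
# placeholder names to iptables and failed part-way through):
#   PUBLIC_IP      -- additional public address that is DNAT'd to PRIVATE_IP
#   PRIVATE_IP     -- internal server reachable through PUBLIC_IP
#   PRIVATE_SUBNET -- /24 network address of the home network
#   ETH0_IP        -- primary address of the internet interface, used as the
#                     many:1 SNAT source
#
# Re-running the script is safe: rules are only appended when not already
# present, and the public address is added idempotently.
set -euo pipefail

: "${PUBLIC_IP:?public address for 1:1 NAT must be set}"
: "${PRIVATE_IP:?private address of the 1:1 NAT server must be set}"
: "${PRIVATE_SUBNET:?home network /24 address must be set}"
: "${ETH0_IP:?primary address of the internet interface must be set}"

readonly WAN_IF=${WAN_IF:-eth0}
readonly LAN_IF=${LAN_IF:-eth1}

#######################################
# Append an iptables rule unless an identical one already exists, so the
# script does not stack duplicate rules on every run.
# Arguments: $1 - table (nat|filter); remaining args - chain then rule spec
# Returns:   iptables' status when the rule has to be appended
#######################################
ensure_rule() {
  local table=$1
  shift
  # -C prints an error when the rule is absent; that is the expected case.
  iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

modprobe iptable_nat
sysctl -w net.ipv4.ip_forward=1 >/dev/null

# PUBLIC_IP must be owned by the gateway for inbound packets to arrive at all.
# 'replace' is idempotent and adds a second address; the original
# 'ifconfig eth0 inet PUBLIC_IP' would have overwritten ETH0_IP, breaking
# the many:1 SNAT source below.
ip addr replace "${PUBLIC_IP}/32" dev "$WAN_IF"

# The ACCEPT rules below only restrict anything if forwarding is denied by
# default; the original left the chain policy untouched.
iptables -P FORWARD DROP

# 1:1 NAT, connections originating from the Internet: rewrite the public
# address to the server's real address before routing.
ensure_rule nat PREROUTING -d "$PUBLIC_IP" -i "$WAN_IF" \
  -j DNAT --to-destination "$PRIVATE_IP"

# 1:1 NAT, connections originating from the server: leave as PUBLIC_IP.
# Must precede the subnet-wide rule so the server keeps its dedicated address.
ensure_rule nat POSTROUTING -s "$PRIVATE_IP" -o "$WAN_IF" \
  -j SNAT --to-source "$PUBLIC_IP"

# Many:1 NAT, connections originating from the rest of the home network.
ensure_rule nat POSTROUTING -s "${PRIVATE_SUBNET}/24" -o "$WAN_IF" \
  -j SNAT --to-source "$ETH0_IP"

# New inbound TCP connections to the 1:1 server. FORWARD runs after
# PREROUTING, so the rule matches the real (post-DNAT) address.
ensure_rule filter FORWARD -p tcp -i "$WAN_IF" -o "$LAN_IF" -d "$PRIVATE_IP" \
  -m multiport --dports 80,443,22 -m state --state NEW -j ACCEPT

# New and established connections originating on the home network, plus
# already-established DNAT connections heading back out. The original
# omitted -i, which also accepted NEW flows arriving on any other interface.
ensure_rule filter FORWARD -i "$LAN_IF" -o "$WAN_IF" \
  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Inbound continuations of 1:1 NAT connections already accepted by the
# NEW rule above.
ensure_rule filter FORWARD -i "$WAN_IF" \
  -m state --state ESTABLISHED,RELATED -j ACCEPT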