Kernel Requirements

Needs kernel modules (or compiled support) for:

  • iptable_nat

  • ip_conntrack

  • ipt_REJECT

  • iptable_filter

  • ip_tables

Port Forwarding

In theory you could have NAT without forwarding, but there’s little point, so you’ll probably want to tell the kernel to forward packets:

echo "1" > /proc/sys/net/ipv4/ip_forward

A permanent home for this might be in /etc/sysctl.conf:

net.ipv4.ip_forward = 1
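A common slip is enabling forwarding with the echo above and never adding the sysctl.conf line, so NAT quietly stops working after the next reboot. The script below is an added example, not part of the original notes: it reads the live value and the persistent one and reports whether they agree. Both file paths are parameters (defaulting to the paths above) so it can also be run against copies; the file name check_forward.sh in the usage comment is a hypothetical name.

```shell
#!/bin/sh
# Added example (not from the original notes): compare the kernel's live
# ip_forward switch with the persistent setting in sysctl.conf, so a host that
# was enabled with "echo 1 > /proc/..." but never had sysctl.conf updated is
# caught before the next reboot silently turns forwarding off.
#
# Both paths are parameters so the check can run against copies or test files.

# Print the effective value of net.ipv4.ip_forward from a sysctl.conf-style
# file: ignore comment lines, accept "key=value" and "key = value", and let the
# last occurrence win, as sysctl itself does. Prints nothing if the key is unset.
sysctl_conf_ip_forward() {
    conf="$1"
    [ -r "$conf" ] || return 1
    sed -n 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$conf" | tail -n 1
}

# check_ip_forward [proc_file] [sysctl_conf]
# Exit status: 0 = live and persistent both enabled
#              1 = live value is off
#              2 = live value is on but not persisted (lost on reboot)
#              3 = live value cannot be read
check_ip_forward() {
    proc_file="${1:-/proc/sys/net/ipv4/ip_forward}"
    conf="${2:-/etc/sysctl.conf}"
    live=$(cat "$proc_file" 2>/dev/null) || return 3
    persisted=$(sysctl_conf_ip_forward "$conf")
    if [ "$live" != "1" ]; then
        echo "ip_forward is OFF in the running kernel"
        return 1
    fi
    if [ "$persisted" != "1" ]; then
        echo "ip_forward is ON now but not set in $conf: it will not survive a reboot"
        return 2
    fi
    echo "ip_forward is ON and persisted in $conf"
    return 0
}

# Usage: sh check_forward.sh [proc_file] [sysctl_conf]
# (hypothetical file name; the call only fires when the script is run directly)
case "$0" in
    *check_forward.sh) check_ip_forward "$@" ;;
esac
```

Run it with no arguments on the gateway itself; a status of 2 is the case worth acting on, since the box works today and will stop forwarding at the next boot.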

Show NAT Rules

List NAT rules in iptables:

iptables -t nat -L

I don’t know why iptables -L doesn’t include NAT rules, but it doesn’t.

IPTables NAT Rules

Here’s an example of the nat part of a "/etc/sysconfig/iptables":

-A POSTROUTING -s 172.22.0.0/16 -o eth0 -j SNAT --to-source 137.110.222.250
-A POSTROUTING -s 172.19.222.0/24 -o eth0 -j SNAT --to-source 137.110.222.250

IPTables MASQUERADE

In addition to SNAT there is also a MASQUERADE target that is very similar: SNAT rewrites the source to the fixed address given with --to-source, while MASQUERADE uses whatever address the outgoing interface currently has, which makes it the choice for interfaces with dynamic addresses. (Consult this fine resource for details.)

Here is an example from a cluster head node where eth0 is the external interface.

/etc/sysconfig/iptables
*nat
:PREROUTING ACCEPT [45:9785]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [11:848]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [676:80000]
:FORWARD ACCEPT [2:152]
:OUTPUT ACCEPT [370:45852]
COMMIT
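The two rulesets above differ in one line (an explicit SNAT address versus MASQUERADE), and both leave the FORWARD policy at ACCEPT, so the gateway relays any packet the kernel can route, including ones arriving from outside. The script below is an added example, not code from the original notes: it writes a ruleset in the same iptables-restore format, picks SNAT when a fixed external address is supplied and MASQUERADE otherwise, and pairs it with a default-deny FORWARD chain that only relays connections opened from the internal side. It also carries a structural checker that runs without touching the kernel. The internal prefix, interface names and external address are parameters; 172.22.0.0/16, eth0 and 137.110.222.250 are taken from the notes above, and eth1 as the internal interface is an assumption.

```shell
#!/bin/sh
# Added example (not from the original notes): emit a complete ruleset in the
# iptables-restore format used by /etc/sysconfig/iptables and sanity-check it.
# Interface names and prefixes are parameters; eth1 as the internal interface
# is an assumption, the rest are the values used in the notes.

# emit_nat_ruleset INTERNAL_CIDR INT_IF EXT_IF [EXT_IP]
#   With EXT_IP:    -j SNAT --to-source EXT_IP   (fixed external address)
#   Without EXT_IP: -j MASQUERADE                (address of EXT_IF, whatever it is now)
emit_nat_ruleset() {
    internal="$1"; int_if="$2"; ext_if="$3"; ext_ip="${4:-}"
    if [ -n "$ext_ip" ]; then
        nat_target="SNAT --to-source $ext_ip"
    else
        nat_target="MASQUERADE"
    fi
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Only rewrite traffic that comes from the internal prefix and leaves via the
# external interface; everything else is left untouched.
-A POSTROUTING -s $internal -o $ext_if -j $nat_target
COMMIT
*filter
:INPUT ACCEPT [0:0]
# Default-deny forwarding instead of the ACCEPT policy in the notes.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the inside opened; conntrack is what makes NAT work.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets arriving from outside that claim an internal source are spoofed.
-A FORWARD -i $ext_if -s $internal -j DROP
# New connections only from the internal interface and prefix, only outbound.
-A FORWARD -i $int_if -s $internal -o $ext_if -m conntrack --ctstate NEW -j ACCEPT
# Whatever is left is dropped by policy; log it at a bounded rate for the syslog.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# check_ruleset < ruleset
# Structural check that needs no root and no kernel: every *table must be
# COMMITted, exactly one POSTROUTING SNAT/MASQUERADE rule must exist, and the
# FORWARD policy must be DROP. Prints the first problem found, exit 1 on failure.
check_ruleset() {
    awk '
        /^\*/ {
            if (open) { print "table " open " not committed"; err = 1; exit 1 }
            open = substr($0, 2); next
        }
        /^COMMIT$/ {
            if (!open) { print "COMMIT outside a table"; err = 1; exit 1 }
            open = ""; next
        }
        /^:FORWARD / { fwd = $2 }
        /^-A POSTROUTING / && ($0 ~ / -j SNAT / || $0 ~ / -j MASQUERADE/) { nat++ }
        END {
            if (err) exit 1
            n = nat + 0
            if (open) { print "table " open " not committed"; exit 1 }
            if (n != 1) { print "expected one POSTROUTING SNAT/MASQUERADE rule, found " n; exit 1 }
            if (fwd != "DROP") { print "FORWARD policy is " fwd ", not DROP"; exit 1 }
            print "ruleset OK"
        }'
}

# Usage (run by hand on the gateway; output goes to a file you then install):
#   emit_nat_ruleset 172.22.0.0/16 eth1 eth0 137.110.222.250 | check_ruleset
#   emit_nat_ruleset 172.22.0.0/16 eth1 eth0 > /tmp/iptables.new
```

Before installing the generated file, iptables-restore --test < /tmp/iptables.new on the host itself parses the ruleset against the installed iptables without committing it, which catches target or match names the checker above does not know about (the LOG and conntrack matches need their kernel modules just like the ones listed at the top of these notes).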