Linux 101 : IP Tables and NAT - Network Address Translation -

We have the below scenario:

We start by setting up our internal interface "eth1", using the below command

To check our interface, we use the below address:

Our "external" interface "eth2" on our server is connected to the outside, and will get its IP address via DHCP - Internet provider -

To get its address through DHCP, we add the below line for "eth2" in the "/etc/network/interfaces" file:

To enable routing on our server, we will add some IP tables rules for our "eth2" interface as below:

  • "-t" : parameter indicates that we are using the "nat" table.
  • "-A" : parameter is used to append the rules at the end of our "POSTROUTING" IP tables chain.
  • "-o" : indicates the output interface.
  •  "-j" : is the executed action - MASQUERADE the IP address - if the packed matches our rule.
We would need to also enable some forwarding using the below command:

The "-m state" parameter specifies that the packet need to match the property "state" : from "eth2" to "eth1", the packets need to be related or part of an already established connection to be accepted and passed to the FORWARD chain.

Finally, any packet that comes in on "eth1" (LAN) and is heading out through "eth2" (Internet) is automatically accepted:


The FORWARD chain deals with traffic that is just going through our machine.
The POSTROUTING happens after the routing decision has has been done.


Leave as a comment: