
NAT (Network Address Translation) is the rewriting of a packet's source or destination address as it passes through a router or firewall. There are many reasons an administrator might want to rewrite an IP packet's source or destination address, but by far the most common one is to let hosts with private IP addresses reach the Internet.


Today, practically all businesses and home networks use private IP addresses internally. Public, globally routable addresses are only needed on the Internet-facing external WAN interface. Even web servers and other semi-public resources in a DMZ are often given private addresses, with the router mapping inbound connections to them, so that an organisation's few public addresses go further.

So why can't these private addresses be used on the Internet?

These internal IP addresses are not unique. The private address blocks, reserved by IANA (the Internet Assigned Numbers Authority) and defined in RFC 1918, were a tactic to slow down the depletion and eventual exhaustion of the IPv4 address space. By setting aside blocks for use inside private networks, the remaining public addresses could be preserved for hosts that actually had to be reachable on the Internet.

The private address blocks IANA made available for administrators to freely use in their networks are:

Administrators were free to use these addresses at will and subnet them to their heart's desire, because no one outside the network boundary would ever see them. The trade-off is that, precisely because they are reserved for private use, the addresses are not unique: hundreds of thousands, if not millions, of small networks use the very same ranges, so no Internet router can hold a route to any given private address. Internet service providers and border routers commonly filter packets with private source or destination addresses on their egress interfaces (bogon filtering, see BCP 38), and even if such a packet escapes into the wild, there is no route back to its private source, so the reply can never return.

NAT solves this problem by giving privately addressed hosts a way onto the Internet. The router rewrites the source address of each outgoing packet with a "real" IP address, which it borrows from its own external WAN interface, and remembers the mapping so that the replies can be translated back to the originating host. The packets leaving the WAN interface are now globally routable and able to traverse the Internet.


NAT in Practice

In the following scenario, there is a small private network that has three computers: one is a Linux server, which will be configured as a router to allow all three machines to share the one ADSL internet connection.

Host Name     IP Address                                     Gateway
Linux01       Ethernet 0 = (DHCP server); Ethernet 1 =       203.53.122.66 (default route 0/0/0/0)
Windows-01    (DHCP client)                                  Linux01, Ethernet 0
Windows-02    (DHCP client)                                  Linux01, Ethernet 0


Step 1 – Before configuring NAT on a Linux box, the administrator should make sure the prerequisites are installed: the iptables user-space tool and the kernel packet-filter framework it drives, Netfilter. With Netfilter available and two or more network interfaces, the box can be configured with the iptables command set to act as a router and perform NAT. The commands below run as root.

# IMPORTANT: enable IP forwarding in the kernel. It is disabled by
# default, and a value written to /proc is lost at reboot; to make it
# persistent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf
# (or a file under /etc/sysctl.d/).
echo "1" > /proc/sys/net/ipv4/ip_forward
# Load the kernel modules. On current kernels they are normally loaded
# automatically the first time iptables references them, in which case
# these commands are not needed.
# iptables core module:
modprobe ip_tables
# Connection tracking: packets are matched against the state of the
# connection they belong to, and NAT depends on it to translate replies.
modprobe ip_conntrack
# Protocol helpers for IRC and FTP, which carry addresses and ports
# inside their payload and therefore need help to work through NAT:
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp
# On any recent kernel these three modules are called nf_conntrack,
# nf_conntrack_irc and nf_conntrack_ftp instead (the ip_conntrack names
# were retired during the 2.6 series).

Forwarding is now enabled in the kernel, and the iptables and connection-tracking modules are loaded.

The next step is to add an iptables rule that rewrites the source address of packets leaving through the Internet-facing interface to that interface's external IP address.

Step 2 – Connect the LAN to the Internet with a single rule in the POSTROUTING chain of the nat table:

# Connect a LAN to the internet
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE


The syntax here is as follows: -t nat selects the nat table (rules in the default filter table never rewrite addresses); -A POSTROUTING appends the rule to the POSTROUTING chain, which a packet traverses after the routing decision, just before it leaves the box; -o eth1 matches only packets that will leave through the external interface eth1; and -j MASQUERADE jumps to the MASQUERADE target, which replaces the source address with whatever address eth1 currently holds and forgets the associated connections if the interface goes down. That makes MASQUERADE the right choice for an ADSL link whose address may change; with a fixed public address, SNAT --to-source does the same job without looking up the interface address for every new connection.

Step 3 –

The other local Windows clients point to the Linux box’s internal Ethernet interface as the default gateway via DHCP.

Packets with a source address in the 192.168.1.x range arriving from the other hosts on the internal interface (Ethernet 0) will be routed out of the external interface (Ethernet 1) to the Internet with their source address rewritten to the public address of Ethernet 1. Return traffic is matched against the connection-tracking table and translated back to the client that opened the connection.

All that remains is to check the configuration by browsing the Internet from the Windows clients and confirming on the router, with iptables -t nat -L -n -v, that the packet counters on the MASQUERADE rule are increasing.
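The three steps above, collected into one script as an added example (this is not the article's own code). It goes one step beyond the article: the nat table only rewrites addresses, and once ip_forward is on the box forwards traffic in both directions, so the script also adds the FORWARD rules that let LAN hosts out while admitting only replies from the Internet. Assumptions: eth0 is the LAN interface carrying the 192.168.1.0/24 network and eth1 is the ADSL/WAN interface; IPT=echo SYSCTL=echo gives a dry run that prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: complete NAT gateway setup for the Linux01 box.
# Assumed topology: eth0 = LAN (192.168.1.0/24), eth1 = ADSL/WAN.
# IPT / SYSCTL can be overridden (e.g. IPT=echo) for a dry run.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# Turn on forwarding through sysctl so the same key can be persisted in
# /etc/sysctl.conf; a value echoed into /proc is lost at reboot.
enable_forwarding() {
    "$SYSCTL" -w net.ipv4.ip_forward=1
}

# configure_nat LAN_IF WAN_IF LAN_NET
configure_nat() {
    lan="$1"; wan="$2"; net="$3"

    # Source NAT only for packets that really originate on the LAN and
    # leave via the WAN. A bare "-o eth1 -j MASQUERADE" would also
    # masquerade anything else the box happens to forward.
    "$IPT" -t nat -A POSTROUTING -s "$net" -o "$wan" -j MASQUERADE

    # The nat table never filters: the filter table must say what may
    # cross the box. Default-deny, then open only what is needed.
    "$IPT" -P FORWARD DROP
    "$IPT" -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Anti-spoofing: a LAN source address cannot legitimately arrive
    # on the WAN side.
    "$IPT" -A FORWARD -i "$wan" -s "$net" -j DROP
    # LAN -> Internet: new connections and their follow-up packets.
    "$IPT" -A FORWARD -i "$lan" -o "$wan" -s "$net" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # Internet -> LAN: only replies to connections the LAN opened
    # (RELATED covers e.g. FTP data channels found by the conntrack helper).
    "$IPT" -A FORWARD -i "$wan" -o "$lan" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# What to look at after applying: the counters on the MASQUERADE and
# FORWARD rules climb as the Windows clients browse, and each
# translation shows up in the connection-tracking table.
verify_nat() {
    "$IPT" -t nat -L POSTROUTING -n -v
    "$IPT" -L FORWARD -n -v
    cat /proc/net/nf_conntrack 2>/dev/null || conntrack -L
}

# Apply only when explicitly asked (APPLY=1 sh nat-gateway.sh, as root),
# so a plain run or a dry run cannot touch a live firewall.
if [ "${APPLY:-0}" = "1" ]; then
    enable_forwarding
    configure_nat eth0 eth1 192.168.1.0/24
    verify_nat
fi
```

Run it first with IPT=echo SYSCTL=echo APPLY=1 to read the rules it would install; the -s match on the POSTROUTING rule and the default-deny FORWARD policy are the two things the article's one-line version does not give you.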

Other NAT Actions

The scenario above is a very common reason for implementing NAT within a network. In this case, the Linux router rewrote the source address of the packets leaving the network with the public IP address of the external interface, Ethernet 1 (eth1).

However there are other options available:

# In the following, the table selection, the command and the match pattern
# are abbreviated as [...]; <address> stands for the address to use.
# Source NAT: change the sender to a fixed address
iptables [...] -j SNAT --to-source <address>
# Masquerade: change the sender to the address of the outgoing network interface
iptables [...] -j MASQUERADE
# Destination NAT: change the recipient to <address>, port 22
iptables [...] -j DNAT --to-destination <address>:22
# Redirect to local port 8080
iptables [...] -j REDIRECT --to-ports 8080


The options above are: SNAT, which rewrites the source address to a fixed address and is used in POSTROUTING when the external address is static; MASQUERADE, which does the same but takes the address from the outgoing interface at the time, and so suits dynamic addresses such as an ADSL link; DNAT, which rewrites the destination address (and optionally the port) and is used in PREROUTING (or in OUTPUT for locally generated traffic) to publish an internal server, such as a DMZ web host or an SSH server; and REDIRECT, a special case of DNAT that sends the packet to the router itself on the given port, the usual way to build a transparent proxy. In every case the nat table only rewrites addresses: whether the translated packet is then allowed through is decided by the FORWARD (or INPUT) chain of the filter table, which sees the packet with its already-translated destination.
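The two inbound actions above, DNAT and REDIRECT, as an added example (not from the original article) that also adds the filter rules the nat table does not provide. Assumptions: eth1 is the WAN interface, eth0 the LAN interface, and 192.168.1.10 is an internal SSH host chosen purely for illustration; IPT=echo gives a dry run that prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: publishing internal services with DNAT and REDIRECT.
# Assumed topology: eth1 = WAN, eth0 = LAN; 192.168.1.10 is an assumed
# internal SSH host. IPT=echo prints the rules instead of applying them.
IPT="${IPT:-iptables}"

# forward_port WAN_IF PROTO WAN_PORT LAN_HOST LAN_PORT LAN_IF
# Port-forward a WAN port to an internal host. The FORWARD rule must
# match the *translated* destination (LAN_HOST:LAN_PORT): filter rules
# run after PREROUTING has already rewritten the packet, so matching on
# the WAN port there is a common mistake that leaves the forward blocked.
forward_port() {
    wan="$1"; proto="$2"; wport="$3"; host="$4"; lport="$5"; lan="$6"
    "$IPT" -t nat -A PREROUTING -i "$wan" -p "$proto" --dport "$wport" \
        -j DNAT --to-destination "$host:$lport"
    "$IPT" -A FORWARD -i "$wan" -o "$lan" -p "$proto" -d "$host" --dport "$lport" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# redirect_local LAN_IF PROTO PORT LOCAL_PORT
# Transparently redirect LAN clients' traffic to a service on the gateway
# itself (for example a proxy on 8080). REDIRECT is DNAT to the address of
# the interface the packet arrived on; the service must then be reachable
# through INPUT, which the nat table does not take care of.
redirect_local() {
    lan="$1"; proto="$2"; port="$3"; lport="$4"
    "$IPT" -t nat -A PREROUTING -i "$lan" -p "$proto" --dport "$port" \
        -j REDIRECT --to-ports "$lport"
    "$IPT" -A INPUT -i "$lan" -p "$proto" --dport "$lport" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
}

# Apply only when explicitly asked (APPLY=1 sh dnat-examples.sh, as root),
# so the script can be sourced or dry-run without changing a live firewall.
if [ "${APPLY:-0}" = "1" ]; then
    # Expose the internal SSH host on WAN port 2222, and send the LAN's
    # plain HTTP through a proxy listening on the gateway's port 8080.
    forward_port eth1 tcp 2222 192.168.1.10 22 eth0
    redirect_local eth0 tcp 80 8080
fi
```

Pairing each nat rule with its filter rule in one function is deliberate: a DNAT without the matching FORWARD accept silently fails under a default-deny policy, and a DNAT with an over-broad accept publishes more than intended.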



Page Last Updated: April 2014
