Step-By-Step Configuration of NAT with iptables

Submitted by ganesh35 (Contact Author) (Forums) on Wed, 2006-11-08 19:53. :: Kernel | Linux


This tutorial shows how to set up network-address-translation (NAT) on a Linux system with iptables rules so that the system can act as a gateway and provide internet access to multiple hosts on a local network using a single public IP address. This is achieved by rewriting the source and/or destination addresses of IP packets as they pass through the NAT system. 


CPU - PII or more
OS - Any Linux distribution
Software - Iptables
Network Interface Cards: 2

Here are my assumptions:

Replace xx.xx.xx.xx with your WAN IP

Replace yy.yy.yy.yy with your LAN IP

(i.e.,, as suggested by Mr. tzs)

WAN = eth0 with public IP xx.xx.xx.xx
LAN = eth1 with private IP yy.yy.yy.yy/


Step by Step Procedure

Step #1. Add 2 Network cards to the Linux box

Step #2. Verify that the network cards are installed properly

ls /etc/sysconfig/network-scripts/ifcfg-eth* | wc -l

    (The output should be "2".)

Step #3. Configure eth0 for the Internet with a public IP (external network / Internet)

cat /etc/sysconfig/network-scripts/ifcfg-eth0

BROADCAST=xx.xx.xx.255    # Optional Entry
HWADDR=00:50:BA:88:72:D4    # Optional Entry
NETMASK=    # Provided by the ISP
NETWORK=xx.xx.xx.0       # Optional
GATEWAY=xx.xx.xx.1    # Provided by the ISP

Step #4. Configure eth1 for LAN with a Private IP (Internal private network)

cat /etc/sysconfig/network-scripts/ifcfg-eth1

HWADDR=00:50:8B:CF:9C:05    # Optional
NETMASK=        # Specify based on your requirement
IPADDR=        # Gateway of the LAN
NETWORK=        # Optional

Step #5. Host configuration (optional)

cat /etc/hosts

    nat localhost.localdomain   localhost

Step #6. Gateway Configuration

cat /etc/sysconfig/network

    GATEWAY=xx.xx.xx.1    # Internet Gateway, provided by the ISP

Step #7. DNS Configuration

cat /etc/resolv.conf

    nameserver      # Primary DNS Server provided by the ISP
    nameserver        # Secondary DNS Server provided by the ISP

Step #8. NAT configuration with iptables

# Delete and flush. The default table is "filter"; other tables such as "nat" must be named explicitly.

iptables --flush                       # Flush all rules in the filter table
iptables --table nat --flush           # Flush all rules in the nat table
iptables --delete-chain                # Delete all user-defined chains in the filter table
iptables --table nat --delete-chain    # Delete all user-defined chains in the nat table

# Set up IP forwarding and masquerading

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE    # Rewrite the source address of packets leaving via the WAN interface
iptables --append FORWARD --in-interface eth1 -j ACCEPT                         # Allow packets arriving from the LAN to be forwarded

# Enable packet forwarding in the kernel (takes effect immediately, but is lost at reboot)

echo 1 > /proc/sys/net/ipv4/ip_forward

# To make it persistent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf and reload it

sysctl -p

# Save the running rules to /etc/sysconfig/iptables so the iptables service reloads them at boot
# (restarting the service without saving first would discard the rules added above)

service iptables save
service iptables restart
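The rules above are the minimum; as an added example (not the howto's own commands) the script below goes a step further and generates a stateful, default-deny NAT ruleset in iptables-save format, which is the form /etc/sysconfig/iptables expects, and refuses a LAN prefix that is not in an RFC 1918 private block. The interface names and the prefix 192.168.1.0/24 used in the test are assumed, constructed values.

```shell
#!/bin/sh
# Added example, not from the original howto: build a stateful NAT gateway
# ruleset in iptables-save format for /etc/sysconfig/iptables, so it survives
# "service iptables restart". Assumed parameters: WAN interface, LAN interface,
# LAN prefix; eth0/eth1/192.168.1.0/24 used in the test are constructed values.

# Return 0 if the prefix is in an RFC 1918 block (10/8, 172.16/12, 192.168/16)
is_rfc1918() {
    case "$1" in
        10.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        192.168.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ruleset. Only LAN sources leaving via the WAN are masqueraded, and
# FORWARD defaults to DROP: LAN->WAN plus established replies are allowed.
gen_nat_rules() {
    wan="$1"; lan="$2"; lan_net="$3"
    is_rfc1918 "$lan_net" || { echo "refusing non-private LAN prefix $lan_net" >&2; return 1; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -s $lan_net -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
COMMIT
EOF
}

# Install on a Red Hat-style system (run as root): persist, load, and keep
# ip_forward enabled across reboots via sysctl instead of /proc alone.
install_nat_rules() {
    gen_nat_rules "$@" > /etc/sysconfig/iptables || return 1
    iptables-restore < /etc/sysconfig/iptables
    grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    sysctl -w net.ipv4.ip_forward=1
}
```

Run `gen_nat_rules eth0 eth1 192.168.1.0/24` to inspect the ruleset before installing it; `install_nat_rules` with the same arguments writes and loads it.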

Step #9. Testing

# Ping the gateway of the network from a client system

Try it on your client systems.


Configuring PCs on the network (Clients)

•    All PCs on the private office network should set their "gateway" to the local private network IP address of the Linux gateway computer.
•    The DNS should be set to that of the ISP on the Internet.
Windows 95, 2000, XP configuration:

•    Select "Start" + "Settings" + "Control Panel"
•    Select the "Network" icon
•    Select the tab "Configuration" and double-click the component "TCP/IP" for the Ethernet card (NOT the TCP/IP -> Dial-Up Adapter)
•    Select the tabs:
o    "Gateway": Use the internal network IP address of the Linux box. (
o    "DNS Configuration": Use the IP addresses of the ISP's Domain Name Servers (actual Internet IP addresses).
o    "IP Address": The IP address (192.168.XXX.XXX - static) and netmask (typically for a small local office network) of the PC can also be set here.

Submitted by XenServer 6.2 (not registered) on Mon, 2014-05-12 13:16.

Hi, I will give a relevant update for users that need it on XenServer 6.2 (the newest at this time). So, I tried and tried and made it work :)

 1. For example, OVH gives you a server with one NIC (eth1), so this is the first problem if you aren't using your own server. The answer to this is creating a new external network with a VLAN (I used 1024) on ETH1 (NIC1) and giving this new network an IP in your XenCenter (Networking), for me / 24 - why not :)

 2. Go to the console of the server and check your interfaces. I have (I won't write all):

eth1 - external network (OVH - with my static IP) - will call it EXT1
xapi0 - external network for internal use (our network) - will call it INT1
xenbr1 - network bridge for vSwitch - all networks

 You can check all information via the ifconfig command.

3. System changes
a. Edit the file /etc/sysctl.conf
nano /etc/sysctl.conf

b. Uncomment the following lines to enable packet forwarding for IPv4 and other stuff

net.ipv4.ip_forward = 1
net.ipv4.conf.default.proxy_arp = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.xenbr0.send_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
kernel.sysrq = 1
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
vm.dirty_ratio = 5
kernel.printk = 4 4 1 4

4. Creating NAT

$IPTABLES -I RH-Firewall-1-INPUT -s $INT1/24 -j ACCEPT

PS. I made a bash script and added it to my startup scripts, or you can add it to /etc/sysconfig/iptables

5. Testing

From my VM - ping - OK

VM config:
IP - (static)
gateway -
nameserver -

I could use the command lokkit, but in my case there is no MASQUERADE there; that ISP makes it hard as always !!!

I hope it helped someone more :)

Submitted by Praveen (not registered) on Mon, 2014-03-24 13:22.
It's not working for me. I tried it on a DSL Linux server where the internet is shared from the server to the clients, but the rules are not working. What can I do? How do I block it? My client XP machine got bypassed ...:(
Submitted by Abid (not registered) on Sun, 2012-09-02 03:53.
Complete steps at the following link
Submitted by S.Babu (not registered) on Wed, 2012-04-11 05:34.
Dear Sir, it's working excellently, thank you very much
Submitted by Anonymous (not registered) on Mon, 2011-11-14 09:23.
My server is logged in as root but a message shows "no root folder/directory found". It logs in with home .. why is this happening??? Anyone help me.. and how do I masquerade for other internet users with that firewall..??? I'm not a Linux engineer but I have the responsibility to solve that.... please help me..
Submitted by dAb (not registered) on Wed, 2010-05-12 14:30.
Howto FAIL.
Submitted by abhandari (not registered) on Tue, 2009-11-10 12:16.

Please be clear before you post anything.

Submitted by Tim Martin (not registered) on Wed, 2009-03-18 05:23.
Step 8 is completely useless--don't try this at home kids...or at work for that matter.  

"iptables --table nat --flush"
This will remove all chains from your current running netfilter table (firewall rules). You just dropped your pants.

"iptables --delete-chain"
This will remove all chains from your current running nat table

"iptables --delete-chain"
No need to do this after a flush!  There are no chains in your current running netfilter table because you already flushed it.

"iptables --table nat --delete-chain"
No need to do this after a flush!  There are no chains in your current running nat table because you already flushed it.

"iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE"
This will enable nat in your current running nat table until we get down to the restart below.

"iptables --append FORWARD --in-interface eth1 -j ACCEPT"
This is useless because forwarding is accepted because you flushed your netfilter table

"echo 1 > /proc/sys/net/ipv4/ip_forward"
This will turn on routing.  Too bad next time you boot, it will not be enabled.  Use sysctl!!!!

"service iptables restart"
I love this one.  This command will undo every "iptables" command above.  Now NAT is no longer running.  When the iptables service is restarted, it reads the saved config and anything that was in "current running" is gone.  Instead, use iptables-save!

Congratulations, you have a router with no NAT.  But don't worry, it will no longer be a router after you reboot it.  It will go back to the way it was before you started...thankfully

Tim Martin, RHCE 
Submitted by psperez (not registered) on Sat, 2012-07-21 16:53.

I'd like to discuss some configuration instructions that I can't get working.  You seem to have a handle on this tech.

Please email me; I'd rather not post configs here on this site.

Submitted by sharms (not registered) on Wed, 2009-02-04 21:03.
It should be noted that /etc/sysconfig exists on SuSE / Novell systems; if you are an Ubuntu server user this will not exist.  The equivalent file is /etc/network/interfaces, but the syntax differs.
Submitted by Anonymous (not registered) on Thu, 2008-11-20 17:42.
Worst howto ever?
Submitted by Sharib (not registered) on Wed, 2010-11-10 07:43.

Hi All,

I tried and it is working fine till Step 7..

After that you can follow

The MASQUERADE steps explained over here work fine until the system is restarted.

Best Regards,

Sharib Tasneem

SAP BASIS Consultant

Submitted by mynamewastaken (registered user) on Sun, 2007-02-04 03:52.

(i.e.,, as suggested by Mr. tzs)

 Unless you are doing some subnetting here, I would suggest keeping those internal addresses at their defaults, which are: , i.e. mask for a class C address, mask for class B, for class A

Submitted by tzs (registered user) on Fri, 2006-11-10 03:04.

1. The example is using for private IP addresses. This is bad. That block is real live addresses, allocated to ISPs in Latin America and the Caribbean. Private IP addresses should be chosen from one of the following blocks:

 2. The example uses as the address of the gateway on the LAN in step #4, but pings it at in step #9.

Submitted by mou5e (not registered) on Thu, 2010-12-02 10:07.

Are you sure what you are talking about?

 It is called NAT because the inside addresses are translated into the outside address.

For example my home inside NAT is

Submitted by Anonymous (not registered) on Mon, 2010-12-20 00:40.
Either you bought the address space or your inside NAT addressing is bad, because any connection attempt to or similar in that network will never leave your home network, even though this may be a real public address used somewhere out there on the Internet. Always use private addresses inside the NATed network!
Submitted by Anonymous (not registered) on Sun, 2011-02-27 00:21.

Yeah, I use what could possibly go wrong :P

I am sure that won't be a problem

Submitted by Anonymous (not registered) on Sun, 2011-03-06 15:02.
I would suggest
Submitted by rishi (not registered) on Tue, 2011-05-10 19:03.
Submitted by Anonymous (not registered) on Sun, 2011-09-04 00:19.
Buddy, you copied parts of this inept article and posted it on your blog???
Submitted by IRFroggy (not registered) on Wed, 2011-10-12 10:48.
Then Linux users want to know why companies are still running Microsoft. This howto will make me run back.