There are several NAT variations that can be configured with iptables. This article shows some examples of SNAT and DNAT with iptables.
Masquerade all outgoing packets from 192.168.1.2 with the IP address of WLAN0. MASQUERADE is only valid in the POSTROUTING chain, which selects the outgoing interface with -o (the original PREROUTING/-i form is rejected by iptables).
iptables -t nat -A POSTROUTING -s 192.168.1.2 -o wlan0 -j MASQUERADE
All packets leaving eth0 will have the eth0 IP address (192.168.1.1) as their source
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.1
Matching rule specifying a source port
The rules below ensure that packets from the devices on the Ethernet side leave with the correct source IP address. Warning: when a port is specified, the protocol (-p tcp or -p udp) must be specified as well, otherwise iptables rejects the rule.
iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.2 -p udp --dport 16020 -j SNAT --to-source 10.1.1.7:51889
iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.2 -p tcp --dport 21 -j SNAT --to-source 10.1.1.7:21
iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.1.3 -j SNAT --to-source 10.1.1.9
Packets destined for IP 10.1.1.7 will be forwarded to 192.168.1.2 UDP,TCP
Packets destined for IP 10.1.1.9 will be forwarded to 192.168.1.3 UDP,TCP
Works correctly with ping (ICMP)
iptables -t nat -A PREROUTING -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -i wlan0 -d 10.1.1.9 -j DNAT --to-destination 192.168.1.3
Packets destined for IP 10.1.1.7 will be forwarded to 192.168.1.2 (TCP and UDP only)
Does NOT work correctly with ping (ICMP): these rules match only TCP and UDP, so an ICMP echo sent to the WLAN IP is not translated and never reaches the internal host.
iptables -t nat -A PREROUTING -p tcp -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -p udp -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2
Redirect locally generated SNMP trap messages (UDP port 162) to 192.168.1.33 on port 1162 (the OUTPUT chain of the nat table handles packets created on the router itself)
iptables -t nat -A OUTPUT -p udp --dport 162 -j DNAT --to-destination 192.168.1.33:1162
Add secondary IP to WLAN0
ip addr add 10.1.1.7/24 dev wlan0
ip addr add 10.1.1.9/24 dev wlan0
List all IP addresses assigned to wlan0
ip addr list dev wlan0
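The following is an added example and is not part of the original article: a small POSIX shell script that performs the whole 1:1 mapping described above (bind the secondary IP on wlan0, SNAT the internal host's outbound traffic to it, DNAT inbound traffic for it back to the internal host) for a list of public/internal pairs. It assumes the same wlan0, 10.1.1.x and 192.168.1.x addressing as the page; the DRY_RUN and NAT_MAP_APPLY variables and the run, rule_exists, add_once, map_host and add_secondary_ip function names are my own. Each rule is added only if an identical one is not already present (checked with iptables -C), so re-running the script from a startup script does not stack duplicate rules, and the optional protocol list decides whether ICMP is translated, which is exactly the ping difference noted above.

```shell
#!/bin/sh
# Added example: 1:1 NAT of secondary wlan0 addresses to internal hosts.
# Set DRY_RUN=1 to print the commands instead of executing them.

# run CMD ARGS...: execute the command, or print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# rule_exists TABLE CHAIN ARGS...: true if an identical rule is already present
rule_exists() {
    _t=$1; _c=$2; shift 2
    [ -z "${DRY_RUN:-}" ] && iptables -t "$_t" -C "$_c" "$@" 2>/dev/null
}

# add_once TABLE CHAIN ARGS...: append the rule unless it already exists
add_once() {
    table=$1; chain=$2; shift 2
    rule_exists "$table" "$chain" "$@" || run iptables -t "$table" -A "$chain" "$@"
}

# map_host PUBLIC_IP INTERNAL_IP [PROTO...]
# Outbound: packets from INTERNAL_IP leaving wlan0 get PUBLIC_IP as source (SNAT).
# Inbound: packets arriving on wlan0 for PUBLIC_IP go to INTERNAL_IP (DNAT).
# With no protocol list every protocol is translated, so a ping to PUBLIC_IP
# reaches the internal host; with e.g. "tcp udp" only those protocols are,
# and an ICMP echo to PUBLIC_IP is answered by the router itself.
map_host() {
    pub=$1; int=$2; shift 2
    add_once nat POSTROUTING -o wlan0 -s "$int" -j SNAT --to-source "$pub"
    if [ $# -eq 0 ]; then
        add_once nat PREROUTING -i wlan0 -d "$pub" -j DNAT --to-destination "$int"
    else
        for proto in "$@"; do
            add_once nat PREROUTING -p "$proto" -i wlan0 -d "$pub" -j DNAT --to-destination "$int"
        done
    fi
}

# add_secondary_ip IP: bind the public address to wlan0 unless it is already there
# (ip addr add fails with "RTNETLINK answers: File exists" on a second run)
add_secondary_ip() {
    if [ -z "${DRY_RUN:-}" ] && ip -4 -o addr show dev wlan0 | grep -qF " $1/"; then
        return 0
    fi
    run ip addr add "$1/24" dev wlan0
}

main() {
    # DNAT only delivers packets to the internal host if forwarding is enabled
    run sysctl -w net.ipv4.ip_forward=1
    add_secondary_ip 10.1.1.7
    add_secondary_ip 10.1.1.9
    map_host 10.1.1.7 192.168.1.2          # all protocols: ping is forwarded
    map_host 10.1.1.9 192.168.1.3 tcp udp  # TCP/UDP only: ping is not
}

# Apply with:  NAT_MAP_APPLY=1 sh nat-map.sh
# Preview with: NAT_MAP_APPLY=1 DRY_RUN=1 sh nat-map.sh
if [ "${NAT_MAP_APPLY:-}" = 1 ]; then
    main
fi
```

The DRY_RUN preview is worth running once before installing the rules on a remote router: it shows the exact iptables and ip commands in the order they will be applied, and it also reveals when a host would be mapped twice with conflicting addresses.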
All packets leaving eth1 will change the source IP to 192.168.20.1
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.20.1
All TCP packets from 192.168.1.22 leaving eth1 for port 443 will change the source IP to 192.168.20.1
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p tcp --dport 443 -j SNAT --to-source 192.168.20.1:443
All ICMP packets from 192.168.1.22 leaving eth1 will change the source IP to 192.168.20.1
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p icmp -j SNAT --to-source 192.168.20.1
All supported packets leaving eth1 that have a source IP of 192.168.1.22 will change their source IP to 192.168.20.1
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.22 -p all -j SNAT --to-source 192.168.20.1
SNAT in the dynamic assignment interface
Use with dual WiFi mode, where the WiFi module is AP and STA at the same time; add this to the startup script.
# assuming wlan1 is the STA interface; -4 keeps only the IPv4 address and "scope global" skips link-local addresses
ip=$(ip -4 -o addr show dev wlan1 up primary scope global | while read -r num dev fam addr rest; do echo "${addr%/*}"; done)
echo "$ip"
# all packets leaving wlan1 will change the source IP to the STA interface IP
iptables -t nat -A POSTROUTING -o wlan1 -j SNAT --to-source "$ip"
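The script below is an added example, not code from the original article. It takes the dynamic-address case one step further: the address is parsed by a small function that can be fed constructed "ip -o addr show" output, the SNAT rule is not installed at all when the STA interface has no IPv4 address yet (an empty $ip makes "--to-source" fail), and the rule lives in a dedicated chain that is flushed and refilled, so running the script again after a DHCP renewal replaces the old address instead of leaving a stale rule in front of the new one. It assumes wlan1 is the STA interface; the chain name sta_snat, the function names extract_ipv4, sample_ip_output and sta_snat, and the sample output lines are my own.

```shell
#!/bin/sh
# Added example: SNAT behind a STA interface whose address comes from DHCP.
# Assumes wlan1 is the STA interface; the sta_snat chain name is my choice.

# extract_ipv4: read "ip -o addr show" lines on stdin and print the first
# global-scope IPv4 address without its prefix length. IPv6 lines and
# link-local addresses (scope link) are skipped. Returns 1 if none is found.
extract_ipv4() {
    while read -r _num _dev fam addr rest; do
        case "$fam $rest" in
            "inet "*"scope global"*)
                printf '%s\n' "${addr%/*}"
                return 0 ;;
        esac
    done
    return 1
}

# sample_ip_output: constructed "ip -o addr show dev wlan1" output used to
# exercise extract_ipv4 offline (an IPv6 link-local, an IPv4 link-local and
# one DHCP-assigned global address, in the one-line -o format).
sample_ip_output() {
    printf '%s\n' \
      '3: wlan1    inet6 fe80::1a2b:3c4d:5e6f:7a8b/64 scope link \       valid_lft forever preferred_lft forever' \
      '3: wlan1    inet 169.254.5.5/16 brd 169.254.255.255 scope link wlan1\       valid_lft forever preferred_lft forever' \
      '3: wlan1    inet 10.20.30.40/24 brd 10.20.30.255 scope global dynamic wlan1\       valid_lft 3599sec preferred_lft 3599sec'
}

# sta_snat IFACE: (re)install the SNAT rule for IFACE in a dedicated chain.
# The chain is flushed and refilled each time, so calling this again after a
# DHCP renewal replaces the old address instead of stacking a second rule.
sta_snat() {
    iface=${1:-wlan1}
    addr4=$(ip -4 -o addr show dev "$iface" up | extract_ipv4) || addr4=""
    if [ -z "$addr4" ]; then
        echo "$iface has no global IPv4 address yet; SNAT rule not installed" >&2
        return 1
    fi
    iptables -t nat -N sta_snat 2>/dev/null || true          # create the chain once
    iptables -t nat -C POSTROUTING -o "$iface" -j sta_snat 2>/dev/null ||
        iptables -t nat -A POSTROUTING -o "$iface" -j sta_snat   # hook it in once
    iptables -t nat -F sta_snat                                # drop the old address
    iptables -t nat -A sta_snat -j SNAT --to-source "$addr4"
}

# From the startup script or a DHCP client hook:  sta_snat wlan1
# Offline check of the parser:  sample_ip_output | extract_ipv4   (prints 10.20.30.40)
```

Because the rule is kept in its own chain, "iptables -t nat -L sta_snat -n" shows at a glance which address is currently being used for SNAT, and a DHCP client hook can simply call sta_snat again whenever the lease changes.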
Block traffic from ETH0 to Cell, except NTP
Rule order matters: iptables evaluates the FORWARD chain from top to bottom and stops at the first rule that matches, so the ACCEPT for the NTP server must be placed above the DROP, otherwise the DROP would end the evaluation before the NTP traffic is allowed. That is why the rules are INSERTED with -I (each new rule goes to the top of the chain): the DROP is entered first and the ACCEPT second, which leaves the ACCEPT above the DROP. If APPEND (-A) is used instead, the order of the two commands must be reversed so that the DROP comes last.
iptables -I FORWARD -i eth0 -o usb0 -j DROP
iptables -I FORWARD -d pool.ntp.org -i eth0 -o usb0 -j ACCEPT
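As an added example that is not part of the original article, the function below builds the same "allow a short list, drop the rest" forwarding policy with -A, appending one ACCEPT per allowed destination and the DROP last, so the ordering is correct no matter how many exceptions there are. The run helper, the DRY_RUN variable, the forward_allow_only name and the optional "host/proto:port" suffix syntax are my own; eth0, usb0 and pool.ntp.org come from the page, and 192.0.2.10 is a constructed documentation address. One caveat the page does not mention: a hostname given to -d is resolved once, when the rule is inserted, and iptables installs one rule per address returned at that moment; pool.ntp.org rotates its members, so traffic to pool servers that appear later is dropped. Pinning a fixed NTP server address, or restricting the exception to UDP port 123 as the example allows, keeps the policy predictable.

```shell
#!/bin/sh
# Added example: forward from IN_IF to OUT_IF only for an allow-list of
# destinations, drop everything else. Set DRY_RUN=1 to print the commands.

# run CMD ARGS...: execute the command, or print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# forward_allow_only IN_IF OUT_IF DEST...
# Appends one ACCEPT per destination and then the DROP, so the chain is
# always evaluated ACCEPT ... ACCEPT DROP for this interface pair.
# A DEST may carry an optional "/proto:port" suffix (e.g. pool.ntp.org/udp:123)
# to limit the exception to one protocol and port.
# Note: a hostname in -d is resolved when the rule is installed, not per packet.
forward_allow_only() {
    in_if=$1; out_if=$2; shift 2
    for dest in "$@"; do
        case "$dest" in
            */*:*)
                host=${dest%%/*}; pp=${dest#*/}
                run iptables -A FORWARD -i "$in_if" -o "$out_if" -d "$host" \
                    -p "${pp%%:*}" --dport "${pp#*:}" -j ACCEPT ;;
            *)
                run iptables -A FORWARD -i "$in_if" -o "$out_if" -d "$dest" -j ACCEPT ;;
        esac
    done
    run iptables -A FORWARD -i "$in_if" -o "$out_if" -j DROP
}

# Usage (preview first, then apply):
#   DRY_RUN=1 sh block-cell.sh   # after adding a call such as the one below
#   forward_allow_only eth0 usb0 pool.ntp.org/udp:123
```

Run it with DRY_RUN=1 once and check with "iptables -L FORWARD -n -v --line-numbers" after applying: the DROP must be the highest-numbered rule for the eth0/usb0 pair, and the packet counters on the ACCEPT lines show whether the NTP exception is actually being hit.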
Block traffic on ETH1 based on ports
Useful when you have a device behind the router and want to limit its ability to use/exploit resources on the router.
Use with caution, as you may block yourself.
Blocks port 80 (http) only on the ETH1 interface
iptables -t filter -A INPUT -i eth1 -p tcp --dport 80 -j DROP
Blocks port 443 (https) only on the ETH1 interface
iptables -t filter -A INPUT -i eth1 -p tcp --dport 443 -j DROP
Blocks port 22 (ssh) on the ETH1 interface only
iptables -t filter -A INPUT -i eth1 -p tcp --dport 22 -j DROP
Blocks ping (ICMP) on the ETH1 interface only: the unit does not respond to ping on ETH1
iptables -t filter -A INPUT -i eth1 -p icmp -j DROP
Checking the NAT table
The table must be specified with -t when listing, for example nat or mangle; without -t, iptables lists the filter table.
iptables -t nat -L -n -v