5.5. Destination NAT with netfilter (DNAT)

Destination NAT with netfilter is commonly used to publish a service from an internal RFC 1918 network to a publicly accessible IP. To enable DNAT, at least one iptables command is required. The connection tracking mechanism of netfilter will ensure that subsequent packets exchanged in either direction (which can be identified as part of the existing DNAT connection) are also transformed.

In a devilishly subtle difference, netfilter DNAT does not cause the kernel to answer ARP requests for the NAT IP, where iproute2 NAT automatically begins answering ARP requests for the NAT IP.

Example 5.5. Using DNAT for all protocols (and ports) on one IP

[root@real-server]# iptables -t nat -A PREROUTING -d -j DNAT --to-destination

In this example, all packets arriving on the router with a destination of will depart from the router with a destination of

Example 5.6. Using DNAT for a single port

[root@real-server]# iptables -t nat -A PREROUTING -p tcp -d --dport 80 -j DNAT --to-destination

Full network address translation, as performed with iproute2 can be simulated with both netfilter SNAT and DNAT, with the potential benefit (and attendent resource consumption) of connection tracking.

Example 5.7. Simulating full NAT with SNAT and DNAT

[root@real-server]# iptables -t nat -A PREROUTING -d -j DNAT --to-destination
[root@real-server]# iptables -t nat -A POSTROUTING -s -j SNAT --to-destination

5.5.1. Port Address Translation with DNAT