So far, we have discussed general NAT principles, the NAT types, and what each of them does.
netfilter/iptables can perform NAT in any of the ways we discussed. There is a lot you can do with iptables in this area, and this article tries to cover as much of it as possible. Before we get there, let's see what is needed to perform NAT successfully on Linux.
Setting Up the Kernel
Usually, every Linux distribution comes with a kernel compiled with netfilter support, iptables tool, and all the modules needed for performing Network Address Translation.
A very good HowTo on compiling Linux 2.4 and 2.6 kernels is written by Kwan Lowe and can be found at http://www.digitalhermit.com/linux/Kernel-Build-HOWTO.html
When compiling a new kernel, or recompiling the one you have, you must set CONFIG_NETFILTER=y in order to use iptables. In 2.6 kernels this option is usually found under Device Drivers | Networking support | Networking support (NET [=y]) | Networking options, but the exact location depends on the kernel version.
For example, in kernel 2.6.14, this option is found under Networking | Networking Options.
If you use make menuconfig or make xconfig to configure your kernel for recompiling, select Networking | Networking options | Network packet filtering (replaces ipchains) | IP: Netfilter Configuration.
In the IP: Netfilter Configuration section you will find the options needed for NAT as follows:
IP_NF_CONNTRACK, or Connection tracking (required for masq/NAT), keeps a record of every connection that passes through the machine, so that when a reply comes back for a translated connection the kernel knows which internal endpoint it belongs to and can reverse the translation. This is vital for NAT: if you say No here, you will not be able to perform NAT.
The netfilter nat Table
The nat table contains three chains: PREROUTING, POSTROUTING, and OUTPUT. Each chain may contain rules that are examined sequentially until one of them matches a packet, just like the chains of the filter table. Unlike the filter table, the nat table is consulted only for the first packet of each connection; the mapping chosen then is recorded by connection tracking and applied to every later packet of that connection, in both directions. These chains can be viewed by issuing the command iptables -t nat -L.
iptables loads the modules iptable_nat and ip_conntrack automatically when any command is issued with iptables -t nat, so there is no need to use insmod or modprobe for NAT to work.
The OUTPUT chain only sees packets generated by the router itself, so it can DNAT local traffic but plays no part in translating traffic from the network. We will not need it in this article.
The PREROUTING and POSTROUTING chains have meaningful names. The PREROUTING chain is traversed by the kernel before any routing decision is made. Therefore, what we do in the PREROUTING chain is change the destination IP address, and then leave it to the routing process to find the destination we just changed (DNAT).
The POSTROUTING chain contains rules that the kernel examines after a routing decision is made. This means that we already have a path to the destination, so we can change the source IP address if that path leads outside our network (SNAT).
SNAT with iptables
SNAT is the most commonly used type of NAT with iptables, because the typical topology is a private network that has to share one, or a few, public IP addresses.
Let's see, for example, the following scenario:
Network 192.168.1.0/24 is in our office. We have an Ethernet connection from our provider, which assigned us the IP address 1.2.3.1/30 and the default gateway 1.2.3.2.
All the computers in the 192.168.1.0/24 network have the default gateway set to 192.168.1.1.
Our Linux router has two Ethernet interfaces:
- eth0, with the IP address 192.168.1.1 and netmask 255.255.255.0, is connected to a switch that connects the other devices in the 192.168.1.0/24 network.
- eth1, with the IP address 1.2.3.1 and netmask 255.255.255.252, is connected to the provider's CPE (Customer Premises Equipment), which can be a DSL modem, cable modem, media converter, etc.
We can set up SNAT so that all devices in the 192.168.1.0/24 network access the Internet with only one rule (IP forwarding must be enabled, with net.ipv4.ip_forward=1, or the router will not forward packets at all):
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 1.2.3.1
This command has the same effect as the following one, which we would use if the IP address of eth1 were dynamically assigned, or if we used a dial-up modem instead of an Ethernet card. MASQUERADE looks up the address of the outgoing interface for every new connection and forgets its mappings when the interface goes down, so it costs a little more than SNAT and is only worth using when the address really can change:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
Let's say our provider filters out all source ports higher than 1024. In this case we need to change the source port as well, not only the source IP address. A port range in --to-source is only accepted when the rule names a protocol that has ports, so we need one rule for TCP and one for UDP:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -p tcp -j SNAT --to-source 1.2.3.1:1-1024
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -p udp -j SNAT --to-source 1.2.3.1:1-1024
Other protocols (ICMP, for example) still need the plain rule above. Note that this leaves at most 1024 simultaneous connections to any one destination address and port, which a busy office can exhaust.
The laptop user seen in the previous figure is an IRC fan, and he calls us saying he can't get IRC to work properly. Plain chat passes through NAT, but DCC transfers and chats open a second connection whose address and port are announced inside the IRC session, and the address announced is the private one. This means the ip_conntrack module needs a little help, which we give it by loading the ip_conntrack_irc helper; because we translate addresses as well, the matching ip_nat_irc module is needed too. We probably also want users to make successful FTP connections, so we add the ip_conntrack_ftp and ip_nat_ftp modules as well. (In kernels from 2.6.20 on, these modules are named nf_conntrack_irc, nf_nat_irc, nf_conntrack_ftp and nf_nat_ftp. From kernel 4.7 on, helpers are no longer attached to connections automatically, because that was a known attack surface; they must be assigned explicitly with a -j CT --helper rule in the raw table.)
modprobe ip_conntrack_irc   # or insmod ip_conntrack_irc
modprobe ip_nat_irc
modprobe ip_conntrack_ftp   # or insmod ip_conntrack_ftp
modprobe ip_nat_ftp
After a few weeks, the laptop user has convinced other users in the 192.168.1.0/24 network of how wonderful IRC is, so we have about 20-30 users connecting to the same IRC network. Now they start complaining about how hard it is to get connected, because the IRC network allows only a few connections from the same IP address. We figure that 32 IP addresses are enough for them, so we ask the provider for a /27 of public IP addresses, routed to our router's address 1.2.3.1. For a few dollars extra, they assign us 1.2.4.0/27, which is 1.2.4.0 through 1.2.4.31. We change the initial rule to:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 1.2.4.0-1.2.4.31
The kernel picks an address from the range by hashing the connection's source and destination addresses, so a given internal host always gets the same public address towards a given server, while different hosts are spread over the range (newer kernels also accept --persistent, which makes the choice depend on the source address only).
They stop complaining, but we realize that we no longer use the public IP address of our Linux router for NAT. We would like to add that too, giving them one extra address:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 1.2.4.0-1.2.4.31 --to-source 1.2.3.1
This form, with several --to-source options in one rule, is accepted only by kernels up to 2.6.10. Later kernels take one address range per SNAT rule, so a second, non-contiguous address needs a second rule that matches a different part of the source network (or a different outgoing interface).
One of our users gets into an argument on IRC and gets flooded while SNAT maps his IP address to 1.2.4.15. Our provider's flood-detection system automatically filters that IP address and sends us an email informing us about it. We need SNAT to stop mapping any internal addresses to that IP address, so, after removing the previous rule (with -D), we add:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 1.2.4.0-1.2.4.14 --to-source 1.2.4.16-1.2.4.31 --to-source 1.2.3.1
Connections already mapped to 1.2.4.15 keep that mapping until they end or are removed from the connection-tracking table; only new connections use the new ranges. The same kernel caveat applies: with a kernel newer than 2.6.10, each of those ranges has to go in its own rule.
One guy from accounting with the IP address 192.168.1.19 complains that he can't access any computers with IP addresses of 192.168.1.32 and above. It is possible that he has changed his netmask to 255.255.255.224 (a /27), so all IP packets from his computer to computers in 192.168.1.0/24 that are not in 192.168.1.0/27 are sent to the default gateway, pass through the Linux router, and get SNATed. To solve this problem, we have two alternatives.
The first is not to SNAT 192.168.1.0/24 when the destination is another computer in 192.168.1.0/24:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j SNAT --to-source 1.2.4.0-1.2.4.31 --to-source 1.2.3.1
The second choice is to SNAT only the packets that go out on eth1:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to-source 1.2.4.0-1.2.4.31 --to-source 1.2.3.1
The second form is the better one: it says exactly where translation is wanted, and it keeps working when more internal networks or interfaces are added. The wrong netmask on the accounting PC still needs fixing, because its packets take a detour through the router even when they are not translated.
Our provider connected another location of our company to the same equipment, and since we are in the same VLAN, we don't have to build a tunnel between the routers at each location; we just route the networks through the Linux router at that location. On the other site we have the network 192.168.2.0/24. We need to let computers in our network access computers in the 192.168.2.0/24 network without SNATing them:
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
This command inserts the rule at the top of the chain, before the SNAT rule; so if any packet from 192.168.1.0/24 is destined for an IP in the 192.168.2.0/24 network, this rule matches, the chain is not examined further, and SNAT does not take place. Not translating is not the same as trusting: the traffic crosses the provider's VLAN in clear text, and the other site sees our private addresses unchanged, so the filter table must still decide what the two sites may do to each other.
Jane, our secretary, is famous for her good coffee, but since she caught the IRC fever she is not doing anything anymore. The manager is angry about this but doesn't want to fire Jane, because she is addicted to her famous coffee, so she asks us to do something about it. There are many things we can do. For instance, we could drop packets from Jane (192.168.1.31) to ports 6666 to 6669 in the POSTROUTING chain:
iptables -t nat -I POSTROUTING -s 192.168.1.31 -p tcp --dport 6666:6669 -j DROP
We might also ask the manager what Jane is allowed to do. If the manager wants to allow Jane only web access, we can do the following:
iptables -t nat -I POSTROUTING -s 192.168.1.31 -p tcp ! --dport 80 -j DROP
This rule drops Jane's TCP packets to anything other than port 80, so they are never SNATed, but it leaves UDP alone because UDP packets do not match it; so she can still reach DNS servers outside our network, which she needs for the web to work at all. Keep in mind that the nat table is the wrong place for access control: it sees only the first packet of a connection, and a DROP hidden there is easy to overlook when the filter table is audited later. The same restrictions belong in the FORWARD chain of the filter table, where they are evaluated for every packet and where the rest of the policy lives.
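The whole SNAT set-up above, collected into one script as an added example (it is not code from the original article). It fills in what the text leaves implicit: IP forwarding has to be switched on, the FORWARD chain of the filter table decides what may cross the router at all (SNAT alone is not a firewall), Jane's restriction lives there rather than in the nat table, the no-NAT exception for 192.168.2.0/24 goes in before any SNAT rule, and the public pool with the filtered address 1.2.4.15 taken out is expressed as one SNAT rule per contiguous run of addresses, each serving a slice of the internal network through the iprange match, because kernels newer than 2.6.10 accept a single --to-source range per rule and only the first matching rule of the chain is ever used. The networks, interfaces and addresses are the article's; the DNS allowance for Jane, the even split of the internal hosts over the pool ranges, and the trust in the other site are assumptions. By default it only prints the commands; run it as root with IPT=iptables SYSCTL=sysctl to apply them.

```sh
#!/bin/sh
# Added example, not code from the original article: the complete SNAT set-up for
# the office network above. Assumptions are marked as such in the comments.
# Preview mode by default (the commands are printed, not run); as root, apply with
#   IPT=iptables SYSCTL=sysctl sh snat-office.sh
set -e
IPT=${IPT:-"echo iptables"}
SYSCTL=${SYSCTL:-"echo sysctl"}

LAN_IF=eth0; WAN_IF=eth1
LAN_NET=192.168.1.0/24
LAN_FIRST=192.168.1.1; LAN_LAST=192.168.1.254
OTHER_SITE=192.168.2.0/24        # reached over the provider's VLAN: routed, not translated
POOL=1.2.4.0-1.2.4.31            # the /27 the provider routes to 1.2.3.1
EXCLUDE="1.2.4.15"               # pool addresses the provider has filtered
JANE=192.168.1.31

ip2int() { set -- $(printf '%s' "$1" | tr . ' '); echo $(( ($1<<24) | ($2<<16) | ($3<<8) | $4 )); }
int2ip() { echo "$(( ($1>>24)&255 )).$(( ($1>>16)&255 )).$(( ($1>>8)&255 )).$(( $1&255 ))"; }

# usable_ranges "first-last" "excluded ..." prints one "lo hi" line (as integers)
# for each contiguous run of pool addresses that are not excluded.
usable_ranges() {
  lo=$(ip2int "${1%-*}"); hi=$(ip2int "${1#*-}")
  start=$lo; i=$lo
  while [ "$i" -le "$hi" ]; do
    skip=0
    for x in $2; do
      if [ "$(ip2int "$x")" -eq "$i" ]; then skip=1; fi
    done
    if [ "$skip" -eq 1 ]; then
      if [ "$start" -le $((i-1)) ]; then echo "$start $((i-1))"; fi
      start=$((i+1))
    fi
    i=$((i+1))
  done
  if [ "$start" -le "$hi" ]; then echo "$start $hi"; fi
}

# snat_rules emits one SNAT rule per usable run. Kernels newer than 2.6.10 take a
# single --to-source range per rule, and only the first matching rule is used, so
# each rule is given its own slice of the internal hosts (iprange match). The
# equal split is an assumption; any disjoint slices would do.
snat_rules() {
  ranges=$(usable_ranges "$POOL" "$EXCLUDE")
  n=$(printf '%s\n' "$ranges" | grep -c .)
  s_lo=$(ip2int "$LAN_FIRST"); s_hi=$(ip2int "$LAN_LAST")
  span=$(( (s_hi - s_lo + n) / n ))         # ceiling of hosts/n
  k=0
  printf '%s\n' "$ranges" | while read -r lo hi; do
    a=$(( s_lo + k*span )); b=$(( a + span - 1 ))
    if [ "$b" -gt "$s_hi" ]; then b=$s_hi; fi
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" \
      -m iprange --src-range "$(int2ip "$a")-$(int2ip "$b")" \
      -j SNAT --to-source "$(int2ip "$lo")-$(int2ip "$hi")"
    k=$((k+1))
  done
}

base_rules() {
  $SYSCTL -w net.ipv4.ip_forward=1
  # SNAT is not a firewall: the filter table decides what may cross the router.
  $IPT -P FORWARD DROP
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Jane: web only. DNS is allowed too (assumption), or nothing would resolve.
  # The DROP lives here, in the filter table, not in the nat table.
  $IPT -A FORWARD -s "$JANE" -p tcp --dport 80 -j ACCEPT
  $IPT -A FORWARD -s "$JANE" -p udp --dport 53 -j ACCEPT
  $IPT -A FORWARD -s "$JANE" -j DROP
  $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
  $IPT -A FORWARD -s "$OTHER_SITE" -d "$LAN_NET" -j ACCEPT   # assumption: the other site is trusted
  # Traffic to the other site is routed as it is; this must precede every SNAT rule.
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$OTHER_SITE" -j ACCEPT
}

base_rules
snat_rules
```

With the article's pool and the filtered address, the script produces two SNAT rules, one mapping 192.168.1.1-192.168.1.127 to 1.2.4.0-1.2.4.14 and one mapping 192.168.1.128-192.168.1.254 to 1.2.4.16-1.2.4.31; adding an address to EXCLUDE splits the pool further without touching anything else. After applying, iptables -t nat -L POSTROUTING -n -v shows per-slice counters, and conntrack -L (from conntrack-tools) shows which public address each internal host was actually given.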
DNAT with iptables
We will continue with the previous scenario for DNAT as well. One day, the manager calls us saying she needs to access her computer from home. Of course she can't do that, because of her private IP address 192.168.1.50. We decide to allocate one of our public IP addresses to her office computer, but if we created an alias on eth0 for it, we would not only waste public addresses but also take her computer out of the network the others are in. The better solution is to map a public IP address (let's say 1.2.4.1) to her office computer's private IP address (192.168.1.50). This is, of course, DNAT:
iptables -t nat -A PREROUTING -d 1.2.4.1 -j DNAT --to-destination 192.168.1.50
The translated packets still have to be allowed through the FORWARD chain of the filter table; a DNAT rule by itself grants nothing. Note that this rule maps every protocol and every port of 1.2.4.1 to her computer, so every service that machine runs is now reachable from the Internet; if all she needs is one remote-access service, map only that port.
So the next thing to do is to call her and tell her that whenever she wants to connect to her office computer from home, she must connect to 1.2.4.1.
Our intranet server has the IP address 192.168.1.100. One guy from the financial department has a broadband connection and asks us whether he can access the intranet server from home. He gives us his public IP address, 1.2.5.17. We tell him that from home he should type the IP address 1.2.4.2 into his web browser, and we execute:
iptables -t nat -A PREROUTING -s 1.2.5.17 -d 1.2.4.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100
Restricting the rule to his source address is the right instinct, but a home broadband address is usually dynamic; when it changes, the rule silently stops matching.
We think we might want to SSH to the intranet server from anywhere. It would not be wise to map a whole IP address to the intranet server, as it is vital for our company, and if an SSH bug is discovered we don't want that server to be hacked. We can map a high-numbered port to the SSH port on the intranet server instead (this is PAT, or NAPT):
iptables -t nat -A PREROUTING -d 1.2.4.2 -p tcp --dport 65521 -j DNAT --to-destination 192.168.1.100:22
This way, when we are not at the office and we want to SSH into the intranet server, we open an SSH connection to 1.2.4.2 port 65521. The odd port only reduces the noise from automated scans: a port scan still finds the service, and an SSH vulnerability is just as exploitable on port 65521 as on port 22. The real protection is keeping the server patched, using key-based authentication, and, where possible, limiting the rule to known source addresses as we did for the intranet web access.
After a while, suppose we installed a web server with the IP address 192.168.1.200. The web server is www.mycompany.whatever and points in DNS to 1.2.4.5. To make it accessible to the outside world, we do the following:
iptables -t nat -A PREROUTING -d 1.2.4.5 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.200
Users inside the office resolve the same name to 1.2.4.5, and for them this rule is not enough: the router translates their request and forwards it to the server, but the server, being on the same subnet as the client, answers the client directly with source 192.168.1.200, which is not the address the client connected to, so the connection is reset. Either serve them the private address from an internal DNS view, or add a SNAT rule for that path so the reply returns through the router.
Transparent Proxy
A transparent proxy is a way to force users through a proxy server even if their browsers are configured not to use one. You probably know the benefits of a proxy server: bandwidth saving for cached pages, and a place to implement access control (for example, denying downloads of files with dangerous extensions).
We can apply the transparent proxy to all or only some users, to keep them from bypassing the proxy whenever they want. This is especially useful on children's computers, for example to deny access to sexually explicit sites.
On our Linux router we installed a Squid proxy server to cache some content from the Web. We also want to deny users access to sex sites and malicious downloads. The users are not pleased about using our proxy server and usually remove it from their browser configuration. We can force them to use it anyway. If the proxy listens on port 3128 (in Squid's intercept mode, called transparent in versions before 3.1, so that it accepts requests that were not addressed to it), we do the following:
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
Only plain HTTP on port 80 can be intercepted this way; HTTPS on port 443 cannot be proxied transparently without a TLS-intercepting certificate authority installed on every client, so it is left alone here.
If we want to allow the manager (who has the IP address 192.168.1.50) to bypass the proxy server, we insert a rule ahead of the REDIRECT:
iptables -t nat -I PREROUTING -s 192.168.1.50 -p tcp --dport 80 -j ACCEPT
ACCEPT in the nat PREROUTING chain only ends the traversal of that chain, so her packets are not redirected; they are routed normally, and are still SNATed in the POSTROUTING chain on their way out. Also make sure that port 3128 is not reachable from eth1, otherwise the proxy becomes an open relay for the whole Internet.
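The DNAT and transparent-proxy rules above, collected into one script as an added example (not code from the original article). Each published service gets three things the text does not spell out: the FORWARD rule that actually admits the translated connection, a second DNAT for hosts on the LAN that use the public address (they resolve www.mycompany.whatever to 1.2.4.5 like everyone else), and a SNAT to the router's LAN address on that hairpin path, so the server's reply goes back through the router instead of directly to the client, which would reset the connection. The proxy redirect is limited to eth0 and port 80, with the manager exempted, and the proxy port is closed towards eth1. Addresses and ports are the article's; the router's LAN address as the hairpin source, the assumption that LAN-originated traffic is already accepted in FORWARD, and the manager's whole-address mapping kept as the article has it are mine. Preview mode by default; run as root with IPT=iptables to apply.

```sh
#!/bin/sh
# Added example, not code from the original article: the published services and the
# transparent proxy of the scenario above, with the rules the text leaves out.
# Preview mode by default; as root, apply with IPT=iptables sh publish.sh
set -e
IPT=${IPT:-"echo iptables"}
LAN_IF=eth0; WAN_IF=eth1
LAN_NET=192.168.1.0/24
ROUTER_LAN_IP=192.168.1.1          # hairpin source address (assumption)
PROXY_PORT=3128
PROXY_BYPASS="192.168.1.50"        # the manager

# publish PUBLIC_IP INTERNAL_IP [PUBLIC_PORT [INTERNAL_PORT [ALLOWED_SOURCE]]]
# With no port, the whole address is mapped (every protocol and port of the host
# becomes reachable, so prefer a port). Emits:
#   1. DNAT for packets arriving on the WAN side,
#   2. DNAT for LAN hosts that use the public address,
#   3. SNAT on that hairpin path so the server's reply returns through the router
#      (a direct reply from 192.168.1.x is not what the client connected to),
#   4. the FORWARD rule that admits the translated connection (LAN-originated
#      traffic is assumed to be accepted in FORWARD already).
publish() {
  pub=$1; host=$2; pport=${3:-any}; hport=${4:-$pport}; src=${5:-0.0.0.0/0}
  pm=""; hm=""; to=$host
  if [ "$pport" != any ]; then
    pm="-p tcp --dport $pport"; hm="-p tcp --dport $hport"; to="$host:$hport"
  fi
  # $pm and $hm are unquoted on purpose: they expand to several arguments or none
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -s "$src" -d "$pub" $pm -j DNAT --to-destination "$to"
  $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$pub" $pm -j DNAT --to-destination "$to"
  $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$host" $hm -j SNAT --to-source "$ROUTER_LAN_IP"
  $IPT -A FORWARD -i "$WAN_IF" -s "$src" -d "$host" $hm -m conntrack --ctstate NEW -j ACCEPT
}

# intercept_http sends LAN web traffic to the local Squid (listening in intercept
# mode on PROXY_PORT), except for the bypass list. Only plain HTTP on port 80 is
# redirected; HTTPS would need a TLS-intercepting CA on every client.
intercept_http() {
  for ip in $PROXY_BYPASS; do
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$ip" -p tcp --dport 80 -j ACCEPT
  done
  $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
    -j REDIRECT --to-ports "$PROXY_PORT"
  # The proxy must not be reachable from the Internet, or it becomes an open relay.
  $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$PROXY_PORT" -j DROP
}

publish 1.2.4.1 192.168.1.50                  # the manager's computer, whole address
publish 1.2.4.2 192.168.1.100 80 80 1.2.5.17  # intranet web, from his home address only
publish 1.2.4.2 192.168.1.100 65521 22        # SSH on a high port
publish 1.2.4.5 192.168.1.200 80              # the public web server
intercept_http
```

The bypass ACCEPT rules are appended before the REDIRECT inside intercept_http, so the order within the function is what makes them win; if rules are added later by hand, use -I for exemptions as the article does. The FORWARD rules match only NEW connections from the WAN side and rely on an ESTABLISHED,RELATED rule for the replies, as any stateful FORWARD policy has.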