Making NAT work with the default Red Hat iptables ruleset

Just a mental note.


October 26, 2012

Posted In: Firewall, IPTables, Linux, NAT

RHCE Series: Use iptables to implement packet filtering and configure network address translation (NAT): Part 2

In this second part, we’ll discuss how to set up NAT in Linux using iptables. As in the previous post, here are the stats of my VMs:

  • server1:
    • eth0: DHCP, has access to the Internet
    • eth1: static address of 192.168.101.1/24, internal network.
    • Server1 acts as the firewall / NAT router
  • client1:
    • eth0: static address of 192.168.101.101
    • Client1 acts as a computer on an internal network.
  • client2:
    • eth0: static address of 192.168.101.102
    • Client2 acts as a computer on an internal network.

The first thing that we’ll need to do is allow the computer to forward traffic between interfaces.

Editing /etc/sysctl.conf makes the setting persistent across reboots.

Since we made changes to iptables in the previous post, I’ll again give myself a clean slate to work with.

I’ll verify that my client computers can ping the gateway and each other, but cannot get to the Internet.

 

Now, I’ll implement the NAT.

 

Now my client PCs can get out to the Internet:

 

This only works with the single line:

iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

because the default policy of the INPUT and FORWARD chains is to ACCEPT the traffic:

 

Otherwise, you would need a couple of extra rules to allow the traffic.

Those rules would be:
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
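
To check which of the two situations above a router is in, the following added example (not code from the original post) classifies `iptables-save` output: NAT that works only because the FORWARD policy is ACCEPT, versus NAT backed by the explicit allow rules. The function name `audit_nat` and the sample dumps are constructed for illustration; the check also treats an unconditional REJECT or DROP rule in FORWARD as closing the chain, which goes beyond the case shown in the text.

```shell
#!/bin/sh
# Added example: classify `iptables-save` output for the NAT setup above.
# audit_nat [WAN] [LAN] reads the dump on stdin and prints one of:
#   no-nat         no MASQUERADE rule on the outside interface
#   policy-accept  forwarding works only because the FORWARD policy is ACCEPT
#   explicit       FORWARD is closed by default and both allow rules are reachable
#   blocked        FORWARD is closed by default and an allow rule is missing
audit_nat() {
    awk -v wan="${1:-eth0}" -v lan="${2:-eth1}" '
        function has_opt(flag, val,    i) {
            for (i = 1; i < NF; i++) if ($i == flag && $(i + 1) == val) return 1
            return 0
        }
        /^\*/ { table = substr($0, 2) }                 # "*nat" / "*filter"
        table == "nat" && /^-A POSTROUTING / && /-j MASQUERADE/ && has_opt("-o", wan) { masq = 1 }
        table == "filter" && /^:FORWARD / { policy = $2 }
        # An unconditional REJECT/DROP closes the chain; rules after it never match.
        table == "filter" && /^-A FORWARD -j (REJECT|DROP)/ { closed = 1 }
        table == "filter" && !closed && /^-A FORWARD / && /-j ACCEPT/ {
            if (/ESTABLISHED/ && /RELATED/) est = 1
            if (has_opt("-i", lan) && has_opt("-o", wan)) out = 1
        }
        END {
            if (!masq) print "no-nat"
            else if (policy == "ACCEPT" && !closed) print "policy-accept"
            else if (est && out) print "explicit"
            else print "blocked"
        }'
}

# Constructed sample dumps (not captured from a real host).
SAMPLE_OPEN='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

SAMPLE_STRICT='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_OPEN"   | audit_nat eth0 eth1
printf '%s\n' "$SAMPLE_STRICT" | audit_nat eth0 eth1
```

On a live router, run it as root with `iptables-save | audit_nat eth0 eth1`; a `blocked` result with the allow rules present usually means they were appended after a catch-all REJECT.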


October 16, 2012

Posted In: IPTables, Linux, RHCE Study Notes