Although I don’t consider IPTABLES to be terribly complex, I was asked over the weekend if IPTABLES could perform NAT services and put together this little how-to as a guide. IPTABLES, the userspace tool for the Linux kernel’s netfilter packet-filtering and NAT framework, can very simply be configured to let a series of machines with private (non-routable, RFC 1918) addresses reach the Internet through one public address. We’ll use xx.xx.xx.29/24 as our public IP and we’ll NAT 10.129.0.0/24 as the non-routable network.
Our router, which will hold the iptables rules, will be running Debian on a Pentium III-S 1.2GHz machine with 2 NICs. Designate a WAN and a LAN interface (I am using eth0 for my WAN and eth1 for my LAN) and assign your public IP xx.xx.xx.29 as the WAN IP address. I’m not going to go into how one assigns addresses to interfaces using Debian – feel free to look that one up on your own. Also assign an address from the non-routable subnet to the LAN interface – I’m going to use 10.129.0.1.
Before we configure iptables we should make sure that IP forwarding has been turned on – edit /etc/sysctl.conf and uncomment net.ipv4.ip_forward=1 so the setting survives a reboot. Then execute “echo 1 > /proc/sys/net/ipv4/ip_forward” (or “sysctl -p”) to enable IPv4 packet forwarding in the running kernel right away. Let’s move on to the iptables config.
# flush all previous rules for filters and NAT, then delete all user-defined chains
/sbin/iptables --flush
/sbin/iptables --table nat --flush
/sbin/iptables --delete-chain
/sbin/iptables --table nat --delete-chain

# enable NAT masquerading: rewrite the source address of everything leaving the WAN interface
/sbin/iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

# allow the router to forward packets arriving from the LAN interface
# (MASQUERADE is only valid in the nat table's POSTROUTING chain, so the filter-table FORWARD rule must use ACCEPT, not MASQUERADE)
/sbin/iptables --append FORWARD --in-interface eth1 -j ACCEPT
The rules take effect as soon as each iptables command runs – there is no daemon to restart – so at this point you should verify that your configuration is working with “iptables -t nat -L -v -n” and “iptables -L FORWARD -v -n” (the packet counters climb as traffic is translated and forwarded). Any client with a 10.129.0.x address, a 255.255.255.0 subnet mask and a gateway of 10.129.0.1 which is logically connected to eth1 should be able to ping public IPs.

Areas where you may experience oddities if you have simply followed this to the letter: I skipped over DNS name servers, so you may be unable to ping hostnames where you can ping IPs. If you look at a session from one of these NAT’d machines to a machine with a public IP from the far end, you will see that the traffic is coming from xx.xx.xx.29. This is because the NAT gateway is translating the unroutable 10.129.0.x source address into the routable WAN IP. Also be aware that you can run a DHCP server on this same NAT gateway so the LAN clients pick up their address, mask and gateway automatically.

One security caveat: the filter table’s default FORWARD policy is ACCEPT, so as written this box forwards anything the kernel can route, in either direction, including packets arriving on eth0. For anything beyond a lab, set the FORWARD policy to DROP and allow only connections originated from the LAN plus their established/related return traffic.
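As an added example (not the original post’s rules, and not anything shipped with Debian or iptables), here is the same gateway built the way I would deploy it: rendered as an iptables-restore ruleset so the whole thing loads atomically, with the FORWARD chain defaulting to DROP and only LAN-originated connections and their replies allowed through. It assumes the post’s layout (eth0 WAN, eth1 LAN, 10.129.0.0/24), all of which can be overridden by arguments; the LOG rule and the function names are my additions.

```shell
#!/bin/sh
# Added example: render and load a masquerading NAT gateway ruleset.
# Assumptions (overridable): WAN=eth0, LAN=eth1, LAN subnet=10.129.0.0/24.
# Run with no arguments to print the ruleset; "apply" loads it (needs root).

# Print an iptables-restore ruleset. FORWARD defaults to DROP, unlike the
# stock policy, so WAN-initiated or spoofed traffic is never forwarded.
render_ruleset() {
    wan="${1:-eth0}"
    lan="${2:-eth1}"
    lan_net="${3:-10.129.0.0/24}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# rewrite the source of LAN traffic leaving the WAN interface to the WAN IP
-A POSTROUTING -s ${lan_net} -o ${wan} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# forward only what the LAN initiates (with a genuine LAN source address) ...
-A FORWARD -i ${lan} -o ${wan} -s ${lan_net} -j ACCEPT
# ... and the replies to those connections, tracked by conntrack
-A FORWARD -i ${wan} -o ${lan} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# everything else crossing the box is logged, then hits the DROP policy
-A FORWARD -j LOG --log-prefix "FWD-DROP: " --log-level 4
COMMIT
EOF
}

# A well-formed ruleset has exactly one COMMIT per table (nat and filter).
count_tables() {
    render_ruleset "$@" | grep -c '^COMMIT$'
}

# Enable forwarding in the running kernel, load the ruleset atomically and
# show the counters so the result can be verified immediately.
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1
    render_ruleset "$@" | iptables-restore
    iptables -t nat -L POSTROUTING -v -n
    iptables -L FORWARD -v -n
}

if [ "${1:-}" = apply ]; then
    shift
    apply_ruleset "$@"
else
    render_ruleset "$@"
fi
```

Loading via iptables-restore replaces the whole ruleset in one step, so there is never a window where the old rules are flushed and the new ones are half-applied. The “-s” match on the LAN-to-WAN rule means a LAN host that forges a source address outside 10.129.0.0/24 is dropped rather than masqueraded. Note that net.ipv4.ip_forward and iptables only cover IPv4; if the box also carries IPv6, ip6tables needs its own forwarding policy.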
Now, this is playing fast and loose – there’s kind of a lot to IPTABLES when you start looking into chains and different types of firewalling – but this should help you flesh out your understanding of how a NAT gateway functions and give you some idea of how to apply it.