Old 04-19-2016, 12:36 AM   #1
LQ Newbie
Registered: Apr 2016
Posts: 2

Rep: Reputation: Disabled
Iptables -t nat :MASQUERADE & DNAT Q

If I do :

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Masquerade will change the src address to the eth1 address. For reverse traffic, does it take care of NATting, i.e. does it change the destination address to that of the internal IP address? If so, how does it remember the internal address? If not, I guess I have to use DNAT, e.g.:

iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination

But when I use it, I get an error :
iptables: No chain/target/match by that name.

I am on 3.10.90-rt97+ on mips64.

Are there any kernel config flags that will enable DNAT & SNAT modules to be built in kernel? What are the module names (.ko) that I need to install?
Old 04-19-2016, 03:32 AM   #2
Registered: Apr 2010
Location: Kinshasa, Democratic Republic of Congo
Distribution: RHEL, Fedora, CentOS
Posts: 525

Rep: Reputation: 95

Your first assumptions are correct.
That is exactly what MASQUERADE does.
The kernel keeps track of the original internal socket, mapping it to its outgoing socket, so it can route the incoming responses back.

Why did you bother trying DNAT? Has MASQUERADE failed?
If so, share the behaviour with MASQUERADE.
DNAT serves similar but different and more targeted purposes.
Old 04-19-2016, 10:22 AM   #3
Senior Member
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
Is this a single box that is connected directly to the internet or are you routing traffic through it? If routing through it how many other devices are using it? Just trying to figure out why you are using MASQ or DNAT at all here.
Old 04-19-2016, 11:32 AM   #4
LQ Newbie
Registered: Apr 2016
Posts: 2

Original Poster
Rep: Reputation: Disabled
Thanks - it seems MASQUERADE is doing reverse NAT too.

Regarding what I'm trying to do, I have an lxc container in a separate network namespace that has a private IP. It needs to reach a public IP via the host's ethernet eth1 in a mgmt bridge. I set up a veth pair from container to host, assigned the two ends to their respective namespaces and added default gateways from the container to the veth endpoint and from the host to the actual default gateway behind eth1. On the host, I added an iptables rule to MASQUERADE with the output port being eth1. With this, I can ping from the container (private IP) to an external public IP, where iptables/MASQUERADE is NATting the src address for the echo request. I had doubts about the echo reply being reverse NATted, but I just tested and iptables seems to be reverse NATting the destination address to the original (container's) IP address. So I think I am good and do not need DNAT.

But still, I'd like to know how to enable DNAT/SNAT, i.e. which kernel modules/config flags to turn on. For example, to turn on iptables, nat and MASQUERADE, I had to turn on:




and install:

insmod nf_nat_ipv4.ko
insmod iptable_nat.ko
insmod ipt_MASQUERADE.ko

Looking for similar .ko and flags for DNAT and SNAT.
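
Added illustration, not part of any post in this thread: the mapping that reply #2 describes is held in the kernel's connection-tracking table, where each entry, as printed by `conntrack -L`, carries the original tuple followed by the reply tuple the kernel expects. The script below flags entries where the two differ; the addresses and the helper names `nat_flows` and `sample_conntrack` are constructed for this example.

```shell
#!/bin/sh
# Added example: list translated flows from `conntrack -L`-style input.
# Each entry holds two tuples: the original direction first, then the
# reply the kernel expects. NAT shows up as a mismatch between them.

nat_flows() {
    awk '
    {
        n = 0
        # /proc/net/nf_conntrack prefixes lines with "ipv4 2"; conntrack -L does not.
        proto = ($1 ~ /^ipv[46]$/) ? $3 : $1
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { n++; src[n] = substr($i, 5) }
            else if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
        }
        if (n < 2) next    # not a complete entry
        # Source rewritten (SNAT/MASQUERADE): replies arrive at a different
        # address than the one the flow started from.
        if (dst[2] != src[1])
            printf "%s SNAT %s -> %s seen-as %s\n", proto, src[1], dst[1], dst[2]
        # Destination rewritten (DNAT): replies leave from a different
        # address than the one the initiator targeted.
        if (src[2] != dst[1])
            printf "%s DNAT %s -> %s sent-to %s\n", proto, src[1], dst[1], src[2]
    }'
}

# Constructed sample entries (documentation addresses): container 10.0.3.2,
# host eth1 192.0.2.10, remote peers 198.51.100.7 and 203.0.113.5.
sample_conntrack() {
    cat <<'EOF'
icmp     1 29 src=10.0.3.2 dst=198.51.100.7 type=8 code=0 id=1234 src=198.51.100.7 dst=192.0.2.10 type=0 code=0 id=1234 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.3.2 dst=198.51.100.7 sport=40000 dport=443 src=198.51.100.7 dst=192.0.2.10 sport=443 dport=40000 [ASSURED] mark=0 use=1
tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=40100 dport=22 src=198.51.100.7 dst=192.0.2.10 sport=22 dport=40100 [ASSURED] mark=0 use=1
tcp      6 431980 ESTABLISHED src=203.0.113.5 dst=192.0.2.10 sport=51000 dport=8080 src=10.0.3.2 dst=203.0.113.5 sport=80 dport=51000 [ASSURED] mark=0 use=1
EOF
}

sample_conntrack | nat_flows
```

On a live host the same function can be fed with `conntrack -L | nat_flows`; the ICMP line corresponds to the container ping test from post #4, and the last sample line shows what an inbound-initiated flow looks like once a DNAT rule is in place.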

