Old 08-26-2013, 08:05 AM   #1
rajeshchauhan
LQ Newbie
 
Registered: Aug 2013
Posts: 7

Rep: Reputation: Disabled
Static one to one nat problem.


I have been trying to create a static NAT rule (one to one), but the rule is not working.

First let me say that my purpose is to get a stable 1:1 NAT working.

I have 2 static IPs from my ISP and I wanted to assign one of the static IPs to an internal desktop from which we will access the application.

Our internet connection is in bridge mode; we have configured 1 static IP on our Linux router, and for the other we are trying to do NAT.

Our Linux gateway has 2 interfaces:

eth1: WAN (1.16.16.44)
eth2: LAN

The rules we are applying are given below:

*nat
-A PREROUTING -d 1.16.16.43 -i eth1 -j DNAT --to-destination 192.168.1.200
-A POSTROUTING -s 192.168.1.200 -o eth1 -j SNAT --to-source 1.16.16.43


-A FORWARD -s 1.16.16.43 -j ACCEPT
-A FORWARD -d 1.16.16.43 -j ACCEPT
-A FORWARD -s 192.168.1.200 -j ACCEPT
-A FORWARD -d 192.168.1.200 -j ACCEPT


1.16.16.43 is the static WAN IP
192.168.1.200 is the LAN IP

Is there something I'm missing here? I'm just trying to set up some kind of 1:1 NAT so that I can use my private-side address scheme for my internal network and still be able to have a complete set of ports for each of these gaming systems to utilize. I'm completely out of ideas here.


We have to set up NAT from public to private and redirect all the traffic sent to the external address to the internal one and vice versa.


Any comments or suggestions would be appreciated.
 
Old 08-26-2013, 09:34 AM   #2
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233
Besides the fact that in one place you have .44 as the WAN IP and inside your iptables rules you have .43, I can't see any errors. Are those the only rules in place? If not, please give the complete list of rules with iptables-save.

To debug iptables rules I use a lot of -j LOG --log-ip-options --log-prefix "Nat-POST-o-eth1" kind of rules. This allows me to tail /var/log/syslog and see what's up and where the packets go through. Also tcpdump makes a nice tool for debugging. Also the connection tracking part of /proc or the binaries might come in handy.
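As an added illustration of the LOG-and-tail approach above (example code, not from the thread), this parses kernel LOG lines and pairs each flow's PREROUTING-side and POSTROUTING-side entry to show what the nat table rewrote. It assumes the prefixes start with "Nat-PRE" for rules placed in nat PREROUTING and "Nat-POST" for nat POSTROUTING; the syslog lines are constructed, with the thread's addresses and a made-up peer 203.0.113.10.

```python
import re

# Constructed sample syslog lines in the kernel LOG target's format, using the
# --log-prefix style from the reply above. Addresses are the thread's; the peer
# 203.0.113.10, ports and timestamps are made up.
SAMPLE_SYSLOG = """\
Aug 28 03:10:01 gw kernel: [ 8123.40] Nat-PRE-i-eth1 IN=eth1 OUT= SRC=203.0.113.10 DST=1.16.16.43 LEN=60 TTL=54 ID=1 DF PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
Aug 28 03:10:01 gw kernel: [ 8123.40] Nat-POST-o-eth2 IN=eth1 OUT=eth2 SRC=203.0.113.10 DST=192.168.1.200 LEN=60 TTL=53 ID=1 DF PROTO=TCP SPT=40000 DPT=80 SYN URGP=0
Aug 28 03:10:05 gw kernel: [ 8127.91] Nat-POST-o-eth1 IN=eth2 OUT=eth1 SRC=192.168.1.200 DST=203.0.113.10 LEN=60 TTL=63 ID=2 DF PROTO=TCP SPT=51234 DPT=443 SYN URGP=0
"""

# "kernel: " optionally followed by the printk timestamp, then our prefix, then the fields.
LINE_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>Nat-\S+) (?P<rest>.*)$")

def parse_log_lines(text):
    """One dict per LOG line: the prefix plus every KEY=VALUE field (bare flags such as SYN/DF are skipped)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fields = dict(tok.split("=", 1) for tok in m.group("rest").split() if "=" in tok)
        fields["PREFIX"] = m.group("prefix")
        entries.append(fields)
    return entries

def flow_key(e):
    # Ports survive DNAT/SNAT here, so (proto, sport, dport) identifies a flow across chains.
    return (e.get("PROTO"), e.get("SPT"), e.get("DPT"))

def nat_rewrites(entries):
    """Pair each flow's "Nat-PRE-*" (before DNAT) and "Nat-POST-*" (after DNAT) log and report
    how (SRC, DST) changed in between; the DNAT 1.16.16.43 -> 192.168.1.200 shows up here."""
    before, after, changes = {}, {}, {}
    for e in entries:
        (before if e["PREFIX"].startswith("Nat-PRE") else after)[flow_key(e)] = (e["SRC"], e["DST"])
    for k, v in before.items():
        if k in after and after[k] != v:
            changes[k] = (v, after[k])
    return changes
```

A LOG rule in the nat table fires only for the first packet of each connection, so expect one line per flow, not per packet.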
 
Old 08-26-2013, 11:36 PM   #3
rajeshchauhan
LQ Newbie
 
Registered: Aug 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
iptables rules

Please find the iptables rules as asked for.

# Generated by iptables-save v1.4.9 on Mon Aug 19 10:28:06 2013
*mangle
:PREROUTING ACCEPT [1142:229312]
:INPUT ACCEPT [364:39004]
:FORWARD ACCEPT [769:189480]
:OUTPUT ACCEPT [334:40932]
:POSTROUTING ACCEPT [1103:230412]
COMMIT
# Completed on Mon Aug 19 10:28:06 2013
# Generated by iptables-save v1.4.9 on Mon Aug 19 10:28:06 2013
*nat
:PREROUTING ACCEPT [1:48]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 1.16.16.43 -i eth1 -j DNAT --to-destination 192.168.1.200
-A POSTROUTING -s 192.168.1.200 -o eth1 -j SNAT --to-source 1.16.16.43
-A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 192.168.1.0/24 -j ACCEPT
-A POSTROUTING -d 192.168.1.0/24 -j ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j SNAT --to-source 1.16.16.44
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth2 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -d 192.168.1.0/24 -j ACCEPT
COMMIT
# Completed on Mon Aug 19 10:28:06 2013
# Generated by iptables-save v1.4.9 on Mon Aug 19 10:28:06 2013
*filter
:INPUT ACCEPT [131:9532]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [96:10868]
-A INPUT -p ah -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 3389 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 50:58 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 50:58 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -s 122.180.106.168/30 -i eth1 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth1 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT

-A FORWARD -s 1.16.16.43 -j ACCEPT
-A FORWARD -d 1.16.16.43 -j ACCEPT
-A FORWARD -s 192.168.1.200 -j ACCEPT
-A FORWARD -d 192.168.1.200 -j ACCEPT

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
COMMIT
# Completed on Mon Aug 19 10:28:06 2013
 
Old 08-27-2013, 01:59 AM   #5
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233
Code:
*nat
 :PREROUTING ACCEPT [1:48]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
1 -A PREROUTING -d 1.16.16.43 -i eth1 -j DNAT --to-destination 192.168.1.200
2 -A POSTROUTING -s 192.168.1.200 -o eth1 -j SNAT --to-source 1.16.16.43
3 -A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
4 -A PREROUTING -s 192.168.1.0/24 -j ACCEPT
5 -A POSTROUTING -d 192.168.1.0/24 -j ACCEPT
6 -A POSTROUTING -o eth1 -j MASQUERADE
7 -A POSTROUTING -o eth0 -j MASQUERADE
8 -A POSTROUTING -o eth1 -j SNAT --to-source 1.16.16.44
9 -A POSTROUTING -j MASQUERADE
10 -A POSTROUTING -s 192.168.1.0/24 -o eth2 -j MASQUERADE
11 -A POSTROUTING -o ppp0 -j MASQUERADE
12 -A POSTROUTING -d 192.168.1.0/24 -j ACCEPT
 COMMIT
Okay, the first two rules get your 1:1 NAT up. Rules 3 and 4 have your internal network accepted. That means rules 6 & 7 don't work for the internal network, because ACCEPT is an ending target, so rule traversal stops there. I did not find any DNAT counterpart for rule 8. Rule 10 will have no effect due to rule 4 accepting the packets. Rule 12 is a duplicate of rule 5.

Also some rules don't make sense to me. I do not see anything that would stop 1:1 NAT here. What is the actual error or problem you have?
To debug this further, set up some -j LOG rules.

Have you activated forwarding on this machine? sysctl net.ipv4.ip_forward=1
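The first-match walk described in the reply above, as an added example that is not part of the thread: a small evaluator for the nat table numbered above (rule N here is rule N there) that reports which POSTROUTING rule decides the source address of a given packet. It understands only the -A/-s/-d/-i/-o/-j/--to-source options used in that table, and assumes the primary interface addresses 1.16.16.44 on eth1 and 192.168.1.1 on eth2 from the ip addr output given later in the thread.

```python
import ipaddress

# The nat table from the post above, same order, so rule N here is rule N there.
NAT_RULES = """\
-A PREROUTING -d 1.16.16.43 -i eth1 -j DNAT --to-destination 192.168.1.200
-A POSTROUTING -s 192.168.1.200 -o eth1 -j SNAT --to-source 1.16.16.43
-A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 192.168.1.0/24 -j ACCEPT
-A POSTROUTING -d 192.168.1.0/24 -j ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j SNAT --to-source 1.16.16.44
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o eth2 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -d 192.168.1.0/24 -j ACCEPT
"""
# Assumed primary address per interface (what MASQUERADE uses), from the ip addr output later on.
PRIMARY_ADDR = {"eth1": "1.16.16.44", "eth2": "192.168.1.1"}
OPTS = {"-s": "src", "-d": "dst", "-i": "in", "-o": "out", "-j": "target", "--to-source": "to"}

def parse_rules(text):
    """Parse only the options used above (-p/-m/--dport are ignored: no POSTROUTING rule uses them)."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        r = {"chain": tok[1], "src": None, "dst": None, "in": None, "out": None, "target": None, "to": None}
        for i, t in enumerate(tok):
            if t in OPTS:
                r[OPTS[t]] = tok[i + 1]
        for k in ("src", "dst"):  # turn -s/-d into networks (a bare host becomes /32)
            r[k] = r[k] and ipaddress.ip_network(r[k], strict=False)
        rules.append(r)
    return rules

def rule_matches(r, src, dst, out_if):
    return ((r["src"] is None or ipaddress.ip_address(src) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(dst) in r["dst"])
            and (r["out"] is None or r["out"] == out_if))

def postrouting_source(rules, src, dst, out_if):
    """First-match walk of POSTROUTING; SNAT, MASQUERADE and ACCEPT all end the walk. Returns (rule no., wire source)."""
    for n, r in enumerate(rules, 1):
        if r["chain"] != "POSTROUTING" or not rule_matches(r, src, dst, out_if):
            continue
        if r["target"] == "SNAT":
            return n, r["to"]
        if r["target"] == "MASQUERADE":
            return n, PRIMARY_ADDR[out_if]
        if r["target"] == "ACCEPT":  # terminating: leaves the chain with no NAT applied
            return n, src
    return None, src
```

Walking the table this way shows rule 2 rewriting the desktop's outbound traffic to 1.16.16.43, rule 6 shadowing rule 8 for every other host, and rule 12 never being reached because rule 5 already accepted.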
 
Old 08-27-2013, 02:27 AM   #6
rajeshchauhan
LQ Newbie
 
Registered: Aug 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
Iptable

It is working now. We have created a virtual interface for the public IP, and now we can access the machine using the public IP, but the issue is that when we check whatismyip.com, 1.16.16.44 is appearing.

The traffic should go out using 1.16.16.43 from the desktop.

Desktop local IP: 192.168.1.200
netmask: 255.255.255.0
gw: 192.168.1.1
NAT: 1.16.16.43

Please help.

 
Old 08-27-2013, 10:38 PM   #7
rajeshchauhan
LQ Newbie
 
Registered: Aug 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
It is working now. We have created a virtual interface for the public IP, and now we can access the machine using the public IP, but the issue is that when we check whatismyip.com, 1.16.16.44 is appearing instead of 1.16.16.43.

Traffic is also going through 1.16.16.44, but the traffic should go using 1.16.16.43 from the desktop.

Desktop local IP: 192.168.1.200
netmask: 255.255.255.0
gw: 192.168.1.1
NAT: 1.16.16.43

Please help.
 
Old 08-28-2013, 03:08 AM   #8
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233
I'd say the DNAT/SNAT rules for your machine are not working properly. Or maybe the routing of the host is mixed up. Please provide the output of
Code:
ip link
ip addr
ip route
If you don't have the iproute2 package, use the following:
Code:
ifconfig
route -n
 
Old 08-28-2013, 03:15 AM   #9
rajeshchauhan
LQ Newbie
 
Registered: Aug 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
Please find the output below:

ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:24:01:0c:bd:fd brd ff:ff:ff:ff:ff:ff
3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:21:91:54:0a:b2 brd ff:ff:ff:ff:ff:ff

ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:24:01:0c:bd:fd brd ff:ff:ff:ff:ff:ff
inet 1.16.16.44/24 brd 1.16.16.255 scope global eth1
inet 1.16.16.43/24 brd 1.16.16.255 scope global secondary eth1:1
inet6 fe80::224:1ff:fe0c:bdfd/64 scope link
valid_lft forever preferred_lft forever
3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:21:91:54:0a:b2 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth2
inet6 fe80::221:91ff:fe54:ab2/64 scope link
valid_lft forever preferred_lft forever


ip route
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1 metric 1
1.16.16.0/24 dev eth1 proto kernel scope link src 1.16.16.44 metric 1
default via 1.16.16.1 dev eth1 proto static


 
Old 08-28-2013, 03:33 AM   #10
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233
The NIC has the primary IP of 1.16.16.44, so every packet going out will have that IP. I'm not too sure about this, but I read some things about two IPs from the same subnet on one NIC. This could be done with routes. Check the LARTC document on tldp.org.
But first, to be sure that this is the cause, try removing the IP 1.16.16.44 and only have the .43 remain. See if this works out. After that, add 1.16.16.44 as the second IP and redo the testing, just to make sure that two IPs really do cause trouble.
 
Old 08-28-2013, 03:37 AM   #11
rajeshchauhan
LQ Newbie
 
Registered: Aug 2013
Posts: 7

Original Poster
Rep: Reputation: Disabled
Can you please send me a link (URL)?


 
Old 08-28-2013, 05:23 AM   #12
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233
http://www.tldp.org/HOWTO/pdf/Adv-Routing-HOWTO.pdf
Just beware that this is a tough read, but very rewarding once you grasp it.

Also, I would first check whether the two IPs are really the cause or whether your iptables rules are still not really kicking in.
 