1 - 1 Static NAT and Dynamic using IPTables

Posted on 2006-05-18
Last Modified: 2012-05-05
I've been trying to get this scenario to work on a WRT54G 2.2 with DD-WRT v23-Final. (This runs a cut-down version of Linux.)

I have 5 external IP addresses (, 112 for example) , and an internal network with private addresses. (10.0.0.x).

I'd like to be able to do 1 - 1 NAT with four of the addresses, statically to internal hosts, with no port forwarding, so all traffic is forwarded straight through.

For example -> ->

I'd like the fifth address to be a 'catch-all' address and have any other internal addresses NAT'd to it. (I understand port forwarding would be needed here.)

For example ->,, etc

I think this is possible with IPTables, I'm just not sure of the chains/tables used within DD-WRT.

Can anyone suggest a solution?

I'd thought of not NATing the first 4 hosts, and giving the internal machines external addresses, although this is not ideal.

Question by:Orky
    LVL 19

    Expert Comment

    By using full-range port forwarding you're defeating the purpose of NAT completely, so I'm not sure why you'd describe it as "not ideal". Yes, iptables will happily do it, but I can't see the point for anything other than mere proof of concept.

    As far as the fifth is concerned, you can't forward the same port behind NAT to multiple IP addresses; that would mean converting direct packets to broadcasts and configuring the clients to listen accordingly (all starts getting very messy, complicated and not pretty).
    LVL 2

    Accepted Solution

    I have set up this type of configuration many times.  It is convenient to keep the NAT and allowed traffic separate.  I use the NAT rules to assign 1-1 mappings, and then control the traffic with the forward rules.  Traffic control was not part of the question, so I won't address it.

    For each 1-1 nat you will need 2 rules.
    iptables -t nat -A PREROUTING -d <ExternalAddress> -j DNAT --to <InternalAddress>
    iptables -t nat -A POSTROUTING -s <InternalAddress> -j SNAT --to <ExternalAddress>

    For the catch-all you will just do one rule, and the connection tracking will handle the return traffic.  If you insert this rule after the rules above you won't need to worry about excluding the addresses.
    iptables -t nat -A POSTROUTING -s <InternalAddress/netmask> -j SNAT --to <ExternalAddress>

    You might still have some problems with ARP.  I am not familiar with this on the Linksys with your firmware.  If it doesn't work when you set up the rules, try adding static public ARP entries for each public IP address that isn't the router's.
    arp -s <IPADDRESS> <Router External Mac> pub

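The whole procedure from the accepted answer as one script, added here as an example and not code from the original answer or from DD-WRT. It emits (or, with APPLY=1, executes) the four 1:1 DNAT/SNAT pairs, the catch-all SNAT for the rest of 10.0.0.0/24, the FORWARD accepts the answer deliberately leaves out, and the interface addresses that make the router answer ARP for the extra public IPs. Everything not on the page is an assumption: the WAN interface name vlan1, the public addresses (constructed from the RFC 5737 documentation range; the question's real addresses are not shown), that the router's own WAN address is the fifth, catch-all address, and that the firmware already has a MASQUERADE rule in POSTROUTING, which is why the 1:1 SNAT rules are inserted at the top rather than appended.

```shell
#!/bin/sh
# Added example (not the original answer's code): generate the iptables
# and address commands for 1:1 static NAT plus a catch-all SNAT.
# ASSUMPTIONS not stated on the page: WAN interface vlan1, constructed
# public addresses from 198.51.100.0/24, router's WAN IP == CATCHALL,
# iproute2 'ip' present, and an existing MASQUERADE rule in POSTROUTING.
set -eu

WAN_IF="${WAN_IF:-vlan1}"               # assumed WAN interface on DD-WRT
LAN_NET="${LAN_NET:-10.0.0.0/24}"       # internal network from the question
CATCHALL="${CATCHALL:-198.51.100.14}"   # assumed fifth (catch-all) public IP

# "<public> <internal>" pairs for the four 1:1 hosts (constructed sample)
MAPPINGS="198.51.100.10 10.0.0.10
198.51.100.11 10.0.0.11
198.51.100.12 10.0.0.12
198.51.100.13 10.0.0.13"

# Call "$1 <public> <internal>" once per mapping line.
each_mapping() {
    printf '%s\n' "$MAPPINGS" | while read -r pub int; do
        [ -n "$pub" ] || continue
        "$1" "$pub" "$int"
    done
}

# One 1:1 pair = two nat rules, as in the answer. Both are inserted (-I)
# so they match before the firmware's own MASQUERADE rule; the pairs are
# disjoint, so their order relative to each other does not matter.
one_to_one() {
    # inbound: everything to the public address goes to the internal host,
    # every protocol and port, i.e. no per-port forwarding
    echo "iptables -t nat -I PREROUTING -i $WAN_IF -d $1 -j DNAT --to-destination $2"
    # outbound: the internal host always leaves as its own public address
    echo "iptables -t nat -I POSTROUTING -o $WAN_IF -s $2 -j SNAT --to-source $1"
}

# Nat table: 1:1 pairs first, network-wide catch-all last (appended), so a
# 1:1 host never falls through to the catch-all; conntrack translates the
# replies back, so the catch-all needs no second rule.
nat_rules() {
    each_mapping one_to_one
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $CATCHALL"
}

# The answer leaves traffic control aside, but a firewall whose FORWARD
# policy drops new inbound WAN connections turns DNAT into a silent black
# hole. FORWARD sees the post-DNAT destination, so match the internal host.
# This accepts everything to the 1:1 hosts, which is what the question
# asks for; restrict per port if full exposure is not wanted.
allow_forward() { echo "iptables -I FORWARD -i $WAN_IF -d $2 -j ACCEPT"; }
forward_rules() { each_mapping allow_forward; }

# The router must answer ARP for the four extra public addresses (the
# fifth is assumed to be its own WAN address already). Adding them as /32
# secondaries on the WAN interface achieves that without proxy ARP and is
# an alternative to the answer's 'arp -s <ip> <mac> pub'.
own_address() { echo "ip addr add $1/32 dev $WAN_IF"; }
address_rules() { each_mapping own_address; }

# Print everything; APPLY=1 executes it instead (needs root on the router).
all_rules() { address_rules; nat_rules; forward_rules; }
if [ "${APPLY:-0}" = 1 ]; then all_rules | sh; else all_rules; fi
```

Run it once without APPLY to review the generated commands, then with APPLY=1 on the router; to verify ordering afterwards, `iptables -t nat -L POSTROUTING -n --line-numbers` should list the four SNAT rules above MASQUERADE and the catch-all at the bottom.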

    Author Comment

    Thanks, that seems to be right - even with the correct outside interfaces specified it won't work on my Linksys WRT54G. That's for another question though!
