[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 916
  • Last Modified:

1 - 1 Static NAT and Dynamic using IPTables

I've been trying to get this scenario to work on a WRT54G 2.2 with DD-WRT v23-Final. (This runs a cut down version of Linux)

I have 5 external IP addresses (, 112 for example) , and an internal network with private addresses. (10.0.0.x).

I'd like to be able to do 1 - 1 NAT with four of the addresses, statically to internal hosts, with no port forwarding, so all traffic is forwarded straight through.

For example -> ->

I'd like the fifth address to be a 'catch-all' address and have any other internal addresses NAT'd to it. (I understand port forwarding would be needed here.)

For example ->,, etc

I think this is possible with IPTables, I'm just not sure of the chains/tables used within DD-WRT.

Can anyone suggest a solution?

I'd thought of not NATing the first 4 hosts, and giving the internal machines external addresses, although this is not ideal.

1 Solution
By using full-range port forwarding you're defeating the purpose of NAT completely, so I'm not sure why you'd describe it as "not ideal". Yes, iptables will happily do it, but I can't see the point for anything other then mere proof of concept.

As far as the fifth is concerned, you can't forward the same port behind NAT to multiple IP addresses; that would mean converting direct packets to broadcasts and configuring the clients to listen accordingly (all starts getting very messy, complicated and not pretty).
I have setup this type of configuration many times.  It is convienent to keep the NAT and allowed traffic seperate.  I use the NAT rules to assign 1-1 mappings, and then control the traffic with the forward rules.  Traffic control was not part of the question, so I won't address it.

For each 1-1 nat you will need 2 rules.
iptables -t nat -A PREROUTING -d <ExternalAddress> -j DNAT --to <InternalAddress>
iptables -t nat -A POSTROUTING -s <InternalAddress> -j SNAT --to <ExternalAddress>

For the catchall you will just do one rule, and the connection tracking will handle the return traffic.  If you insert this rule after the rules above you won't need to worry about excluding the addresses
iptables -t nat -A POSTROUTING -s <InternalAddress/netmask> -j SNAT --to <ExternalAddress>

You might still have some problems with ARP.  I am not familar with this on the Linksys with your firmware.  If it doesn't work when you setup the rules try adding static public arp entries for each public IP address that isn't the routers.
arp -s <IPADDRESS> <Router External Mac> pub

OrkyAuthor Commented:
Thanks, that seems to be right - even with the correct outside interfaces specified it wont work on my Linksys WRT54G. Thats for another question though!

Featured Post


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now