Ranged 1:1 NAT with iptables

Posted on 2011-10-10
Medium Priority
Last Modified: 2012-05-12
I currently have two networks that I need to be able to talk to each other via a 1:1 NAT situation. I have a CentOS machine running iptables with a nic on each network, and would like to NAT a range of IP addresses between the two networks.
Even if it's a manual process rather than a couple of ranged commands, that's okay - I'm just struggling to get this working.

Basically, i'm trying to NAT 10.0.0.x/24 <--> 172.16.0.x/24

IPTables machine:

Computer A:
Computer B:

From computer A, I would like to be able to ping and that be mapped to computer B's IP, and vice versa. If computer B pings, that should be mapped to computer A @
Is this possible with iptables to begin with, and what's the best way of going about this?

Question by: vixtro

Accepted Solution

Blaz earned 2000 total points
ID: 36946960
Your problem is a bit more complex, because you want to NAT LAN addresses. The steps needed are:
1. configure ethernet aliases for additional IPs that the CentOS machine should NAT
2. configure NAT in iptables
3. allow the packets with firewall

1. For the above example you should add two virtual interfaces:
 eth0:0 with IP
 eth1:0 with IP

 See chapter 13.2.4. in http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-networkscripts-interfaces.html

2. You should configure NAT - you have to do this for each IP, but since you can do this with iptables command-line commands, you could write a bash script that would add a range of IPs

 For the above example:
 iptables -t nat -A PREROUTING -d -j DNAT --to-destination
 iptables -t nat -A PREROUTING -d -j DNAT --to-destination

 When doing "ping" from machine A you probably want to see on machine B as the source IP and not, so you should also add:
 iptables -t nat -A POSTROUTING -s -j DNAT --to-source
 iptables -t nat -A POSTROUTING -s -j DNAT --to-source

3. The firewall should allow packet traversal. This includes enabled packet forwarding and firewall allowing packets:

 echo 1 > /proc/sys/net/ipv4/ip_forward

 iptables -t filter -A FORWARD -d -j ACCEPT
 iptables -t filter -A FORWARD -d -j ACCEPT

Author Comment

ID: 36952963
Thanks for your reply Blaz,

Your post got me 99% of the way there, although I did have to change one thing along the way.
 iptables -t nat -A POSTROUTING -s -j DNAT --to-source
 iptables -t nat -A POSTROUTING -s -j DNAT --to-source

These two lines caused issues - I kept getting "Unknown arg --to-source", which makes sense as it's trying to do a DNAT to a source. So, I changed DNAT to SNAT so the lines read
 iptables -t nat -A POSTROUTING -s -j SNAT --to-source
 iptables -t nat -A POSTROUTING -s -j SNAT --to-source

and that works as expected.
I have verified that the aliases and forwarding works as expected, as when I shutdown the network interfaces on computer A when pinging from computer B, the ping stops, and resumes when the interfaces come back up.
Thanks for your help!

Expert Comment

ID: 36953590
Sorry for that - it was a typo.

I'm glad that you got it working.
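The three steps in Blaz's answer (aliases, NAT rules, forwarding) plus vixtro's DNAT-to-SNAT correction, pulled together as one generator script. This is an added example and not code from the thread; the interface names, the two /24 prefixes and the host ranges are placeholders, since the page does not show the real addresses. It assumes the mapping scheme implied by the answer: each real host keeps its last octet and is represented on the other network by a "shadow" address with that same octet, which the CentOS box aliases on the far-side NIC so it answers ARP for it. The script prints the commands instead of running them, so it can be reviewed before being piped to a root shell.

```shell
#!/bin/sh
# Ranged 1:1 NAT between two /24 networks on a dual-homed iptables box.
# Added example, not the thread's own code. Interface names, prefixes and
# host ranges below are assumptions; override them via the environment.
set -eu

A_IF=${A_IF:-eth0}        # NIC on the 10.0.0.0/24 side (assumed)
B_IF=${B_IF:-eth1}        # NIC on the 172.16.0.0/24 side (assumed)
A_NET=${A_NET:-10.0.0}    # first three octets of network A
B_NET=${B_NET:-172.16.0}  # first three octets of network B

# gen_direction REAL_NET SHADOW_NET SHADOW_IF FIRST LAST
# For every host REAL_NET.n (n = FIRST..LAST) print the commands that:
#   1. alias its shadow address SHADOW_NET.n on SHADOW_IF, so the box
#      answers ARP for it (netfilter NAT alone does not claim the address)
#   2. DNAT packets sent to the shadow address to the real host
#   3. SNAT packets from the real host so they leave as the shadow address
#   4. accept forwarded packets addressed to the real host
gen_direction() {
    local real_net=$1 shadow_net=$2 shadow_if=$3 n=$4 last=$5 real shadow
    while [ "$n" -le "$last" ]; do
        real="$real_net.$n"
        shadow="$shadow_net.$n"
        echo "ip addr add $shadow/24 dev $shadow_if label $shadow_if:$n"
        echo "iptables -t nat -A PREROUTING -d $shadow -j DNAT --to-destination $real"
        echo "iptables -t nat -A POSTROUTING -s $real -j SNAT --to-source $shadow"
        echo "iptables -t filter -A FORWARD -d $real -j ACCEPT"
        n=$((n + 1))
    done
}

# gen_all A_FIRST A_LAST B_FIRST B_LAST
# Hosts A_NET.A_FIRST..A_LAST become reachable from network B as B_NET.<same octet>;
# hosts B_NET.B_FIRST..B_LAST become reachable from network A as A_NET.<same octet>.
# The two octet ranges must not overlap, or a shadow address collides with a real host.
gen_all() {
    local a_first=$1 a_last=$2 b_first=$3 b_last=$4
    if [ "$a_last" -ge "$b_first" ] && [ "$b_last" -ge "$a_first" ]; then
        echo "error: host ranges $a_first-$a_last and $b_first-$b_last overlap" >&2
        return 1
    fi
    echo "sysctl -w net.ipv4.ip_forward=1"
    gen_direction "$A_NET" "$B_NET" "$B_IF" "$a_first" "$a_last"
    gen_direction "$B_NET" "$A_NET" "$A_IF" "$b_first" "$b_last"
}

# Usage: ./ranged-nat.sh 10 20 100 110 | sudo sh
if [ $# -eq 4 ]; then
    gen_all "$@"
fi
```

The FORWARD rules generated for one direction also cover the replies of the other, because conntrack undoes the SNAT before the filter table sees the returning packet, so its destination is already the real address. The `ip addr add ... label` lines are the non-persistent equivalent of the ifcfg-ethX:N alias files in the CentOS guide Blaz links; put the same addresses there if they must survive a reboot. Note that a 1:1 mapping like this makes every mapped host fully reachable from the other network on every port; if only some services are meant to cross, add `-p`/`--dport` matches to the FORWARD rules rather than relying on the NAT itself as a boundary.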
