DNAT using Iptables

Rumi, January 12, 2009

Before I start with DNAT, I'd better say what it does. The DNAT target is used to do Destination Network Address Translation, which means that it is used to rewrite the destination IP address of a packet. If a packet is matched, and this is the target of the rule, the packet and all subsequent packets in the same stream will be translated, and then routed on to the correct device, host or network.

This target can be extremely useful, for example, when you have a host running your web server inside a LAN, but no real IP to give it that will work on the Internet. You could then tell the firewall to forward all packets going to its own HTTP port on to the real web server within the LAN. We may also specify a whole range of destination IP addresses, and the DNAT mechanism will choose the destination IP address at random for each stream. Hence, we will be able to do a kind of load balancing this way.

Note that the DNAT target is only available within the PREROUTING and OUTPUT chains in the nat table, and in any of the chains called upon from those two chains. Chains containing DNAT targets may not be used from any other chains, such as the POSTROUTING chain.

So, let's see it in action. Here's the scenario:

FIREWALL EXT INTERFACE: 65.222.35.249
FIREWALL INT INTERFACE: 192.168.0.248
WEB HOST: 192.168.0.5

Here's the one small line to be added to /etc/sysconfig/iptables:

    -A PREROUTING -p tcp -m tcp -d 65.222.35.249 --dport 80 -j DNAT --to-destination 192.168.0.5

Voilà! It's done. I assume 65.222.35.249 is a virtual IP on the external eth interface and you want your visitors to view websites on the 192.168.0.5 machine, which sits behind the firewall, so you destination-NAT through 65.222.35.249.
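As an added example (not from the original post), here is a small script that writes out the post's scenario as a complete iptables-restore style file and checks the placement rule from the post, namely that DNAT targets appear only in the nat table's PREROUTING or OUTPUT chains. The filter FORWARD rules, the ip_forward note and the function names are my additions: the DNAT rule alone only rewrites the destination, the translated packet still has to be accepted by FORWARD and IP forwarding has to be enabled on the firewall.

```shell
#!/bin/sh
# Added example for the DNAT post: generate the nat and filter sections for the
# scenario and verify where DNAT targets live. Values below are the post's.
EXT_IP=65.222.35.249   # firewall external (virtual) IP
WEB_HOST=192.168.0.5   # web server inside the LAN
PORT=80

# Print an iptables-restore format file for forwarding EXT_IP:PORT to HOST:PORT.
# The FORWARD rules are an addition: DNAT in PREROUTING only rewrites the
# destination; the packet is then routed and must pass the filter FORWARD chain.
# The firewall also needs net.ipv4.ip_forward=1 (sysctl) for this to work.
dnat_rules() {
  ext="$1"; host="$2"; port="$3"
  printf '%s\n' '*nat'
  printf '%s\n' "-A PREROUTING -p tcp -m tcp -d $ext --dport $port -j DNAT --to-destination $host"
  printf '%s\n' 'COMMIT'
  printf '%s\n' '*filter'
  printf '%s\n' "-A FORWARD -p tcp -m tcp -d $host --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
  printf '%s\n' "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  printf '%s\n' 'COMMIT'
}

# Return 0 if every "-j DNAT" rule in the given file sits in the nat table's
# PREROUTING or OUTPUT chain (the only places the target is valid), else 1.
check_dnat_placement() {
  awk '
    /^\*/ { table = substr($0, 2); next }     # "*nat", "*filter" start a table
    /-j DNAT/ {
      if (table != "nat" || ($2 != "PREROUTING" && $2 != "OUTPUT")) bad++
    }
    END { exit (bad > 0) }
  ' "$1"
}
```

Run `dnat_rules "$EXT_IP" "$WEB_HOST" "$PORT" > rules.txt && check_dnat_placement rules.txt` to produce the file and confirm the DNAT rule is in a permitted chain before loading it with iptables-restore.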