Monday 7 March 2016

Setting up PAT with IPTables on Debian

For this tutorial I will outline two common PAT configurations - the first one is where we have a host with a single NIC and will forward traffic from a specific / it's own local subnet:

We should firstly ensure IP forwarding is turned on in the kernel:

echo 1 > /proc/sys/net/ipv4/ip_forward

Edit the sysctl.conf file:

sudo vi /etc/sysctl.conf

and add:

net.ipv4.ip_forward = 1

For security we should also disable ICMP redirects by setting:

net.ipv4.conf.eth0.send_redirects = 0

and then run the following to apply the changes:

sudo sysctl -p /etc/sysctl.conf

We should proceed by setting up masqerrading and NAT with iptables:

iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE

* The above command appends a new rule to the POSTROUTING chain of the NAT table that allows agress packets on eth0 that match the source of to 'masquerade' (take the IP address of the router's interface).

We can review our rules with:

sudo iptables -vL -t nat

We should then ensure our rules persist a reboot by issuing:

iptables-save > /etc/iptables.up.rules

The second scenerio is where we have a host with two NICs - one of which hosts an internal client range ( and another which will act as the outside network ( - we would like all egress traffic from a specific internal subnet to be NAT'd out from the outside interface address of

iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -s -o eth0 -j ACCEPT

* Where eth0 is on our EXTERNAL subnet and eth1 is on our INTERNAL network. *


Post a Comment