Configure NAT masquerading in iptables

When you run a Linux machine as a router, or as a server that forwards traffic on behalf of other hosts (a VPN server, for example), you usually need NAT masquerading in addition to IP forwarding. Forwarding alone moves the packets into the next network, but the hosts there see the private source address of the original sender and have no route back to it, so their replies never arrive. Masquerading rewrites the source address to the router's own address on the outgoing interface; replies then come back to the router, which reverses the translation using its connection tracking table and delivers them to the original sender.

NAT Masquerading

Masquerading is a form of source NAT: every packet leaving through the chosen interface has its source address replaced with whatever address that interface currently holds, and the kernel's connection tracking (conntrack) reverses the translation on the reply packets. For instance, if I configure a VPN server so that VPN clients can reach hosts on my LAN, the LAN hosts would otherwise see the clients' VPN addresses and would not know where to send their replies; with masquerading the traffic appears to come from the VPN server's LAN address. Let's go ahead and use iptables to do just that.

We need a rule in the nat table that masquerades traffic leaving through a specific interface. On a router that is the WAN interface; on the VPN server in the example above it is the LAN interface. IP forwarding (the net.ipv4.ip_forward sysctl) must be enabled as well, otherwise the kernel drops the forwarded packets before NAT is ever consulted. For example, run the following command in the shell terminal:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This tells iptables to append a rule to the POSTROUTING chain of the nat table. That chain sees packets after routing has decided which interface they leave on and after the filter table has accepted them, which is why source NAT lives there: it is the last point at which the source address can be changed before the packet goes out. Restricting the rule with -o matters because MASQUERADE uses the address of the interface the packet leaves on; without that restriction, traffic leaving on any interface would be rewritten, including traffic between your own internal networks, and adding -s with the private network you are translating narrows it further. MASQUERADE is meant for interfaces whose address can change (DHCP, PPP): it looks up the interface address for every new connection and discards its conntrack entries when the interface goes down. If the address is static, the SNAT target with --to-source does the same job without that overhead. Note also that iptables handles IPv4 only; IPv6 needs the equivalent ip6tables rule.

Check that the rule is in place (adding -n to the listing avoids the reverse DNS lookups that can make it slow):

sudo iptables -t nat -L

You can also see whether traffic is actually hitting the rule by adding -v to the listing:

sudo iptables -t nat -L -v

The pkts and bytes columns show how much traffic has matched the rule. Keep in mind that the nat table is consulted only for the first packet of each connection: once conntrack has an entry for a flow, later packets are translated from that entry without re-evaluating the rule, so these counters grow once per new connection rather than per packet, and a rule showing a small count can still be carrying a lot of traffic. Any value above 0 confirms that flows are being masqueraded through the interface. If it stays at 0 while clients are sending traffic, check that IP forwarding is enabled and that the FORWARD chain is not dropping the packets.
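The whole procedure above, as an added example that is not part of the original article: a re-runnable setup script that enables forwarding, adds the MASQUERADE rule restricted to a source network and outgoing interface, opens the FORWARD chain for those flows only, and reads the POSTROUTING counters back. The interface name eth0 and the network 192.168.1.0/24 are assumptions (set OUT_IF and SRC_NET to match your machine), and the listing used to exercise the counter check is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not code from the original article): the full masquerading
# setup as a re-runnable script, plus a check of the POSTROUTING counters.
# Assumed names: eth0 is the interface the masqueraded traffic leaves on and
# 192.168.1.0/24 is the network whose private source addresses get rewritten.
OUT_IF="${OUT_IF:-eth0}"
SRC_NET="${SRC_NET:-192.168.1.0/24}"

# Execute a command, or only print it when DRY_RUN=1 so the rules can be
# reviewed before they touch a live router.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Append a rule only if an identical one is not already present
# (iptables -C exits 0 when the rule exists), so re-running the script
# does not stack duplicate rules.
ensure_rule() {  # ensure_rule <table> <chain> <match and target...>
    table="$1"; chain="$2"; shift 2
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        run iptables -t "$table" -A "$chain" "$@"
    fi
}

# The complete setup: forwarding must be on or the kernel drops the packets
# before NAT is consulted; the MASQUERADE rule is limited to -s and -o so
# only the intended flows are rewritten; the FORWARD rules let new flows
# out and their replies back while everything else is dropped.
setup_masquerade() {  # setup_masquerade <out_iface> <src_net>
    out_if="$1"; src_net="$2"
    run sysctl -w net.ipv4.ip_forward=1
    ensure_rule nat POSTROUTING -s "$src_net" -o "$out_if" -j MASQUERADE
    ensure_rule filter FORWARD -i "$out_if" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ensure_rule filter FORWARD -s "$src_net" -o "$out_if" -j ACCEPT
    run iptables -P FORWARD DROP
}

# Sum the pkts column of every MASQUERADE rule in the output of
# `iptables -t nat -L POSTROUTING -v -n -x` read from stdin (-x gives exact
# numbers instead of 2520K). The nat table is evaluated only for the first
# packet of a connection, so this counts new connections, not all packets.
masquerade_pkts() {
    awk '$3 == "MASQUERADE" { n += $1 } END { print n + 0 }'
}

# Constructed sample listing (not captured from a real system) in the exact
# -L -v -n -x column layout, used to exercise masquerade_pkts offline.
SAMPLE_LISTING='Chain POSTROUTING (policy ACCEPT 12 packets, 864 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      42     2520 MASQUERADE  all  --  *      eth0    192.168.1.0/24       0.0.0.0/0'

case "${1:-}" in
    apply) setup_masquerade "$OUT_IF" "$SRC_NET" ;;                  # needs root
    check) iptables -t nat -L POSTROUTING -v -n -x | masquerade_pkts ;;
    *)     (DRY_RUN=1; setup_masquerade "$OUT_IF" "$SRC_NET")       # just print the commands
           printf '%s\n' "$SAMPLE_LISTING" | masquerade_pkts ;;    # prints 42
esac
```

Run it with no arguments to see the exact commands it would issue, with `apply` as root to install them, and with `check` to read the live counter. The rules are not persistent across reboots; save them with iptables-save (or your distribution's iptables-persistent package) once they behave as expected.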

We have successfully configured NAT masquerading!