Debian iptables – How to Create a 1:1 NAT with iptables

Tags: debian, iptables, port-forwarding

I am running a Debian 10 server which has multiple network interfaces. Can I create rules that will route all network traffic coming in to one IP address on one of the interfaces from the outside (i.e. from other devices on the network) to another IP address, not on the same machine but elsewhere on the network? Similar to WAN-to-LAN routing.

I know how to do it on e.g. pfSense, but I am quite lost with iptables.

Non-iptables solutions are also welcome.

Best Answer

Quick examples for forwarding traffic coming from outside and from interfaces within the same machine, from the address "original" to another address, for IP versions 4 and 6 (possibly excluding IPsec traffic with an endpoint on the original address, and connections already existing at the point of execution). This also does NOT redirect traffic generated by locally executing programs; for that you need the OUTPUT chain.

# Activate forwarding
# Note: these forward settings are not reboot persistent
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv4.ip_forward=1

# IPv4: rewrite the destination of packets addressed to the original address,
# then rewrite the source of everything leaving so replies come back through this host
iptables -t nat -A PREROUTING -d original.add.re.ss -j DNAT --to-destination ipv4.add.re.ss
iptables -t nat -A POSTROUTING -j MASQUERADE

# IPv6: same two steps (ip6tables needs a nat-capable kernel; the bracketed forms are placeholders)
ip6tables -t nat -A PREROUTING -d [original.add.re.ss] -j DNAT --to-destination [2001::]
ip6tables -t nat -A POSTROUTING -j MASQUERADE

If you want to limit the forwarding to only packets from outside, you have to modify the rules: either add -i interface, naming the interface where they come in, or match everything that did not originate from a local address with -m addrtype ! --src-type LOCAL. You could further exclude broadcast and multicast traffic by using -m addrtype --dst-type UNICAST --src-type UNICAST. You should also check that the default policy for the FORWARD chain is ACCEPT, or add specific rules in that chain.

Dumping the existing filter and nat tables can be done with iptables -S -t filter and iptables -S -t nat. The filter table is where you configure the FORWARD rules if there is a DROP policy. The -A before PREROUTING/POSTROUTING means Append. If you need to insert the rule, because there is a DROP at the end, you have to use -I and put a number behind the chain name.