IPTables: NAT multiple IPs to one public IP


I'm looking for a way to NAT 2 or more inner IPs (in my case Xen domUs) to one outer IP.
I tried to use

iptables -t nat -A PREROUTING -d 123.123.123.123 -j DNAT --to 1.2.3.4 --to 1.2.3.7
iptables -t nat -A POSTROUTING -s 1.2.3.4 -j SNAT --to 123.123.123.123
iptables -t nat -A POSTROUTING -s 1.2.3.7 -j SNAT --to 123.123.123.123

And got an error:

iptables v1.4.14: DNAT: Multiple --to-destination not supported
Try `iptables -h' or 'iptables --help' for more information.

I found this in the manpage:

Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore.

So my question is: Why is it not possible anymore, and is there a workaround? Maybe I should use another method I don't know yet?

EDIT:
The idea is to use the system like a router, so I have one address but multiple users behind it. The problem is I don't know which connection refers to which user (for example 1.2.3.4). But I know they all have different ports open for incoming traffic.
So my solution (for DNAT) would be to nat all incoming connections to all users and filter all unused ports, so the connection goes to one single user. For outgoing traffic I would use

iptables -A FORWARD -i eth0 -d 1.2.3.4 -m state --state ESTABLISHED,RELATED -j ACCEPT

Best Answer

You can't do 1-to-1 NAT with only 1 outside IP address when you're working with 2 internal hosts. The reason is that the firewall will never have a true destination for outside source connections, unless one of the internal hosts is down. In this case, you would require 2 iptables rules to provide round-robin functionality:

$ipt -t nat -A PREROUTING -s $srcip -d $wanip -j DNAT --to 192.168.1.2
$ipt -t nat -A PREROUTING -s $srcip -d $wanip -j DNAT --to 192.168.1.3

Also, your "DNAT: Multiple --to-destination not supported" error comes from the capability of specifying more than 1 DNAT destination being removed from the version you're running (v1.4.14). This functionality was removed in favor of the round-robin functionality.

If you want to allow multiple hosts a connection to the internet, you must use the POSTROUTING chain of the NAT table as follows:

$ipt -t nat -A POSTROUTING -o $wanif -s $lan_network -j MASQUERADE

MASQUERADE is used with dynamic IP configurations. For static IP, use SNAT in place of MASQUERADE:

$ipt -t nat -A POSTROUTING -o $wanif -s $lan_network -j SNAT --to $wanip

This will not, however, make the open ports on your internal hosts available to the outside world. DNAT is used for outside->inside and SNAT is used for inside->outside for basic scenarios like yours.
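The approach the question's EDIT is reaching for, as an added example that is not part of the question or the answer: SNAT in POSTROUTING for everything leaving, and one DNAT per public port in PREROUTING so each inbound connection has exactly one internal destination. WANIF, WANIP, LAN_NET and the port-to-host mapping are assumed placeholder values; `-m conntrack --ctstate` is used as the current equivalent of the `-m state --state` match in the question.

```sh
#!/bin/sh
# Added example, not the question's or the answer's own rules: one public IP in
# front of several internal hosts. Outbound traffic is SNATed to the public IP;
# inbound traffic is steered to exactly one host per public port with DNAT,
# so every incoming connection has a single well-defined destination.
# WANIF, WANIP and LAN_NET below are assumed placeholder values.
IPT="${IPT:-iptables}"               # point IPT at a stub to preview rules
WANIF="${WANIF:-eth0}"
WANIP="${WANIP:-123.123.123.123}"
LAN_NET="${LAN_NET:-1.2.3.0/24}"

# Outbound: every internal host leaves with the public address (static IP, so
# SNAT; MASQUERADE would be the choice for a dynamic address).
nat_outbound() {
    "$IPT" -t nat -A POSTROUTING -o "$WANIF" -s "$LAN_NET" \
        -j SNAT --to-source "$WANIP"
    # FORWARD must also pass the traffic: new flows out, replies back in.
    "$IPT" -A FORWARD -s "$LAN_NET" -o "$WANIF" -j ACCEPT
    "$IPT" -A FORWARD -i "$WANIF" -m conntrack \
        --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Inbound: map one public port to one internal host:port.
# usage: nat_inbound <tcp|udp> <public_port> <internal_ip> [internal_port]
nat_inbound() {
    proto=$1; pub_port=$2; host=$3; int_port=${4:-$2}
    "$IPT" -t nat -A PREROUTING -i "$WANIF" -d "$WANIP" -p "$proto" \
        --dport "$pub_port" -j DNAT --to-destination "$host:$int_port"
    # The DNATed packet still traverses FORWARD; allow only that host/port.
    "$IPT" -A FORWARD -i "$WANIF" -p "$proto" -d "$host" --dport "$int_port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Two guests behind one address: SSH on 2222 -> 1.2.3.4, HTTP on 80 -> 1.2.3.7
# (constructed mapping, not from the page).
setup_nat() {
    nat_outbound
    nat_inbound tcp 2222 1.2.3.4 22
    nat_inbound tcp 80   1.2.3.7
}

# Apply only when explicitly asked (needs root and a FORWARD policy you control).
if [ "${APPLY:-0}" = 1 ]; then setup_nat; fi
```

Setting IPT to a shell function that prints its arguments shows the generated rules without touching the kernel; APPLY=1 installs them for real.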
