[CentOS] A little iptables help

Aleksandar Milivojevic alex at milivojevic.org
Wed Sep 28 17:21:50 UTC 2005

Quoting Kirk Bocek <t004 at kbocek.com>:

> Hmmm, I may be unclear on this. When doing DNAT, is the source IP 
> address of the traffic coming from firewall and going to the internal 
> host set to the internal address of the firewall? Or does it remain 
> the address of the outside host that initiated the traffic in the 
> first place.
> I always *assumed* (a bad thing) that it was the latter. Thus my 
> statement regarding the need for SNAT on the outbound traffic.

You assumed right.  However, Netfilter is smart enough to change source 
on the returning packet without explicit SNAT rule(s), as long as incoming and
outgoing packets are going through the same firewall (or unless you are doing
something else funky within your firewall rules).  You need explicit SNAT rules
only if you want to make outgoing connections from the hosts on the local network.

Of course, if you want your internal hosts to see all connections as coming
from the firewall, you can do SNAT too.  For example, if they don't have a
default route set or something like that...

As an example, it looks like this:

External interface of firewall receives:



Internal interface of firewall transmits and destination host receives:


Destination host transmits and internal interface of firewall receives:


The firewall knows it was doing DNAT on this specific connection, and 
rewrites the source address.  You do not need an explicit SNAT rule for this:

Automatic rewriting, no rules needed ->

Firewall transmits on its external interface:



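Added illustration, not part of the thread above: a small Python model of the connection-tracking behaviour the reply describes. It is not netfilter code; it only mimics what happens after a rule such as `iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80` (DNAT on the external interface) and, optionally, `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` (SNAT for connections the LAN opens itself). All addresses are constructed (203.0.113.5 as the outside client, 198.51.100.1 and 192.168.1.1 as the firewall's external and internal addresses, 192.168.1.10 as the internal server), the `NatFirewall` class and its flags are names made up for this example, and source ports are never remapped, which real SNAT/MASQUERADE may do on collisions.

```python
"""Toy model of DNAT plus connection tracking (constructed example, not netfilter).

A packet is a 4-tuple (src_ip, src_port, dst_ip, dst_port).  The firewall keeps
a conntrack table mapping "packet as it arrives" -> "packet as it leaves".  Only
the FIRST packet of a connection consults the NAT rules; every later packet in
either direction is rewritten from the table.  That is why a reply from the
DNATed server gets its source changed back to the firewall's public address
without any SNAT rule, while a brand-new connection opened by a LAN host
leaves with its private source unless an explicit SNAT/MASQUERADE rule exists.
"""

Tuple4 = tuple  # (src_ip, src_port, dst_ip, dst_port)


def reverse(t):
    """Swap the endpoints of a 4-tuple: the shape of the reply packet."""
    src, sport, dst, dport = t
    return (dst, dport, src, sport)


class NatFirewall:
    def __init__(self, ext_ip, int_ip, dnat=None, snat_outbound=False, snat_to_lan=False):
        self.ext_ip = ext_ip            # address on the external interface
        self.int_ip = int_ip            # address on the internal interface
        # PREROUTING DNAT rules: (public_ip, public_port) -> (lan_ip, lan_port)
        self.dnat = dnat or {}
        # POSTROUTING SNAT/MASQUERADE on the external interface (hypothetical flag)
        self.snat_outbound = snat_outbound
        # POSTROUTING SNAT toward the LAN, so servers see the firewall as client
        self.snat_to_lan = snat_to_lan
        self.conntrack = {}             # arriving tuple -> departing tuple

    def _apply_rules(self, pkt, iface):
        """NAT rule evaluation for the first packet of a new connection only."""
        src, sport, dst, dport = pkt
        if iface == "ext":
            # DNAT: rewrite the destination; the source is left untouched.
            if (dst, dport) in self.dnat:
                dst, dport = self.dnat[(dst, dport)]
            if self.snat_to_lan:
                src = self.int_ip   # optional: hide the outside client from the LAN
        else:
            # Connection originated by a LAN host: no conntrack entry exists yet,
            # so only an explicit SNAT/MASQUERADE rule can change the source.
            if self.snat_outbound:
                src = self.ext_ip
        return (src, sport, dst, dport)

    def forward(self, pkt, iface):
        """Return the packet as it leaves the firewall (iface is where it arrived)."""
        if pkt in self.conntrack:
            return self.conntrack[pkt]          # established: rules are not consulted
        out = self._apply_rules(pkt, iface)
        self.conntrack[pkt] = out               # original direction
        self.conntrack[reverse(out)] = reverse(pkt)   # reply direction, derived
        return out


def demo():
    """Walk the three cases from the discussion; returns the departing packets."""
    fw = NatFirewall("198.51.100.1", "192.168.1.1",
                     dnat={("198.51.100.1", 80): ("192.168.1.10", 80)})
    # 1. Outside client -> firewall public address: DNAT to the internal server.
    to_server = fw.forward(("203.0.113.5", 40000, "198.51.100.1", 80), "ext")
    # 2. Server replies to the outside client's address, which it saw unchanged.
    to_client = fw.forward(reverse(to_server), "int")
    # 3. LAN host opens its own connection: no table entry, no SNAT rule.
    leaves_as = fw.forward(("192.168.1.10", 50000, "203.0.113.5", 443), "int")
    return to_server, to_client, leaves_as


if __name__ == "__main__":
    for label, pkt in zip(("DNATed to server", "reply, auto-rewritten", "LAN-originated, no SNAT"), demo()):
        print(f"{label:26s} {pkt[0]}:{pkt[1]} -> {pkt[2]}:{pkt[3]}")
```

The second result is the point of the reply: the server's answer arrives with source 192.168.1.10:80 and leaves as 198.51.100.1:80 because the conntrack entry created by the DNAT is consulted, not an SNAT rule. The third result shows the case that does need a rule: with `snat_outbound=True` (the MASQUERADE rule) the same packet leaves with the firewall's public source, and with `snat_to_lan=True` the server instead sees 192.168.1.1 as the client, matching the "connections appear to come from the firewall" variant mentioned in the reply.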