Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

6.3. Configuring NAT using nftables

With nftables, you can configure the following network address translation (NAT) types:
  • Masquerading
  • Source NAT (SNAT)
  • Destination NAT (DNAT)
  • Redirect

6.3.1. The different NAT types: masquerading, source NAT, destination NAT, and redirect

These are the different network address translation (NAT) types:

Masquerading and source NAT (SNAT)

Use one of these NAT types to change the source IP address of packets. For example, Internet Service Providers do not route private IP ranges, such as 10.0.0.0/8. If you use private IP ranges in your network and users should be able to reach servers on the Internet, map the source IP address of packets from these ranges to a public IP address.
Both masquerading and SNAT are very similar. The differences are:
  • Masquerading automatically uses the IP address of the outgoing interface. Therefore, use masquerading if the outgoing interface uses a dynamic IP address.
  • SNAT sets the source IP address of packets to a specified IP and does not dynamically look up the IP of the outgoing interface. Therefore, SNAT is faster than masquerading. Use SNAT if the outgoing interface uses a fixed IP address.

Destination NAT (DNAT)

Use this NAT type to route incoming traffic to a different host. For example, if your web server uses an IP address from a reserved IP range and is, therefore, not directly accessible from the Internet, you can set a DNAT rule on the router to redirect incoming traffic to this server.

Redirect

This type is a special case of DNAT that redirects packets to the local machine depending on the chain hook. For example, if a service runs on a different port than its standard port, you can redirect incoming traffic from the standard port to this specific port.

6.3.2. Configuring masquerading using nftables

Masquerading enables a router to dynamically change the source IP of packets sent through an interface to the IP address of the interface. This means that if the interface gets a new IP assigned, nftables automatically uses the new IP when replacing the source IP.
The following procedure describes how to replace the source IP of packets leaving the host through the ens3 interface to the IP set on ens3.

Procedure 6.9. Configuring masquerading using nftables

  1. Create a table:
    # nft add table nat
  2. Add the prerouting and postrouting chains to the table:
    # nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; }
    # nft add chain nat postrouting { type nat hook postrouting priority 100 \; }

    Important

    Even if you do not add a rule to the prerouting chain, the nftables framework requires this chain to match incoming packet replies.
    Note that you must pass the -- option to the nft command to avoid that the shell interprets the negative priority value as an option of the nft command.
  3. Add a rule to the postrouting chain that matches outgoing packets on the ens3 interface:
    # nft add rule nat postrouting oifname "ens3" masquerade

6.3.3. Configuring source NAT using nftables

On a router, Source NAT (SNAT) enables you to change the IP of packets sent through an interface to a specific IP address.
The following procedure describes how to replace the source IP of packets leaving the router through the ens3 interface to 192.0.2.1.

Procedure 6.10. Configuring source NAT using nftables

  1. Create a table:
    # nft add table nat
  2. Add the prerouting and postrouting chains to the table:
    # nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; }
    # nft add chain nat postrouting { type nat hook postrouting priority 100 \; }

    Important

    Even if you do add a rule to the postrouting chain, the nftables framework requires this chain to match outgoing packet replies.
    Note that you must pass the -- option to the nft command to avoid that the shell interprets the negative priority value as an option of the nft command.
  3. Add a rule to the postrouting chain that replaces the source IP of outgoing packets through ens3 with 192.0.2.1:
    # nft add rule nat postrouting oifname "ens3" snat to 192.0.2.1

Additional resources

6.3.4. Configuring destination NAT using nftables

Destination NAT enables you to redirect traffic on a router to a host that is not directly accessible from the Internet.
The following procedure describes how to redirect incoming traffic sent to port 80 and 443 of the router to the host with the 192.0.2.1 IP address.

Procedure 6.11. Configuring destination NAT using nftables

  1. Create a table:
    # nft add table nat
  2. Add the prerouting and postrouting chains to the table:
    # nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; }
    # nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
    

    Important

    Even if you do not add a rule to the postrouting chain, the nftables framework requires this chain to match outgoing packet replies.
    Note that you must pass the -- option to the nft command to avoid that the shell interprets the negative priority value as an option of the nft command.
  3. Add a rule to the prerouting chain that redirects incoming traffic on the ens3 interface sent to port 80 and 443 to the host with the 192.0.2.1 IP:
    # nft add rule nat prerouting iifname ens3 tcp dport { 80, 443 } dnat to 192.0.2.1
  4. Depending on your environment, add either a SNAT or masquerading rule to change the source address:
    1. If the ens3 interface used dynamic IP addresses, add a masquerading rule:
      # nft add rule nat postrouting oifname "ens3" masquerade
    2. If the ens3 interface uses a static IP address, add a SNAT rule. For example, if the ens3 uses the 198.51.100.1 IP address:
      # nft add rule nat postrouting oifname "ens3" snat to 198.51.100.1

Additional resources

6.3.5. Configuring a redirect using nftables

The redirect feature is a special case of destination network address translation (DNAT) that redirects packets to the local machine depending on the chain hook.
The following procedure describes how to redirect incoming and forwarded traffic sent to port 22 of the local host to port 2222.

Procedure 6.12. Configuring a redirect using nftables

  1. Create a table:
    # nft add table nat
  2. Add the prerouting chain to the table:
    # nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; }
    Note that you must pass the -- option to the nft command to avoid that the shell interprets the negative priority value as an option of the nft command.
  3. Add a rule to the prerouting chain that redirects incoming traffic on port 22 to port 2222:
    # nft add rule nat prerouting tcp dport 22 redirect to 2222

Additional resources