Installing and configuring xt_NAT

This is an example of installing and configuring xt_NAT on Ubuntu Server 14.04 with kernel version 4.4.0-142. xt_NAT may not work on newer kernel versions; according to the developer, it should work on Linux kernels 3.18 and 4.1. Patches can be found to make it work on newer kernel versions.

Check and enable packet forwarding between interfaces, and also set it in the /etc/sysctl.conf file:

cat /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.conf.all.forwarding=1

nano /etc/sysctl.conf

Switch to the root user and install the necessary components:

sudo -i
apt install xtables-addons-source

Download xt_NAT:

git clone

I also saved it here just in case.

Let’s perform the installation:

cd xt_NAT
make install
depmod -a

After installing xt_NAT, load the module, specifying the range of IP addresses for NAT (not the client’s network):

modprobe xt_NAT nat_pool=

Example of unloading the module:

modprobe -r xt_NAT

You can also export statistics as NetFlow v5; to do this, specify the collector address in “nf_dest”, for example:

modprobe xt_NAT nat_pool= nf_dest=

Disable conntrack for xt_NAT traffic (where is the client’s network):

iptables -t raw -A PREROUTING -s -j CT --notrack
iptables -t raw -A PREROUTING -d <NAT Pool Net> -j CT --notrack

Add iptables rules to use the xt_NAT module for user traffic (eth0 – uplink interface, eth1 – towards clients):

iptables -t raw -A PREROUTING -d <NAT Pool Net> -j NAT --dnat
iptables -A FORWARD -d -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -s -i eth1 -o eth0 -j NAT --snat

On the second network interface, which faces the clients, set the IP address in /etc/network/interfaces, or temporarily with the command:

ifconfig eth1 inet netmask

In the files below you can see statistics and, for example, graph them in Zabbix:
/proc/net/NAT/sessions (Proto SrcIP:SrcPort -> NatIP:NatPort)
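
One way to turn the sessions file into numbers a Zabbix item can graph, and to spot a client that is holding a large share of the NAT port pool. This is an added example, not part of xt_NAT or the original article; the function names are hypothetical, and the exact line layout ("TCP 10.0.0.5:51234 -> 203.0.113.10:40001") is an assumption based on the format given above.

```shell
#!/bin/sh
# Summarise xt_NAT sessions per client IP (added example, not from xt_NAT).
# Assumption: each session line looks like
#   "TCP 10.0.0.5:51234 -> 203.0.113.10:40001"
# i.e. Proto SrcIP:SrcPort -> NatIP:NatPort. Lines that do not match
# (headers, blanks) are ignored.

# nat_sessions_by_client FILE -> "count src_ip" lines, busiest client first
nat_sessions_by_client() {
    awk '$3 == "->" && split($2, src, ":") == 2 { n[src[1]]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# nat_sessions_total FILE [PROTO] -> session count, optionally for one protocol
nat_sessions_total() {
    awk -v p="$2" '$3 == "->" && (p == "" || toupper($1) == toupper(p)) { c++ }
         END { print c + 0 }' "$1"
}

# nat_clients_over FILE LIMIT -> client IPs holding more than LIMIT sessions
nat_clients_over() {
    nat_sessions_by_client "$1" | awk -v lim="$2" '$1 > lim { print $2 }'
}

# Constructed sample data (RFC 1918 / RFC 5737 addresses), not real output.
make_sample() {
    cat <<'EOF'
TCP 10.0.0.5:51234 -> 203.0.113.10:40001
TCP 10.0.0.5:51235 -> 203.0.113.10:40002
UDP 10.0.0.5:5353 -> 203.0.113.10:40003
UDP 10.0.0.7:123 -> 203.0.113.11:40001
TCP 10.0.0.9:40000 -> 203.0.113.11:40002
EOF
}

# On a host with the module loaded, print the ten busiest clients.
if [ -r /proc/net/NAT/sessions ]; then
    nat_sessions_by_client /proc/net/NAT/sessions | head -n 10
fi
```
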

See also my articles:
Ubuntu IP Masquerading (NAT)
Difference between MASQUERADE and SNAT
