Ubuntu IP Masquerading (NAT)

For example, I will configure IPv4 masquerading (NAT) on Ubuntu Server.
First you need to enable packet forwarding in /etc/sysctl.conf so that traffic can walk between different network interfaces.
Let’s check the current status:

sysctl net.ipv4.conf.all.forwarding
cat /proc/sys/net/ipv4/ip_forward

If it is 0, then enable it with the following command:

sysctl -w net.ipv4.conf.all.forwarding=1

To keep this after the system restart, open the file /etc/sysctl.conf for example in the nano editor (Ctrl + X to exit, y / n to save or discard changes):

nano /etc/sysctl.conf

And add the line:


If necessary, you can clear existing NAT rules:

iptables -t nat --flush

Now it remains to add a rule to iptables, for example:

iptables -t nat -A POSTROUTING -s -j SNAT --to-source

Where, internal network, and the address through which you need to go to the Internet, similarly prescribed other internal networks.
Let me remind the mask for private networks:

If the IP address on the external network interface changes (dynamic), then instead of SNAT we specify MASQUERADE:

iptables -t nat -A POSTROUTING -s -j MASQUERADE

Do not forget to save the added iptables rules.
For example, you can open the network interface configuration file (its contents are loaded at system startup):

nano /etc/network/interfaces

And at the end add iptables rules, for example I will indicate the masquerading of this network at once to several IP addresses, and also with the indication of the network interface:

post-up /sbin/iptables -t nat -A POSTROUTING -s -o eth3 -j SNAT --to-source --persistent

Or add to the file:

nano /etc/rc.local
/sbin/iptables -t nat -A POSTROUTING -s -o eth3 -j SNAT --to-source --persistent

I recommend to specify the outgoing network interface, if you do not specify it, then local traffic will return to the network under NAT IP.
If there are several outgoing interfaces, let’s say the load is balanced through BGP, etc., then we indicate with two rules:

/sbin/iptables -t nat -A POSTROUTING -s -o eth3 -j SNAT --to-source --persistent
/sbin/iptables -t nat -A POSTROUTING -s -o eth4 -j SNAT --to-source --persistent

You can see under which IP address of the NAT the traffic of the gray IP address goes out, as well as all connections:

conntrack -L
conntrack -L -p tcp --dport 25
conntrack -L | grep > ixnfo.com.txt

See also my articles:
NAT Modules for VPN, FTP, SIP
Difference between MASQUERADE and SNAT
Configuring IPTables
How to fix the error “nf_conntrack: table full, dropping package”
Using Linux ISG

Leave a comment

Leave a Reply