Linux NAT router

This document presents the commands needed to configure a Linux host as a NAT router in an IPv4 network. NAT (Network Address Translation) was designed to provide Internet connectivity to a network that has only a limited number of public addresses: the hosts behind the router use private addresses and share the router's public address when talking to the Internet.

Network architecture

For the sake of clarity, this document uses the following interface names and network addresses:

               +--------------------------------+
               |             Linux              |      Private Network
Internet ------| eth0        Router        eth1 |----- (Wifi, VPN...)
               |                                |             |
               +--------------------------------+             |
                                                         +---------+
                                                         | Private |
                                                         |  Host   |
                                                         +---------+

Hosts connected to the private network don’t have public IPv4 addresses and are configured to connect to the Internet via a router sitting at

To configure the router so that the private host gets access to the Internet, issue the following commands on the Linux router:

  • Configure the firewall to do NAT:

    # If the public address ( is static, use this command
    iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT --to-source
    # Otherwise, if the public address is dynamic (DHCP, PPPoE...), use this command
    iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
  • Configure the firewall to allow packet forwarding (needed when the FORWARD chain does not already accept everything; note that the second rule accepts any packet arriving on eth0 that is addressed to the private network, not only the replies to connections opened from the inside):

    iptables -A FORWARD -s -i eth1 -o eth0 -j ACCEPT
    iptables -A FORWARD -d -i eth0 -o eth1 -j ACCEPT
  • Enable packet forwarding via sysctl (sysctl -w writes the value to the corresponding file under /proc/sys/):

    sysctl -w net.ipv4.conf.eth0.forwarding=1
    sysctl -w net.ipv4.conf.eth1.forwarding=1
    # The per-interface entries may not exist in old kernels. In that case, use:
    # sysctl -w net.ipv4.ip_forward=1
    # ... which acts like: sysctl -w net.ipv4.conf.all.forwarding=1
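The whole procedure above as one script, added here as an example and not taken from the original page. The interface names are the page's eth0 and eth1; the private subnet (192.168.10.0/24) and the static public address (203.0.113.5, an RFC 5737 documentation address) are placeholders standing in for the addresses the page leaves out, to be replaced with your own. The script differs from the page's rules in two ways a practitioner would want: the FORWARD policy is set to DROP, and the return path only admits packets that belong to a connection opened from the private network (-m conntrack --ctstate RELATED,ESTABLISHED) instead of any packet addressed to the private network. By default it only prints the commands (DRY_RUN=1); run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example (not from the original page): build the NAT router rules
# described above. With DRY_RUN=1 (the default) the commands are printed
# for review; with DRY_RUN=0 they are executed (requires root).
# PRIV_NET and PUB_IP are hypothetical placeholders for the addresses the
# page elides; replace them with the real subnet and public address.
WAN_IF="${WAN_IF:-eth0}"                 # interface towards the Internet
LAN_IF="${LAN_IF:-eth1}"                 # interface towards the private network
PRIV_NET="${PRIV_NET:-192.168.10.0/24}"  # hypothetical private subnet
PUB_IP="${PUB_IP:-}"                     # static public address; empty = dynamic
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nat_rule: SNAT to a fixed address when the public address is static,
# MASQUERADE (address looked up per packet) when it is dynamic.
nat_rule() {
    if [ -n "$PUB_IP" ]; then
        run iptables -t nat -A POSTROUTING -s "$PRIV_NET" -o "$WAN_IF" \
            -j SNAT --to-source "$PUB_IP"
    else
        run iptables -t nat -A POSTROUTING -s "$PRIV_NET" -o "$WAN_IF" \
            -j MASQUERADE
    fi
}

# forward_rules: default-deny forwarding, let the private network out, and
# only let replies to connections it opened (RELATED,ESTABLISHED) back in.
forward_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -s "$PRIV_NET" -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -d "$PRIV_NET" -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# forwarding_sysctls: enable forwarding on the two router interfaces only
# (old kernels without per-interface entries need net.ipv4.ip_forward=1).
forwarding_sysctls() {
    run sysctl -w "net.ipv4.conf.$WAN_IF.forwarding=1"
    run sysctl -w "net.ipv4.conf.$LAN_IF.forwarding=1"
}

# setup_nat_router: the three steps of the procedure, in order.
setup_nat_router() {
    nat_rule
    forward_rules
    forwarding_sysctls
}

setup_nat_router
```

The rules are appended (-A), so running the script twice with DRY_RUN=0 adds duplicates; flush the chains first (iptables -F FORWARD; iptables -t nat -F POSTROUTING) or keep the rules in a file loaded once at boot. Setting the FORWARD policy to DROP also blocks any other forwarding path the router may have, so add explicit ACCEPT rules for those if needed.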

Persistent configuration

You may create the following files so that the configuration is restored after a reboot.

/etc/iptables/iptables.rules (please adapt this path according to your Linux distribution; the file uses the iptables-save format read by iptables-restore, so each table starts with a *table line and ends with COMMIT):

*filter
# (... INPUT and OUTPUT filters ...)
-A FORWARD -s -i eth1 -o eth0 -j ACCEPT
-A FORWARD -d -i eth0 -o eth1 -j ACCEPT
COMMIT

*nat
-A POSTROUTING -s -o eth0 -j SNAT --to-source
COMMIT

/etc/sysctl.d/ip_forward.conf (or /etc/sysctl.conf on old systems):