How to Add a Destination NAT Rule with iptables

Learn how to configure destination NAT (Network Address Translation) on Debian Linux with these examples.

Example 1: Destination NAT for a Single Port

If you want to forward incoming traffic on port 80 to the internal IP address 192.168.1.10, follow these steps:

  1. Open a terminal or SSH connection to your Debian Linux server.

  2. Execute the following command as the root user or with root privileges to add the destination NAT rule:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80

    This command adds a rule to the NAT table, redirecting incoming TCP traffic on port 80 to the internal IP address 192.168.1.10, port 80.

  3. Save the iptables rules to persist them across reboots:

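    iptables-save > /etc/iptables/rules.v4

  4. Restart the netfilter-persistent service (provided by the iptables-persistent package on Debian) to reload the saved rules. The rule added in step 2 is already active; this step confirms that the saved file loads cleanly:

    systemctl restart netfilter-persistent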

Example 2: Destination NAT for a Port Range

If you want to forward incoming traffic for a range of ports (8000-9000) to the internal IP address 192.168.1.20, follow these steps:

  1. Open a terminal or SSH connection to your Debian Linux server.

  2. Execute the following command as the root user or with root privileges to add the destination NAT rule:

    iptables -t nat -A PREROUTING -p tcp --dport 8000:9000 -j DNAT --to-destination 192.168.1.20

    This command adds a rule to the NAT table, redirecting incoming TCP traffic for the port range 8000-9000 to the internal IP address 192.168.1.20.

  3. Save the iptables rules to persist them across reboots:

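    iptables-save > /etc/iptables/rules.v4

  4. Restart the netfilter-persistent service (provided by the iptables-persistent package on Debian) to reload the saved rules. The rule added in step 2 is already active; this step confirms that the saved file loads cleanly:

    systemctl restart netfilter-persistent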

Please note that these examples provide basic iptables NAT configuration rules. Depending on your system's requirements and configuration, additional rules may be necessary to achieve the desired functionality. Make sure to customize the rules accordingly and consult the documentation for further details.
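
A check that fits the note above, as an added example that is not part of the original page: the function reads iptables-save output (the format written to /etc/iptables/rules.v4) and flags each PREROUTING DNAT rule that matches on every interface or has no matching ACCEPT in a default-drop FORWARD chain. The function name, the flag labels and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Audit an iptables-save dump: list each PREROUTING DNAT rule and flag exposure gaps.
audit_dnat() {
  awk '
    /^\*/ { table = substr($0, 2); next }                  # "*nat" / "*filter" section header
    table == "filter" && $1 == ":FORWARD" { policy = $2 }  # default policy of the FORWARD chain
    table == "filter" && $1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/ {
      # remember every destination host that FORWARD explicitly accepts
      for (i = 3; i < NF; i++)
        if ($i == "-d") { d = $(i + 1); sub(/\/32$/, "", d); fwd_ok[d] = 1 }
    }
    table == "nat" && $1 == "-A" && $2 == "PREROUTING" && /-j DNAT/ {
      n++; inif[n] = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-i") inif[n] = $(i + 1)
        if ($i == "--dport") port[n] = $(i + 1)
        if ($i == "--to-destination") to[n] = $(i + 1)
      }
    }
    END {
      for (k = 1; k <= n; k++) {
        host = to[k]; sub(/:.*$/, "", host)                # strip ":port" from the target
        flags = ""
        # no -i match: the rule rewrites traffic arriving on every interface
        if (inif[k] == "") flags = flags ",any-interface"
        # FORWARD should default to DROP and accept only the translated flow
        if (policy != "DROP") flags = flags ",forward-not-default-drop"
        else if (!(host in fwd_ok)) flags = flags ",no-forward-accept"
        if (flags == "") flags = ",ok"
        print "dport=" port[k] " to=" to[k] " flags=" substr(flags, 2)
      }
    }'
}

# Constructed sample in iptables-save format, using the two rules from the examples above.
SAMPLE='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
-A PREROUTING -p tcp -m tcp --dport 8000:9000 -j DNAT --to-destination 192.168.1.20
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.1.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE" | audit_dnat
```

On a live system the same function can be fed with `iptables-save | audit_dnat` or `audit_dnat < /etc/iptables/rules.v4`.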