
I want to forward an internal IP address to an external one.

So here's what I do:

echo 1 > /proc/sys/net/ipv4/ip_forward

Then I use iptables:

iptables -t nat -A PREROUTING -s 192.168.1.x  -j DNAT --to-destination 95.211.y.z
iptables -t nat -A POSTROUTING -j MASQUERADE

After this point, I'd expect to reach the server at 95.211.y.z when I ping 192.168.1.x. In other words, I'd expect all traffic that is directed towards the internal IP to be translated into that external IP, but that doesn't happen.

Where am I wrong?

slm
Emre S

2 Answers


In this case, what you see in the ICMP client, for example, is not necessarily what's really happening. The DNAT connection will work as expected, but the ICMP client will keep showing you the private IP address.

Be sure to allow the response from the destination server to your client/network.

http://www.mad-hacking.net/documentation/linux/security/iptables/nat.xml

  • I read that article over and over and it's not clear to me. I'm probably missing the background information on IP stuff. How would you achieve what I want to achieve here? – Emre S Jul 24 '13 at 13:24
  • iptables -t nat -A PREROUTING -p tcp -i ethLAN -s 192.168.1.0/24 -d 192.168.1.5 --dport 1:65535 -j DNAT --to-dest 95.211.1.1
    iptables -t nat -A POSTROUTING -o ethWAN -j MASQUERADE
    (this will only work for TCP connections) – Ulissis Jul 24 '13 at 19:36

I'm assuming that you mean you want to be able to reach a host on the WAN from hosts on your LAN using an address in the private IP space. If that's not correct, then this answer may not be helpful.

You need to match traffic arriving on the LAN interface with a destination set to the private address you want to remap (192.168.1.5). You also only need to MASQUERADE traffic exiting on the WAN interface.

iptables -t nat -A PREROUTING -i ethLAN -d 192.168.1.5 -j DNAT --to-destination 95.211.1.1
iptables -t nat -A POSTROUTING -o ethWAN -j MASQUERADE

Your main error is that the -s should have been -d, but you should also specify the interfaces. You also need to make sure that the private-space address you select is not in the same subnet as any network on your LAN. This is necessary because if you use an address on the same subnet, the originating host will send out ARP requests rather than sending the packet along the default route. No one will answer the ARP requests, and the path you are trying to create will not work.

Jonathan Swinney