This follows on from concepts explained in "If we all have the same IP addresses how does the internet work?"
The high level problems
I have a Linux server machine connected to my laptop via Ethernet. How can I change the destination of where data flows?
I want to be able to say
- Any traffic coming in over Ethernet for IP address 98.76.54.32, route it to the server on my other laptop with address 10.0.0.6. This is changing the destination address of a packet, or DNAT: Destination Network Address Translation (changing the destination to a specific address).
- I want to take traffic arriving over Ethernet with an internal IP address and route it to external servers. In effect I want the data from my server machine to be sent to the internet with the IP address of my laptop. This is changing the source address of a packet, or SNAT: Source Network Address Translation (changing the source to a specific address).
The home address of my z/OS system was 10.1.1.2. My Linux machine has IP address 192.168.1.139.
Kindergarten concepts of a router
Traffic comes in to a router. There are rules which control how traffic is routed, for example this address range should go down the Ethernet connection, anything else (the default) goes over the wireless connection.
Below the surface
I picture the router as 3 boxes in a row. Before – router – after.
- Before: You can specify rules to be applied before the data gets to the routing code. This allows you to change information in the packet header, such as the destination address or port. The rule type for this is called PREROUTING. The packet then flows into…
- The router: This decides where each packet goes. The packet then flows into…
- After: You can change the packets before they get sent down the interface. This rule type is POSTROUTING.
Changing the destination
The command on my Linux laptop
iptables -t nat -A PREROUTING -p tcp --dport 1122 -j DNAT --to-destination 10.0.0.6:3344
Send all TCP traffic destined for port 1122 to the machine with IP address 10.0.0.6, and change the port to 3344.
It is PREROUTING, meaning that the change is made before any routing decisions are made.
Changing the source – getting the data to the outside world
The following command on my Linux laptop
iface=wlxcc641aee92c5
sudo iptables -t nat -A POSTROUTING -s 10.1.1.2 -o $iface -j SNAT --to-source 192.168.1.139
tells Linux to take any traffic from 10.1.1.2 that is going out over the interface wlxcc641aee92c5, and apply Source Network Address Translation (SNAT) so it looks like it came from 192.168.1.139 (my wireless interface).
This is POSTROUTING because the routing decision has already been made, and the data is ready to be sent over the interface (e.g. wireless).
This is fine as long as you know the IP address of your interface (192.168.1.139). If your router has DHCP, the Linux machine may get a different address every time. In this case you can use
iface=wlxcc641aee92c5
sudo iptables -t nat -A POSTROUTING -s 10.1.1.2 -o wlxcc641aee92c5 -j MASQUERADE
which I believe says: for the specified source address 10.1.1.2, use the address of the -o output device.
You might just use the MASQUERADE option every time as it is easier to type.
If you want to specify all traffic (or just want it to work) you can omit the -s:
iface=wlxcc641aee92c5
sudo iptables -t nat -A POSTROUTING -o $iface -j MASQUERADE
There are some good examples here.
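The source-NAT setup above, written as a scoped rule set (an added example, not part of the original post): it keeps the -s match on MASQUERADE and adds IP forwarding plus FORWARD filter rules, which the post does not cover, so the laptop only relays traffic for the one internal host. Assumptions: the Ethernet interface name eth0 is a placeholder (the page does not give it), and the helper names nat_rules and run_rules are hypothetical.

```shell
#!/bin/sh
# Added example. Prints the commands by default; run as root with APPLY=1 to execute them.
WAN_IF="${WAN_IF:-wlxcc641aee92c5}"   # wireless interface, from the page
LAN_IF="${LAN_IF:-eth0}"              # ASSUMPTION: name of the Ethernet interface
SRC="${SRC:-10.1.1.2}"                # internal host, from the page

nat_rules() {
    # $1 = internal source address, $2 = LAN interface, $3 = WAN interface
    # 1. let the kernel forward packets between interfaces
    # 2. drop forwarded traffic unless a rule below accepts it
    # 3. allow the internal host out, LAN -> WAN
    # 4. allow only replies to its connections back in, WAN -> LAN
    # 5. rewrite the source address on the way out (POSTROUTING)
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $2 -o $3 -s $1 -j ACCEPT
iptables -A FORWARD -i $3 -o $2 -d $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $1 -o $3 -j MASQUERADE
EOF
}

run_rules() {
    # Reads one command per line on stdin, echoes it, executes it only if APPLY=1.
    while IFS= read -r cmd; do
        echo "+ $cmd"
        if [ "${APPLY:-0}" = "1" ]; then
            $cmd || return 1
        fi
    done
}

nat_rules "$SRC" "$LAN_IF" "$WAN_IF" | run_rules
```

After applying, `sudo iptables -t nat -L POSTROUTING -n -v` shows the rule with its packet counters, which confirms whether traffic from 10.1.1.2 is actually matching it.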
Published December 6, 2025