Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

6.3. Configuring NAT using nftables

With nftables, you can configure the following network address translation (NAT) types:
  • Masquerading
  • Source NAT (SNAT)
  • Destination NAT (DNAT)
  • Redirect
These are the different network address translation (NAT) types:

Masquerading and source NAT (SNAT)

Use one of these NAT types to change the source IP address of packets. For example, Internet Service Providers do not route private IP ranges, such as 10.0.0.0/8. If you use private IP ranges in your network and users should be able to reach servers on the Internet, map the source IP address of packets from these ranges to a public IP address.
Both masquerading and SNAT are very similar. The differences are:
  • Masquerading automatically uses the IP address of the outgoing interface. Therefore, use masquerading if the outgoing interface uses a dynamic IP address.
  • SNAT sets the source IP address of packets to a specified IP and does not dynamically look up the IP of the outgoing interface. Therefore, SNAT is faster than masquerading. Use SNAT if the outgoing interface uses a fixed IP address.

Destination NAT (DNAT)

Use this NAT type to route incoming traffic to a different host. For example, if your web server uses an IP address from a reserved IP range and is, therefore, not directly accessible from the Internet, you can set a DNAT rule on the router to redirect incoming traffic to this server.

Redirect

This type is a special case of DNAT that redirects packets to the local machine depending on the chain hook. For example, if a service runs on a different port than its standard port, you can redirect incoming traffic from the standard port to this specific port.

6.3.2. Configuring masquerading using nftables
Copy link

Masquerading enables a router to dynamically change the source IP of packets sent through an interface to the IP address of the interface. This means that if the interface gets a new IP assigned, nftables automatically uses the new IP when replacing the source IP.
The following procedure describes how to replace the source IP of packets leaving the host through the ens3 interface to the IP set on ens3.

Procedure 6.9. Configuring masquerading using nftables

  1. Create a table: 
    # nft add table nat
    Copy to Clipboard Toggle word wrap
  2. Add the prerouting and postrouting chains to the table: 
    # nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; }
# nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
    Copy to Clipboard Toggle word wrap

    Important

    Even if you do not add a rule to the prerouting chain, the nftables framework requires this chain to match incoming packet replies.
    Note that you must pass the -- option to the nft command to avoid that the shell interprets the negative priority value as an option of the nft command.
  3. Add a rule to the postrouting chain that matches outgoing packets on the ens3 interface: 
    # nft add rule nat postrouting oifname "ens3" masquerade
    Copy to Clipboard Toggle word wrap

6.3.3. Configuring source NAT using nftables
Copy link

On a router, Source NAT (SNAT) enables you to change the IP of packets sent through an interface to a specific IP address.
The following procedure describes how to replace the source IP of packets leaving the router through the ens3 interface to 192.0.2.1.

Procedure 6.10. Configuring source NAT using nftables

  1. Create a table: 
    # nft add table nat
    Copy to Clipboard Toggle word wrap
  2. Add the prerouting and postrouting chains to the table: 
    # nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; }
# nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
    Copy to Clipboard Toggle word wrap

    Important

    Even if you do not add a rule to the prerouting chain, the nftables framework requires this chain to match outgoing packet replies.
    Note that you must pass the -- option to the nft command to avoid that the shell interprets the negative priority value as an option of the nft command.
  3. Add a rule to the postrouting chain that replaces the source IP of outgoing packets through ens3 with 192.0.2.1: 
    # nft add rule nat postrouting oifname "ens3" snat to 192.0.2.1
    Copy to Clipboard Toggle word wrap

Additional resources

6.3.4. Configuring destination NAT using nftables
Copy link

Destination NAT enables you to redirect traffic on a router to a host that is not directly accessible from the Internet.
The following procedure describes how to redirect incoming traffic sent to port 80 and 443 of the router to the host with the 192.0.2.1 IP address.

Procedure 6.11. Configuring destination NAT using nftables

  1. Create a table: 
    # nft add table nat
    Copy to Clipboard Toggle word wrap
  2. Add the prerouting and postrouting chains to the table: 
    # nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; }
# nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
    Copy to Clipboard Toggle word wrap

    Important

    Even if you do not add a rule to the postrouting chain, the nftables framework requires this chain to match outgoing packet replies.
    Note that you must pass the -- option to the nft command to avoid that the shell interprets the negative priority value as an option of the nft command.
  3. Add a rule to the prerouting chain that redirects incoming traffic on the ens3 interface sent to port 80 and 443 to the host with the 192.0.2.1 IP: 
    # nft add rule nat prerouting iifname ens3 tcp dport { 80, 443 } dnat to 192.0.2.1
    Copy to Clipboard Toggle word wrap
  4. Depending on your environment, add either a SNAT or masquerading rule to change the source address:
    1. If the ens3 interface used dynamic IP addresses, add a masquerading rule: 
      # nft add rule nat postrouting oifname "ens3" masquerade
      Copy to Clipboard Toggle word wrap
    2. If the ens3 interface uses a static IP address, add a SNAT rule. For example, if the ens3 uses the 198.51.100.1 IP address: 
      # nft add rule nat postrouting oifname "ens3" snat to 198.51.100.1
      Copy to Clipboard Toggle word wrap

Additional resources

6.3.5. Configuring a redirect using nftables
Copy link

The redirect feature is a special case of destination network address translation (DNAT) that redirects packets to the local machine depending on the chain hook.
The following procedure describes how to redirect incoming and forwarded traffic sent to port 22 of the local host to port 2222.

Procedure 6.12. Configuring a redirect using nftables

  1. Create a table: 
    # nft add table nat
    Copy to Clipboard Toggle word wrap
  2. Add the prerouting chain to the table: 
    # nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; }
    Copy to Clipboard Toggle word wrap
    Note that you must pass the -- option to the nft command to avoid that the shell interprets the negative priority value as an option of the nft command.
  3. Add a rule to the prerouting chain that redirects incoming traffic on port 22 to port 2222: 
    # nft add rule nat prerouting tcp dport 22 redirect to 2222
    Copy to Clipboard Toggle word wrap

Additional resources

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat