How to Implement IP Port Forwarding Between Local Network Hosts Using iptables NAT Rules


When you need to redirect traffic from one internal IP to another within the same network, iptables' NAT capabilities provide an efficient solution. This is particularly useful when:

  • Migrating services between servers without changing client configurations
  • Creating transparent proxies or load balancers
  • Implementing security through indirection

For forwarding TCP port 80 traffic from 192.168.12.87 to 192.168.12.77:

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# PREROUTING rule for destination NAT
iptables -t nat -A PREROUTING -d 192.168.12.87 -p tcp --dport 80 -j DNAT --to-destination 192.168.12.77:80

# POSTROUTING rule for source NAT: rewrites the client address to 192.168.12.87 so that
# replies from 192.168.12.77 come back through this host (note that the destination's logs
# will then show 192.168.12.87 instead of the real client address)
iptables -t nat -A POSTROUTING -p tcp -d 192.168.12.77 --dport 80 -j SNAT --to-source 192.168.12.87

# Allow forwarded traffic in the FORWARD chain (required when the chain's default policy is DROP)
iptables -A FORWARD -d 192.168.12.77 -p tcp --dport 80 -j ACCEPT
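The rules above are easy to apply twice or to mistype an address into, so here is an added helper script (not part of the original article) that builds the same DNAT/SNAT/FORWARD rule set from validated parameters and adds each rule only if it is not already present. The `-m conntrack --ctstate DNAT` match on the SNAT rule is my addition so that only redirected connections get their source rewritten; the function names `valid_ipv4`, `valid_port`, `nat_rule_specs` and `apply_nat_rules` are mine.

```shell
#!/bin/sh
# Added example, not from the original article. POSIX sh; applying rules needs root.
set -eu

# Accept only a dotted quad of four decimal octets in 0..255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only (no globbing risk)
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Accept only a TCP port number in 1..65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print one rule spec per line as "<table> <chain> <match/target args>", so the same
# spec works with -C (check), -A (append) and -D (delete).
# Args: front_ip front_port back_ip back_port (front = what clients connect to).
nat_rule_specs() {
    front_ip=$1; front_port=$2; back_ip=$3; back_port=$4
    if ! valid_ipv4 "$front_ip" || ! valid_ipv4 "$back_ip"; then
        echo "nat_rule_specs: invalid IPv4 address" >&2; return 2
    fi
    if ! valid_port "$front_port" || ! valid_port "$back_port"; then
        echo "nat_rule_specs: invalid TCP port" >&2; return 2
    fi
    printf 'nat PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$front_ip" "$front_port" "$back_ip" "$back_port"
    # SNAT only connections that were actually DNATed; replies then return via this host.
    printf 'nat POSTROUTING -d %s -p tcp --dport %s -m conntrack --ctstate DNAT -j SNAT --to-source %s\n' \
        "$back_ip" "$back_port" "$front_ip"
    printf 'filter FORWARD -d %s -p tcp --dport %s -j ACCEPT\n' "$back_ip" "$back_port"
}

# Apply the specs idempotently: -C succeeds if the rule exists, otherwise -A adds it.
apply_nat_rules() {
    specs=$(nat_rule_specs "$@") || return $?
    printf '%s\n' "$specs" | while read -r table chain rest; do
        # $rest is deliberately unquoted so it splits into separate iptables arguments.
        iptables -t "$table" -C "$chain" $rest 2>/dev/null || iptables -t "$table" -A "$chain" $rest
    done
    sysctl -w net.ipv4.ip_forward=1
}
# Usage (as root): apply_nat_rules 192.168.12.87 80 192.168.12.77 80
```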

1. Using nftables (modern replacement for iptables)

nft add table ip nat
nft add chain ip nat prerouting { type nat hook prerouting priority 0 \; }
nft add chain ip nat postrouting { type nat hook postrouting priority 100 \; }

nft add rule ip nat prerouting ip daddr 192.168.12.87 tcp dport 80 dnat to 192.168.12.77:80
nft add rule ip nat postrouting ip daddr 192.168.12.77 tcp dport 80 snat to 192.168.12.87

2. Using socat for temporary redirection

socat TCP4-LISTEN:80,fork,reuseaddr TCP4:192.168.12.77:80

After implementing the rules:

# Check NAT rules
iptables -t nat -L -v -n

# Test connectivity
curl -v http://192.168.12.87
tcpdump -i any host 192.168.12.77 and port 80

  • Ensure both machines have proper route configurations
  • Adjust firewall rules on both source and destination hosts
  • For persistent rules, save them using iptables-save > /etc/iptables.rules
  • Consider connection tracking implications for stateful protocols

Symptom: Connections time out
Solution: Verify that the destination service is running and accessible from the intermediate host

Symptom: DNAT works but return traffic fails
Solution: Ensure proper SNAT/MASQUERADE rules and check reverse path filtering settings


When you need to redirect traffic from one internal IP to another within the same network, iptables' NAT capabilities provide the most efficient solution. For your specific case, where traffic destined for 192.168.12.87:80 should be forwarded to 192.168.12.77:80, we'll use the PREROUTING chain in the nat table.

Here's the complete command sequence to implement this port forwarding:

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -d 192.168.12.87 -j DNAT --to-destination 192.168.12.77:80
sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.12.77 --dport 80 -j SNAT --to-source 192.168.12.87
sudo iptables -A FORWARD -p tcp -d 192.168.12.77 --dport 80 -j ACCEPT

The first rule performs Destination NAT (DNAT) to redirect incoming packets. The second rule handles Source NAT (SNAT) to ensure reply packets get routed back correctly. The FORWARD rule explicitly allows this traffic through the firewall.

After applying these rules, verify with:

sudo iptables -t nat -L -n -v

You should see your DNAT and SNAT rules in the PREROUTING and POSTROUTING chains respectively.

On most Linux distributions, iptables rules don't persist after reboot. To save them:

sudo iptables-save > /etc/iptables.rules

Then create a startup script or use your distribution's method to restore these rules at boot.

While iptables is the most straightforward solution, you could also consider:

  • Using nginx as a reverse proxy
  • Setting up haproxy for more complex routing
  • Configuring the routing at your network gateway

If the forwarding isn't working:

  1. Verify IP forwarding is enabled (sysctl net.ipv4.ip_forward)
  2. Check for conflicting firewall rules
  3. Use tcpdump to monitor traffic flow