The most surprising thing about NAT masquerading is that it doesn't translate addresses to anything you configure in advance; it rewrites the source IP address of packets leaving your network to whatever address the gateway's outgoing interface happens to hold at that moment.
Let’s see it in action. Imagine you have a home network with a router (let’s say its internal IP is 192.168.1.1 and its public IP is 203.0.113.10) and a client machine (192.168.1.100). When 192.168.1.100 tries to reach a website on the internet, the packet looks like this on the internal network:
[IP: 192.168.1.100 -> 203.0.113.50, TCP: 12345 -> 80]
The router receives this packet on its internal interface. If it were just forwarding, it would send it out with the source IP of 192.168.1.100. But 192.168.1.100 is a private (RFC 1918) address that nobody on the internet routes, so the reply would never find its way back. This is where iptables MASQUERADE comes in.
On the router, you’d have a rule like this:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Let’s break that down:
-t nat: We're operating on the NAT table, which handles address translation.
-A POSTROUTING: This rule applies to packets after they've been routed to their destination interface but before they leave the system. This is crucial for outgoing traffic.
-o eth0: This specifies that the rule applies to packets leaving the router via the eth0 interface (assuming eth0 is your public-facing network interface).
-j MASQUERADE: This is the target. MASQUERADE is a special form of SNAT (Source Network Address Translation). It tells iptables to rewrite the source IP address of the packet to be the IP address of the outgoing interface (eth0).
So, when the packet from 192.168.1.100 hits the router and this rule, iptables transforms it into:
[IP: 203.0.113.10 -> 203.0.113.50, TCP: 12345 -> 80]
The router also keeps a table of these translations: the connection-tracking (conntrack) table, which you can inspect with conntrack -L or by reading /proc/net/nf_conntrack. When the reply comes back from 203.0.113.50 to 203.0.113.10, the router looks up the reply tuple in that table, sees that this connection originated from 192.168.1.100, and rewrites the destination IP to 192.168.1.100 before forwarding it on the internal network. One detail the diagram hides: if two internal hosts happen to use the same source port toward the same destination, the kernel also rewrites the source port of the second flow so that each reply still maps back to exactly one host.
This is how multiple devices on a private network can share a single public IP address. The router acts as the single point of contact with the internet, translating the private IPs to its own public IP for outgoing traffic and back again for incoming traffic. Note that this is translation, not filtering: the nat table never decides whether a packet is allowed, only how it is rewritten.
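To make the translation table concrete, here is a small simulation of the state MASQUERADE keeps. This is an added example written for this article, not kernel code and not the article's own; the Masquerader class, the Packet type and the 192.168.1.0/24, 203.0.113.10 and 203.0.113.50 values are constructed to match the scenario above. It shows the outbound rewrite, the reverse lookup on the reply path, the source-port reassignment when two LAN hosts collide, the refusal to deliver an unsolicited inbound packet, and the fact that the mappings are dropped when the egress interface goes down.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Constructed sample values matching the article's scenario (not real hosts).
PUBLIC_IP = "203.0.113.10"     # address eth0 currently holds
LAN = "192.168.1.0/24"         # the -s match on the refined rule


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def __str__(self) -> str:
        return (f"[IP: {self.src_ip} -> {self.dst_ip}, "
                f"{self.proto.upper()}: {self.src_port} -> {self.dst_port}]")


# Tuple seen by the remote side: (proto, remote ip, remote port, public ip, public port)
ReplyKey = Tuple[str, str, int, str, int]
# Tuple of the original packet from the LAN host
OrigKey = Tuple[str, str, int, str, int]


class Masquerader:
    """Toy model (hypothetical, for illustration) of the conntrack state behind -j MASQUERADE."""

    def __init__(self, public_ip: str, lan: str) -> None:
        self.public_ip = public_ip
        self.lan = ipaddress.ip_network(lan)
        self.reply: Dict[ReplyKey, Tuple[str, int]] = {}   # reply tuple -> original (ip, port)
        self.orig: Dict[OrigKey, int] = {}                  # original tuple -> public port

    def _pick_port(self, wanted: int, proto: str, dst_ip: str, dst_port: int) -> int:
        """Keep the client's source port if the reply tuple is free, else allocate another.

        Two LAN hosts using the same source port to the same server would
        otherwise produce identical reply tuples and an ambiguous un-NAT."""
        port = wanted
        while (proto, dst_ip, dst_port, self.public_ip, port) in self.reply:
            port = port + 1 if port < 65535 else 1024
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """POSTROUTING -o eth0: rewrite the source of LAN-originated packets."""
        if ipaddress.ip_address(pkt.src_ip) not in self.lan:
            return pkt                                  # -s did not match: left untouched
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.orig:                        # first packet of this flow
            port = self._pick_port(pkt.src_port, pkt.proto, pkt.dst_ip, pkt.dst_port)
            self.orig[key] = port
            self.reply[(pkt.proto, pkt.dst_ip, pkt.dst_port, self.public_ip, port)] = (
                pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.orig[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return path: map a packet addressed to the public IP back to the LAN host.

        None means no matching state, i.e. an unsolicited inbound packet that
        MASQUERADE alone will never deliver to an internal host."""
        entry = self.reply.get((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if entry is None:
            return None
        return replace(pkt, dst_ip=entry[0], dst_port=entry[1])

    def interface_down(self) -> None:
        """MASQUERADE forgets its mappings when the egress interface goes down."""
        self.reply.clear()
        self.orig.clear()


def demo() -> dict:
    gw = Masquerader(PUBLIC_IP, LAN)
    a = gw.outbound(Packet("192.168.1.100", 12345, "203.0.113.50", 80))
    # A second host happens to pick the same source port toward the same server.
    b = gw.outbound(Packet("192.168.1.101", 12345, "203.0.113.50", 80))
    reply_b = gw.inbound(Packet("203.0.113.50", 80, PUBLIC_IP, b.src_port))
    # Unsolicited connection attempt to the public address: no state, not delivered.
    stray = gw.inbound(Packet("198.51.100.7", 4444, PUBLIC_IP, 22))
    return {"a": a, "b": b, "reply_b": reply_b, "stray": stray}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name}: {pkt}")
```

Running it prints the first host's packet leaving as 203.0.113.10:12345, the second host's as 203.0.113.10:12346, the reply to port 12346 mapped back to 192.168.1.101:12345, and None for the stray packet. The real kernel chooses replacement ports differently, but the invariant is the same: the reply tuple must be unique per flow or the return path cannot be resolved.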
To enable IP forwarding, which is a prerequisite for NAT to work, you need to edit /etc/sysctl.conf (or drop a file into /etc/sysctl.d/ on distributions that use it) and uncomment or add the following line:
net.ipv4.ip_forward = 1
Then, apply the change without rebooting (use sudo sysctl --system if you put the line under /etc/sysctl.d/):
sudo sysctl -p
If you want to be more specific and only masquerade traffic from a particular internal network (e.g., 192.168.1.0/24) going out a specific interface (eth0), you can refine the rule:
sudo iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
This ensures that only traffic originating from your private subnet is masqueraded, preventing unintended translation of other traffic that might be passing through your router, for example packets from a second internal network or a VPN that you did not mean to hide behind the public address.
A common pitfall is forgetting to make the iptables rules persistent across reboots. You’ll typically use iptables-persistent on Debian/Ubuntu systems:
sudo apt-get install iptables-persistent
sudo netfilter-persistent save
Or iptables-services on RHEL/CentOS (on releases that ship firewalld, disable it first, since it manages the same tables and will overwrite your rules):
sudo yum install iptables-services
sudo systemctl disable --now firewalld
sudo systemctl enable iptables
sudo service iptables save
Without persistence, your masquerading will disappear after every reboot. After saving, verify what actually got written with sudo iptables -t nat -S, and check iptables -V: on recent distributions the iptables command is a front end for nftables, which is fine, but it means rules added with the native nft tool and rules added with iptables live side by side and one save tool will not capture the other.
The core concept is that MASQUERADE is dynamic; it looks up the current IP address of the egress interface for each new connection and, as a deliberate side effect, drops its tracked connections when that interface goes down, so no stale mappings survive an address change. This is perfect for dynamic IP addresses (like those from a DHCP client on your ISP's connection). If your public IP were static, you'd typically use SNAT and explicitly specify the public IP:
sudo iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.10
The subtle difference is that SNAT requires you to know and specify the IP, while MASQUERADE figures it out on the fly, making it more flexible for DHCP-assigned public IPs; with a static address SNAT is the more predictable choice, since it costs no per-connection address lookup and keeps its state across interface flaps.
The next problem you'll likely encounter is allowing specific incoming connections, as MASQUERADE only handles outgoing traffic and the return path for established connections. Keep in mind, too, that enabling forwarding turns the box into a router for every interface it has: whether a forwarded packet is permitted at all is decided by the filter table's FORWARD chain, not by the nat rule, so set that chain's policy to DROP and accept only established/related traffic plus the flows you actually intend to pass.