Use iptables to Implement Packet Filtering and Configure Network Address Translation (NAT)

This article describes how to use iptables to implement packet filtering and configure Network Address Translation (NAT), with specific reference to the information needed for the RHCE EX300 certification exam.

Remember, the exams are hands-on, so it doesn’t matter which method you use to achieve the result, so long as the end product is correct.

To test this requirement we need two servers (rhce1 and rhce2). The first server has two ethernet adapters: one connects to the internet, the other is on a private network. The second server has a single ethernet adapter on the private network. The aim is to allow rhce2 to reach the internet via rhce1, which acts as the router and NAT gateway.

The interface layout used throughout is as follows.

rhce1.localdomain : eth0 - Connects to the internet.
                    eth1 - Private network.

rhce2.localdomain : eth0 - Private network.


Edit the “/etc/sysctl.conf” file on rhce1, amending the “net.ipv4.ip_forward” entry as follows.

net.ipv4.ip_forward = 1

Run the following command to reload "/etc/sysctl.conf" so the change takes effect immediately (the file is also read at boot, so the setting persists).

# /sbin/sysctl -p

Make sure the default gateway on rhce2 is the private network (eth1) address of rhce1, and that rhce2 can resolve names. The routing table on rhce2 should show a default route via rhce1 and a directly connected route for the private network (the addresses are omitted here).

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default                                         UG    0      0        0 eth0
                *                               U     1      0        0 eth0

# nslookup

Non-authoritative answer:


Configure the firewall on rhce1 to accept packets forwarded between the two interfaces and to masquerade (source NAT) traffic leaving through eth0, the adapter with external access. The rules are inserted at the top of the chains (-I) rather than appended (-A) because the default RHEL 6 iptables configuration ends the FORWARD chain with a REJECT rule, so an appended ACCEPT would never be reached. Note that the second FORWARD rule accepts all traffic from the internet into the private network; in practice it is normally restricted to ESTABLISHED,RELATED connections so only replies to outbound traffic are forwarded.

# iptables -I FORWARD -i eth1 -o eth0 -j ACCEPT
# iptables -I FORWARD -i eth0 -o eth1 -j ACCEPT

# iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

# service iptables save

Saving writes the running rule set to "/etc/sysconfig/iptables" so it is reloaded at boot; without this step the rules are lost when the service or the machine restarts.

The rhce2 machine should now have access to the internet via the rhce1 box. Check the packet counters on the FORWARD and POSTROUTING chains to confirm traffic is actually matching the rules.
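The rhce1 side of the procedure as a single reviewable script. This is an added example and is not part of the original article: it prints the rule set so it can be checked before being applied, verifies the live ip_forward value instead of trusting that sysctl -p was run, and tightens the internet-to-private rule to ESTABLISHED,RELATED (a choice of this example; the article's rule accepts everything). The IPT variable, the function names and the "apply" argument are conventions of this script, not of iptables.

```shell
#!/bin/sh
# Added example, not from the original article: builds, checks and (on request)
# applies the rhce1 forwarding + NAT rule set. eth0/eth1 and the rule shape come
# from the article; IPT, the function names and the stateful FORWARD rule are
# assumptions made here.
set -eu

IPT=${IPT:-iptables}

# Emit the rule commands for an external and an internal interface, one per line.
# -I (insert at top) rather than -A because the default RHEL 6 FORWARD chain ends
# with a REJECT rule that an appended ACCEPT would never reach.
nat_rules() {
    ext_if=$1
    int_if=$2
    cat <<EOF
$IPT -I FORWARD -i $int_if -o $ext_if -j ACCEPT
$IPT -I FORWARD -i $ext_if -o $int_if -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -I POSTROUTING -o $ext_if -j MASQUERADE
EOF
}

# Succeed only if the running kernel currently forwards IPv4. Editing
# /etc/sysctl.conf without reloading it is a common way to fail this step.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)" = "1" ]
}

# Apply the rules and persist them to /etc/sysconfig/iptables (run as root).
apply_nat() {
    if ! forwarding_enabled; then
        echo "net.ipv4.ip_forward is not 1; set it in /etc/sysctl.conf and run sysctl -p" >&2
        return 1
    fi
    nat_rules "$1" "$2" | sh -e
    service iptables save
}

# Show the resulting chains with packet counters, to confirm traffic matches.
show_nat() {
    $IPT -L FORWARD -v -n --line-numbers
    $IPT -t nat -L POSTROUTING -v -n
}

case ${1:-print} in
    apply) apply_nat eth0 eth1 && show_nat ;;
    *)     nat_rules eth0 eth1 ;;
esac
```

Run it with no arguments to see the three commands it would issue; run it as root with "apply" to install them, save them and list the chains. If the ip_forward check fails, the rules are not installed at all, since forwarding rules on a non-forwarding kernel give a misleading half-working setup.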
