All HowTo's Redhat, Fedora and CentOS Linux

One to One NAT. A “Checklist”

There’s a million things you need to do to get one-to-one NAT working. This is my checklist – a list that’s saved my bacon many-a-time.

Let’s suppose the situation is that you have a single host with multiple virtual machine running in it. The host has a network connection to the WAN. There are three VM guests each with an IP address of “”, “” and “”. Your ISP has given you three pubic IP addresses for your VM guests of “”, “” and “”. You have another public IP address for your host of “”.

So here’s the check-list:

  • Host-to-Guest connectivity: Make sure the host knows how to get to each VM guest. This is likely already done when you built your VMs. If you can “ping” your guests from your host, you’re in good shape.
  • IP Forwarding: Make sure the kernel knows that it can forward IP packets between two network. This is done by putting a “1” in the “/proc/sys/net/ipv4/ip_forward” file.
  • Firewall / IPtables: Make sure IPTables knows that it can forward packets between the WAN and the guests. You can “drop” and “accept” specific ports or permit “all” data for specific VM guests. That’s up to you. I suggest that you use the host’s IPTables as a firewall and block what you don’t want passing through to the guests.
  • Don’t assign public IP addresses to the gusts: Make sure the VM guests only have private IP addresses configured and “not” public IP addresses. They should be using the “192.168.122.x” range.
  • Assigning all public IP addresses to the host: Make sure the host has public IP addresses for each VM guests. This is an ARP thing. The host is what’s listening on the WAN interface and therefore it should have sub-interfaces – one for each public IP address. Eg: eth0:1=, eth0:2= and eth0:3=
  • The actual NAT: Make sure IPTables knows to “postrouting” and “prerouting” for each VM guest. See the example below.

Here’s an example IPTables file on a Redhat server. I’ve kept it simple and recommend you use this as a basis for a more complete setup.


# Guest 1
-A POSTROUTING -o em1 -s -j SNAT --to-source
-A PREROUTING -i em1 -d -j DNAT --to-destination

# Guest 2
-A POSTROUTING -o em1 -s -j SNAT --to-source
-A PREROUTING -i em1 -d -j DNAT --to-destination

# Guest 3
-A POSTROUTING -o em1 -s -j SNAT --to-source
-A PREROUTING -i em1 -d -j DNAT --to-destination


-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited


Leave a Reply

Your email address will not be published. Required fields are marked *