I am new to iptables and I want to understand how iptables nat is working. I have a linux machine with a lxc container. The machine network configuration is as follows: eth0 interface which connects the machine to the internet (it's IPv4 address is and a veth-1 interface ( for lxc container. On the lxc container there is a eth0 interface ( connected to the veth-1.

On the linux machine I have added two iptables rules:

1) iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source
2) iptables -t nat -A PREROUTING -d -j DNAT --to-destination

If I do a ping from the lxc container everything is working (the source IP gets translated to when leaving the linux machine). But the second rule is never matched by the ping echo replies. I have watched the incoming packets on eth0 ( using tcpdump and the output is as follows:

23:34:33.151565 IP google-public-dns-a.google.com > host.local: ICMP echo reply, id 536, seq 174, length 64

Therefore, packets with destination arrive on eth0 interface.

I have three questions:

1) Why is the nat prerouting rule never matched?

2) How does iptables know how to modify replies such that to forward them to

3) Can the SNAT target modify the source port (without explicitly telling to translate to a specific port(s))?


Iptables is using a NAT table, and the conntrack machine. This way, if your container initiate the connection, it will match the SNAT rule, write in the NAT table, and fill the conntrack one.

When a reply is coming, conntrack knows (with source and destination ip and port, and TCP sequence if the connection is TCP) that the packet belongs to the connection, and will address it to the right NAT correspondance.

Per connection, only the first packet will match a NAT rule, then every other will just follow the same path (or reverse path).

If a new connection is coming from the outside to your container, it will match the DNAT rule instead.

SNAT can't modify the source port.

1) Why is the nat prerouting rule never matched?

iptables NAT works on "connections"*, only the first packet of each "connection" goes through the user-controlled nat tables.

2) How does iptables know how to modify replies such that to forward them to

When the first packet of a "connection" passes through the NAT it establishes an entry in an internal connection tracking table. This is used to translate later packets of the connection.

3) Can the SNAT target modify the source port (without explicitly telling to translate to a specific port(s))?

Yes it can, but by default it will only do so if it is nessacery to avoid ambiguity.

* "connection" here refers to a set of criteria that can be used to match requests to their corresponding responses. e.g. the source ip/source port/destination ip/destination port tuple for TCP/UDP or the source ip/type/id/code/destination ip for ICMP queries.


Take a read for TCP and connection tracking I guess: http://www.iptables.info/en/connection-state.html

SNAT can only modify source IP address so far I know.

