Joe Wein
Fighting spam and scams
on the Internet
How to configure "full cone" NAT using iptables

Problem: A Linux-based machine with two network interfaces can be used as a router. To support peer-to-peer applications it is desirable for the router to perform "full cone" Network Address Translation. Most Linux-based routers operate as "port restricted" NAT, which is less flexible.

With full cone NAT, once the router has sent a packet from an external IP address / port combination, incoming packets addressed to that address and port from any source address and port will be forwarded to the local source of the initial packet. RFC 3489 defines it as follows:

Full Cone: A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address.

On the netfilter mailing list, Pedro Gonçalves suggested the following: Using iptables, I set all policies to "ACCEPT" and I was able to set up two kinds of NAT:
( is my "public" address and is my "private" address)

/-"Full Cone NAT", with the following rules:/
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination

/-"Port Restricted Cone NAT", with just a single rule:/
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source

Further reading: Forum thread
Setup of different types of NAT