User guide

Chapter 3 - Additional Features
DNAT (nat table only)
This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It specifies that the destination address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one option:

MASQUERADE (nat table only)
This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target. Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out on, but also has the effect that connections are forgotten when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway). It takes one option:

REDIRECT (nat table only)
This target is only valid in the nat table, in the PREROUTING and OUTPUT chains, and user-defined chains which are only called from those chains. It alters the destination IP address to
--to-source <ipaddr>[-<ipaddr>][:port-port]
    This can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then source ports below 1024 will be mapped to other ports below 1024: those between 1024 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur.

--to-ports <port>[-<port>]
    This specifies a range of source ports to use, overriding the default SNAT source port-selection heuristics (see above). This is only valid if the rule also specifies -p tcp or -p udp.
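The table, chain and protocol restrictions described above are easy to get wrong in generated rule sets, so it is worth checking rules before they are loaded. The following Python linter is an added example (not code from this guide or from the iptables project): it parses an iptables command line and reports violations of the constraints stated here. It assumes IPv4 addresses, the DNAT option name --to-destination and the POSTROUTING-only rule for SNAT, the latter two taken from the iptables manual rather than from this page.

```python
import shlex

# Chain constraints for the nat targets described in the guide. SNAT is only
# mentioned on this page; its POSTROUTING-only rule comes from the iptables manual.
NAT_TARGET_CHAINS = {
    "DNAT": {"PREROUTING", "OUTPUT"},
    "REDIRECT": {"PREROUTING", "OUTPUT"},
    "MASQUERADE": {"POSTROUTING"},
    "SNAT": {"POSTROUTING"},
}
BUILTIN_CHAINS = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}
# Options that can carry a port range; a port range requires -p tcp or -p udp.
# (--to-destination is DNAT's option per the iptables manual, not shown on this page.)
PORT_OPTIONS = ("--to-source", "--to-destination", "--to-ports")


def opt(argv, name):
    """Return the value following option `name` in argv, or None if absent."""
    if name in argv and argv.index(name) + 1 < len(argv):
        return argv[argv.index(name) + 1]
    return None


def check_nat_rule(rule):
    """Lint one iptables command line; returns a list of problems (empty = OK).
    Rules appended to user-defined chains are accepted, since their legality
    depends on which built-in chain calls them. Assumes IPv4 (':' separates ports)."""
    argv = shlex.split(rule)
    target = opt(argv, "-j")
    if target not in NAT_TARGET_CHAINS:
        return []  # not a NAT target covered by the guide
    problems = []
    table = opt(argv, "-t") or "filter"
    if table != "nat":
        problems.append(f"{target} is only valid in the nat table (rule uses {table})")
    chain = opt(argv, "-A") or opt(argv, "-I")
    if chain in BUILTIN_CHAINS and chain not in NAT_TARGET_CHAINS[target]:
        problems.append(f"{target} is not valid in the {chain} chain")
    proto = opt(argv, "-p") or opt(argv, "--protocol")
    for name in PORT_OPTIONS:
        value = opt(argv, name)
        # --to-ports is always a port range; --to-source/--to-destination only
        # carry one when the address is followed by ':port[-port]'.
        if value is not None and (name == "--to-ports" or ":" in value) \
                and proto not in ("tcp", "udp"):
            problems.append(f"{name} with a port range requires -p tcp or -p udp")
    return problems


if __name__ == "__main__":  # constructed sample rules, not from the guide
    for rule in ["iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.5:8080",
                 "iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE --to-ports 1024-65535",
                 "iptables -A POSTROUTING -j DNAT --to-destination 10.0.0.5"]:
        print(rule, "->", check_nat_rule(rule) or "OK")
```

Run it over a saved rule script before applying it; an empty list means the rule respects the table, chain and protocol rules given above, nothing more.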