NAT Rule Generator

Generate Network Address Translation rules for Linux iptables, nftables, and Cisco IOS. Select your NAT type (SNAT, DNAT, Masquerade, or Static), enter your network parameters, and get ready-to-use configuration commands for your firewall or router.

Figure 1 — NAT Rule Generator

What Is NAT?

Network Address Translation (NAT) modifies IP address information in packet headers as they pass through a router or firewall. NAT is the technology that allows your entire home or office network to share a single public IP address. Every router performs NAT — it's what makes the modern internet work with the limited IPv4 address space.

For a complete explanation of how NAT works, read our What Is NAT? guide. To understand how NAT types affect gaming, see NAT Type Explained.

Types of NAT

| NAT Type | Direction | Use Case | Linux Target |
|---|---|---|---|
| SNAT | Outbound | Internal network accessing internet with fixed public IP | SNAT |
| DNAT | Inbound | Port forwarding, load balancing, server publishing | DNAT |
| Masquerade | Outbound | Dynamic public IP (home routers, DHCP WAN) | MASQUERADE |
| Static NAT | Both | 1:1 mapping for servers needing full public access | SNAT + DNAT |
| PAT/NAPT | Outbound | Many-to-one using port numbers (most home routers) | MASQUERADE |

SNAT vs DNAT vs Masquerade

Understanding when to use each NAT type prevents configuration errors:

| Feature | SNAT | DNAT | Masquerade |
|---|---|---|---|
| Changes | Source IP | Destination IP | Source IP (dynamic) |
| Fixed IP required | Yes | Yes (external) | No |
| Performance | Better (cached) | Standard | Slightly slower |
| Chain | POSTROUTING | PREROUTING | POSTROUTING |
| Home router equivalent | | Port forwarding | Default NAT |

DNAT is what home routers call "port forwarding." Use our Port Forwarding Rule Generator for router-specific configs, or our Port Checker to verify rules are working.

Pro Tip: Use SNAT when your WAN interface has a static IP — it's more efficient because the kernel caches the translation. Use Masquerade when your WAN IP is dynamic (DHCP, PPPoE) since it looks up the interface IP for each packet. Most home routers use Masquerade by default. Check your setup at 192.168.1.1.

Note: NAT rules must be combined with proper firewall (FORWARD chain) rules. A NAT rule alone doesn't allow traffic — the FORWARD chain must also permit the translated packets. The generator above includes both the NAT and firewall rules needed for a complete configuration. For additional network planning, use our Subnet Calculator.

NAT and Network Security

NAT provides a degree of security by hiding internal addresses, but it's not a firewall substitute:

  • NAT hides internal topology — External hosts can't directly address internal devices.
  • Stateful tracking — Only responses to established connections pass through (connection tracking).
  • Not encryption — NAT doesn't encrypt traffic. Use VPN for true security.
  • Double NAT — Two layers of NAT can cause connectivity issues for gaming and VoIP.
  • Port forwarding weakens NAT — Each forwarded port is an opening. Use port forwarding sparingly.

For gaming NAT issues, check your NAT type. Monitor your network for unusual connections with traffic monitoring.

Common NAT Scenarios

```bash
# Scenario 1: Home network (Masquerade)
# Internal: 192.168.1.0/24, WAN: dynamic (DHCP from ISP), eth0 = WAN interface
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

# Scenario 2: Office with static IP (SNAT)
# Internal: 10.0.0.0/8, WAN: 203.0.113.5 (static)
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j SNAT --to-source 203.0.113.5

# Scenario 3: Web server port forward (DNAT)
# Forward port 443 to internal web server 192.168.1.50
# (--to-destination is the full option name; add "-i eth0" to match only the WAN side)
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.1.50:443

# Scenario 4: Redirect HTTP to a local proxy on port 3128 (REDIRECT)
# REDIRECT rewrites the destination to the router's own address, so no FORWARD rule is needed
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
```
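The scenarios above show only the NAT half of each configuration. The script below is an added example (it is not the RouterHax generator's own code): a small generator that, for the Masquerade, SNAT and DNAT cases, emits the NAT rule together with the FORWARD rules that actually let the translated traffic pass, in both iptables and nftables syntax. It validates addresses with Python's ipaddress module so a typo such as 192.168.1.0/33 is rejected before it reaches the firewall. The interface names (eth0 = WAN, eth1 = LAN), addresses and ports are constructed sample values.

```python
"""Added example: a minimal NAT + FORWARD rule generator for iptables and nftables.

Not the RouterHax tool's code. Interface names, addresses and ports are
constructed sample values chosen to mirror the scenarios on the page.
"""
import ipaddress
from typing import Dict, List, Optional

RuleSet = Dict[str, List[str]]


def _net(value: str) -> str:
    # Reject malformed networks early (e.g. 192.168.1.0/33) instead of handing a bad rule to iptables.
    return str(ipaddress.ip_network(value, strict=False))


def _host(value: str) -> str:
    return str(ipaddress.ip_address(value))


def _port(value: int) -> int:
    if not 1 <= value <= 65535:
        raise ValueError(f"port out of range: {value}")
    return value


def base() -> RuleSet:
    """Common scaffolding: enable forwarding, create nft tables/chains, accept replies."""
    return {
        "iptables": [
            "sysctl -w net.ipv4.ip_forward=1",
            # Replies to tracked connections are accepted in both directions;
            # the per-type rules below only open NEW connections.
            "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        ],
        "nftables": [
            "sysctl -w net.ipv4.ip_forward=1",
            "nft add table ip nat",
            "nft 'add chain ip nat prerouting { type nat hook prerouting priority -100; }'",
            "nft 'add chain ip nat postrouting { type nat hook postrouting priority 100; }'",
            "nft add table ip filter",
            "nft 'add chain ip filter forward { type filter hook forward priority 0; policy drop; }'",
            "nft add rule ip filter forward ct state established,related accept",
        ],
    }


def masquerade(lan_net: str, lan_if: str, wan_if: str) -> RuleSet:
    """Outbound NAT behind a dynamic WAN address (Scenario 1)."""
    net = _net(lan_net)
    rules = base()
    rules["iptables"] += [
        f"iptables -t nat -A POSTROUTING -s {net} -o {wan_if} -j MASQUERADE",
        f"iptables -A FORWARD -i {lan_if} -o {wan_if} -s {net} -m conntrack --ctstate NEW -j ACCEPT",
    ]
    rules["nftables"] += [
        f"nft add rule ip nat postrouting ip saddr {net} oifname {wan_if} masquerade",
        f"nft add rule ip filter forward iifname {lan_if} oifname {wan_if} ip saddr {net} ct state new accept",
    ]
    return rules


def snat(lan_net: str, wan_ip: str, lan_if: str, wan_if: str) -> RuleSet:
    """Outbound NAT to a fixed public address (Scenario 2)."""
    net, ip = _net(lan_net), _host(wan_ip)
    rules = base()
    rules["iptables"] += [
        f"iptables -t nat -A POSTROUTING -s {net} -o {wan_if} -j SNAT --to-source {ip}",
        f"iptables -A FORWARD -i {lan_if} -o {wan_if} -s {net} -m conntrack --ctstate NEW -j ACCEPT",
    ]
    rules["nftables"] += [
        f"nft add rule ip nat postrouting ip saddr {net} oifname {wan_if} snat to {ip}",
        f"nft add rule ip filter forward iifname {lan_if} oifname {wan_if} ip saddr {net} ct state new accept",
    ]
    return rules


def dnat(proto: str, port: int, target: str, lan_if: str, wan_if: str,
         target_port: Optional[int] = None) -> RuleSet:
    """Inbound port forward to an internal server (Scenario 3)."""
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    port, host = _port(port), _host(target)
    tport = _port(target_port if target_port is not None else port)
    rules = base()
    rules["iptables"] += [
        f"iptables -t nat -A PREROUTING -i {wan_if} -p {proto} --dport {port} -j DNAT --to-destination {host}:{tport}",
        # FORWARD sees the packet after DNAT, so it must match the internal address and port.
        f"iptables -A FORWARD -i {wan_if} -o {lan_if} -p {proto} -d {host} --dport {tport} -m conntrack --ctstate NEW -j ACCEPT",
    ]
    rules["nftables"] += [
        f"nft add rule ip nat prerouting iifname {wan_if} {proto} dport {port} dnat to {host}:{tport}",
        f"nft add rule ip filter forward iifname {wan_if} oifname {lan_if} ip daddr {host} {proto} dport {tport} ct state new accept",
    ]
    return rules


def render(rules: RuleSet) -> str:
    return "\n".join(f"# --- {fam} ---\n" + "\n".join(lines) for fam, lines in rules.items())


if __name__ == "__main__":
    print(render(masquerade("192.168.1.0/24", "eth1", "eth0")))
    print(render(dnat("tcp", 443, "192.168.1.50", "eth1", "eth0")))
```

The nftables forward chain is created with policy drop, so only the explicit accept lines pass traffic; the iptables output assumes you set the FORWARD policy to DROP yourself, which is the usual hardening step on a router.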

Troubleshooting NAT Rules

  1. Verify IP forwarding is enabled: cat /proc/sys/net/ipv4/ip_forward should return 1.
  2. Check NAT table: iptables -t nat -L -n -v shows all NAT rules and hit counters.
  3. Test connectivity with our Ping Test and Port Checker.
  4. Check FORWARD chain — NAT alone doesn't permit traffic; FORWARD rules must allow it.
  5. Monitor connections: conntrack -L shows the NAT connection tracking table.
  6. Verify DNS — Use our DNS Lookup to ensure DNS works through NAT.
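Steps 1 and 2 of the list above are the ones most worth automating: a NAT rule whose hit counter stays at zero in iptables -t nat -L -n -v is the usual sign that something else (wrong interface, wrong chain, FORWARD blocking it, or ip_forward off) is stopping packets from ever reaching it. The script below is an added example, not tooling from the page: it parses that listing, expands the abbreviated counters iptables prints without -x (12K, 3M), and reports rules that have never matched. The listing is constructed sample output, not captured from a real host, and it reuses the addresses from the scenarios above.

```python
"""Added example (not the page's own tooling): find NAT rules that never match.

Parses `iptables -t nat -L -n -v` output and lists rules whose packet counter
is still zero. SAMPLE is constructed output, not captured from a real host.
"""
import re
from typing import Dict, List, Optional

SAMPLE = """\
Chain PREROUTING (policy ACCEPT 120 packets, 7200 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  2520 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.1.50:443
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 to:192.168.1.51:22

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 5 packets, 300 bytes)
 pkts bytes target     prot opt in     out     source               destination
  12K  980K MASQUERADE  all  --  *      eth0    192.168.1.0/24       0.0.0.0/0
    0     0 SNAT       all  --  *      eth0    10.0.0.0/8           0.0.0.0/0            to:203.0.113.5
"""

# iptables -v abbreviates large counters with 1000-based suffixes; -x prints exact numbers.
_SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def _count(token: str) -> int:
    """Expand an abbreviated counter such as "12K" or "3M" to an integer."""
    if token[-1] in _SUFFIX:
        return int(float(token[:-1]) * _SUFFIX[token[-1]])
    return int(token)


def parse_nat_listing(text: str) -> List[Dict]:
    """Turn the -L -n -v listing into one dict per rule, tagged with its chain."""
    rules, chain = [], None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        if not line.strip() or line.lstrip().startswith("pkts"):
            continue  # blank line or column header
        # pkts bytes target prot opt in out source destination [match/target options]
        parts = line.split(None, 9)
        if len(parts) < 9:
            continue
        rules.append({
            "chain": chain,
            "pkts": _count(parts[0]),
            "bytes": _count(parts[1]),
            "target": parts[2],
            "proto": parts[3],
            "in": parts[5],
            "out": parts[6],
            "src": parts[7],
            "dst": parts[8],
            "extra": parts[9] if len(parts) > 9 else "",
        })
    return rules


def unmatched_rules(text: str) -> List[str]:
    """Describe NAT rules whose packet counter is zero (never matched)."""
    return [
        f"{r['chain']}: {r['target']} {r['src']} -> {r['dst']} {r['extra']}".rstrip()
        for r in parse_nat_listing(text)
        if r["pkts"] == 0
    ]


def ip_forward_enabled(path: str = "/proc/sys/net/ipv4/ip_forward") -> Optional[bool]:
    """Troubleshooting step 1: True/False, or None when the file cannot be read."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    print("ip_forward:", ip_forward_enabled())
    for line in unmatched_rules(SAMPLE):
        print("never matched:", line)
```

On a live router replace SAMPLE with the output of subprocess.run(["iptables", "-t", "nat", "-L", "-n", "-v"], capture_output=True, text=True).stdout; the parser is the same.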

Key Takeaways
  • SNAT changes source IP (outbound); DNAT changes destination IP (inbound/port forward).
  • Use SNAT for static WAN IPs and Masquerade for dynamic (DHCP) WAN IPs.
  • NAT rules require matching FORWARD chain rules to actually permit traffic.
  • Enable IP forwarding (sysctl) before NAT rules will work on Linux.
  • Double NAT causes issues — avoid running two routers doing NAT in series.
  • Use our Port Checker to verify DNAT/port forwarding rules are working.



Frequently Asked Questions

What is the difference between SNAT and Masquerade?

SNAT uses a fixed public IP address and is more efficient (the kernel caches the address). Masquerade dynamically looks up the outbound interface's IP for each connection, making it suitable for dynamic IPs. Use SNAT for static IPs and Masquerade for DHCP/PPPoE WAN connections.

Does NAT provide security?

NAT provides basic security by hiding internal addresses and blocking unsolicited inbound connections. However, it's not a substitute for a proper firewall with explicit deny rules. Combine NAT with stateful firewall rules for comprehensive security.

What is double NAT and why is it a problem?

Double NAT occurs when two devices (e.g., ISP modem + your router) both perform NAT. This can break port forwarding, VPN connections, VoIP, and gaming. Fix by bridging the ISP modem or using DMZ. See our double NAT guide.

How do I make NAT rules persistent after reboot?

On Debian/Ubuntu, install iptables-persistent and run netfilter-persistent save. On CentOS/RHEL, use service iptables save. For nftables, rules in /etc/nftables.conf are loaded at boot automatically.

Can NAT handle thousands of connections?

Yes. Modern Linux kernels can handle millions of NAT connections. The connection tracking table (conntrack) typically defaults to 65,536 entries but can be increased. Monitor with conntrack -C and increase with sysctl -w net.netfilter.nf_conntrack_max=262144.

What is PAT (Port Address Translation)?

PAT (also called NAPT) is the most common form of NAT, used by virtually every home router. It translates multiple internal IPs to a single external IP by mapping each connection to a unique source port number. This is what allows hundreds of devices to share one public IP address.
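The mechanism described in this answer, and the "stateful tracking" point from the NAT and Network Security section, can be seen in a few dozen lines. The toy translator below is an added example, not code from the page: it keys each outbound connection on the allocated public source port, so two internal hosts that both use source port 50000 still get distinct mappings, it reuses a mapping for a repeated flow, and it drops inbound packets that match no mapping. The endpoint_independent switch goes slightly beyond the FAQ text: False behaves like the "Strict" NAT type games report (only the remote the host talked to may reply), True behaves like a full-cone NAT (any remote may use the mapped port), which is why the latter is friendlier to peer-to-peer traffic. All addresses and ports are constructed.

```python
"""Added example (not from the page): a toy PAT/NAPT translation table.

Shows many-to-one translation keyed on source port and why unsolicited
inbound packets have no mapping and are dropped. Addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# (internal ip, internal port, remote ip, remote port)
Flow = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    def __init__(self, public_ip: str, endpoint_independent: bool = False,
                 first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        # False: only the remote endpoint the host contacted may reply ("Strict").
        # True: any remote may send to the mapped port ("full cone").
        self.endpoint_independent = endpoint_independent
        self._next, self._last = first_port, last_port
        self.table: Dict[int, Flow] = {}      # public port -> flow
        self._by_flow: Dict[Flow, int] = {}   # flow -> public port (for reuse)

    def outbound(self, p: Packet) -> Packet:
        """LAN -> WAN: rewrite the source to public_ip:<allocated port> and remember it."""
        flow: Flow = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        port = self._by_flow.get(flow)
        if port is None:
            if self._next > self._last:
                raise RuntimeError("port pool exhausted")  # the limit of a single public IP
            port = self._next
            self._next += 1
            self.table[port] = flow
            self._by_flow[flow] = port
        return Packet(self.public_ip, port, p.dst_ip, p.dst_port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """WAN -> LAN: translate only packets that match an existing mapping; else drop (None)."""
        if p.dst_ip != self.public_ip:
            return None
        flow = self.table.get(p.dst_port)
        if flow is None:
            return None  # unsolicited: nothing on the inside ever asked for this
        if not self.endpoint_independent and (flow[2], flow[3]) != (p.src_ip, p.src_port):
            return None  # strict: a different remote may not use this mapping
        return Packet(p.src_ip, p.src_port, flow[0], flow[1])


if __name__ == "__main__":
    nat = Napt("203.0.113.5")
    out = nat.outbound(Packet("192.168.1.10", 50000, "198.51.100.7", 443))
    print("outbound becomes", out)
    print("reply becomes", nat.inbound(Packet("198.51.100.7", 443, "203.0.113.5", out.src_port)))
    print("unsolicited ->", nat.inbound(Packet("198.51.100.9", 5060, "203.0.113.5", 40000)))
```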

How does NAT affect VoIP and gaming?

NAT can block incoming connections needed for peer-to-peer voice and game traffic. This manifests as Strict NAT type in games or one-way audio in VoIP. Solutions include UPnP, port forwarding, and STUN/TURN servers for VoIP.

About Tommy N.

Tommy is the founder of RouterHax and a network engineer with 10+ years of experience in home and enterprise networking. He specializes in router configuration, WiFi optimization, and network security. When not writing guides, he's testing the latest mesh WiFi systems and helping readers troubleshoot their home networks.
