Redirect Traffic to Server in LAN with Iptables Jul 7th 2018 Words: 695


I have HDDs full of hentai personal data. I host the SMB/FTP/NFS services on a server with a static IP, and all applications on the clients use to reach the server. This worked without problems until I temporarily migrated the server behind another router. Now I would like to keep using the IP to access all services on, so that I do not have to modify a s**tload of configuration files on the clients. Using a hostname rather than an IP address would be the better solution, but my clients use a local DNS resolver and ignore the router's DNS answers.


On the router, use the following iptables command to redirect all packets whose original destination is to:

iptables -t nat -I PREROUTING -d -j DNAT --to-destination

With the DNAT rule in place, the following happens when a client sends a request packet to.

The client first checks the destination IP address and finds that it is not in the LAN.

It therefore sends the packet to the gateway. The gateway changes the destination from to and forwards the packet to the server at

But this is not enough for the transfer to work: pinging results in a timeout. The reason is that DNAT does not change the source address of the packets.

When the server receives the request, it sends its response back to the address the request came from, which in this example is

The server notices that the destination of the response packet is on the same LAN, so it does not send the packet to the gateway. Instead, it uses ARP to look up's MAC address and delivers the packet to directly. The gateway plays no part in this step.

The then receives the server's response, but the source of this packet is, while the client expects the response to come from the address it sent the request to, which is the gateway (the request to is handled by the gateway, so the response should come back from the gateway as well). The client drops the response as invalid.

SNAT makes the response packet take the correct path back to the client.


Add this iptables rule on the router:

iptables -t nat -I POSTROUTING -s -d -m conntrack --ctstate DNAT -j SNAT --to-source

The POSTROUTING chain is evaluated after the PREROUTING chain, so this rule matches every packet that was DNATed by the previous rule (--ctstate DNAT). Note that the destination in this rule is the one after DNAT. The rule changes the source of the packet to (the gateway). It also leaves a conntrack record on the router, so that when the server sends its response back to the router, the response is translated and routed to

Now when the server receives the request, its source is, so the response is no longer delivered directly to; instead, the packet is sent to the gateway, which forwards it to

The client receives the response with source, which is what it expects, so the response is valid. Now we can ping from any host in without problems.
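To make the two packet paths concrete, here is a small Python model of the flow described above (DNAT only, then DNAT plus SNAT). It is an added example, not code from the original post; all addresses are constructed RFC 5737 documentation addresses standing in for the ones the post uses, and the `Router`, `Packet` and `ping` names are my own. The model also covers a case the post does not spell out: a client on another subnet whose traffic is routed through this gateway works with DNAT alone, because its reply has to pass the router anyway, which is why the post's SNAT rule is restricted to LAN sources with `-s`.

```python
# Added example (not from the original post): a toy model of the packet path
# showing why DNAT alone fails for clients on the server's own LAN and why the
# SNAT rule (limited to LAN sources, as in the post) fixes it.
# All addresses are constructed RFC 5737 documentation addresses.
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("198.51.100.0/24")  # constructed: new LAN behind the temporary router
GATEWAY = "198.51.100.1"             # constructed: the router doing DNAT/SNAT
SERVER_NEW = "198.51.100.20"         # constructed: server's address on the new LAN
SERVER_OLD = "192.0.2.10"            # constructed: old static IP baked into client configs
LAN_CLIENT = "198.51.100.50"         # constructed: a client on the same LAN as the server
REMOTE_CLIENT = "203.0.113.7"        # constructed: a client on another subnet routed via the gateway


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def iptables_rules() -> list[str]:
    """The two rules from the post, filled in with the constructed addresses."""
    return [
        f"iptables -t nat -I PREROUTING -d {SERVER_OLD} "
        f"-j DNAT --to-destination {SERVER_NEW}",
        f"iptables -t nat -I POSTROUTING -s {LAN} -d {SERVER_NEW} "
        f"-m conntrack --ctstate DNAT -j SNAT --to-source {GATEWAY}",
    ]


class Router:
    """Models the nat table plus the conntrack entry that NAT leaves behind."""

    def __init__(self, snat_enabled: bool):
        self.snat_enabled = snat_enabled
        # reply tuple (src, dst) as the router will see it -> original request
        self.conntrack: dict[tuple[str, str], Packet] = {}

    def forward(self, pkt: Packet) -> Packet:
        if pkt.dst != SERVER_OLD:
            return pkt                      # PREROUTING rule does not match
        out = Packet(pkt.src, SERVER_NEW)   # DNAT: rewrite the destination
        # POSTROUTING: SNAT only packets that were DNATed and come from the LAN
        if self.snat_enabled and ip_address(pkt.src) in LAN:
            out = Packet(GATEWAY, out.dst)
        self.conntrack[(out.dst, out.src)] = pkt
        return out

    def reverse(self, reply: Packet) -> Packet | None:
        """Undo both translations on a reply, if conntrack knows the flow."""
        request = self.conntrack.get((reply.src, reply.dst))
        if request is None:
            return None
        return Packet(request.dst, request.src)


def server_reply(request: Packet) -> tuple[Packet, bool]:
    """Answer a request; return (reply, goes_via_gateway).

    A destination inside the LAN (other than the gateway itself) is reached
    directly via ARP, bypassing the router; anything else goes to the gateway.
    """
    reply = Packet(request.dst, request.src)
    direct = ip_address(reply.dst) in LAN and reply.dst != GATEWAY
    return reply, not direct


def client_accepts(sent: Packet, received: Packet | None) -> bool:
    """A host only accepts a reply whose source is the address it sent to."""
    return (received is not None
            and received.src == sent.dst
            and received.dst == sent.src)


def ping(client: str, snat_enabled: bool) -> bool:
    """True if the client gets a usable reply to a request aimed at SERVER_OLD."""
    router = Router(snat_enabled)
    request = Packet(client, SERVER_OLD)
    reply, via_gateway = server_reply(router.forward(request))
    if via_gateway:
        reply = router.reverse(reply)
    return client_accepts(request, reply)


if __name__ == "__main__":
    print("LAN client, DNAT only:    ", ping(LAN_CLIENT, snat_enabled=False))    # False
    print("LAN client, DNAT + SNAT:  ", ping(LAN_CLIENT, snat_enabled=True))     # True
    print("remote client, DNAT only: ", ping(REMOTE_CLIENT, snat_enabled=False)) # True
```

One side effect worth keeping in mind when you apply the SNAT rule: the server now sees every LAN client as the gateway address, so its SMB/FTP/NFS logs and any host-based allow lists on the server lose the real client address for this traffic.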


When I tried to apply the SNAT rule on my OpenWrt router, an error occurred: according to Status > Firewall, the DNAT rule was matching traffic as expected, but the SNAT rule showed no traffic at all. The problem was fixed by updating to the latest OpenWrt snapshot.