Here, we have told iptables to edit the nat table (-t nat) by appending a rule to the POSTROUTING chain. We have stated that any traffic from the 192.168.1.0/24 network (-s) and destined to leave the firewall through eth1 (-o) should be source address NAT'd to 18.104.22.168.
In the example, note that we have tried to be as descriptive as possible concerning what traffic should be subject to the SNAT, detailing the source IP address (specifying the network address with netmask) and the network adaptor that the traffic will leave on.
You know that the traffic you need to be SNAT'd will leave the eth1 interface because you want to SNAT only traffic that is heading out to the Internet. This can be through the eth1 interface only.
Any traffic that is sent back to the machines behind the firewall (for example, during the three-way handshake) will be translated back by the firewall (it remembers connection states) and the destination address will automatically be set to the address of the machine on the private network that initiated the connection.
Was this article helpful?