Port Forwarding with dynamic private address

July 28, 2016 3k views
DigitalOcean Articles Nginx Configuration Management Firewall Ubuntu 16.04 Networking


I was following this post https://www.digitalocean.com/community/tutorials/how-to-forward-ports-through-a-linux-gateway-with-iptables to set up port forwarding.

Under Firewall network details:

In the Tutorial, Private IP Address:

For my setup, Private IP Address: DYNAMIC

The private IP address of the firewall doesn't come up anywhere until the last command,

sudo iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -d -j SNAT --to-source

How do I replace this every time my firewall's private IP address changes?


1 Answer


iptables does not support dynamic IP addresses/hostnames, but you can have it update the rule to the correct IP address whenever it changes.

Instead of redirecting the packets to the SNAT chain, create a new chain that sits in the middle which then redirects the rules to the SNAT chain. So, instead of POSTROUTING -> SNAT, it goes POSTROUTING -> DYNAMIC -> SNAT.

Create the new chain:

sudo iptables -t nat -N DYNAMIC

Add the rule, replacing -j SNAT [...] with -j DYNAMIC:

sudo iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -d -j DYNAMIC

Add the firewall’s IP address to the DYNAMIC chain (the rule applies to all packets in the DYNAMIC chain, because the filtering is done in the previous rule):

sudo iptables -t nat -A DYNAMIC -j SNAT --to-source

Now, test the rule and make sure it works as expected. Whenever there is a change to the firewall’s IP address, you can simply flush the DYNAMIC chain and add the rule again:

sudo iptables -t nat -F DYNAMIC
sudo iptables -t nat -A DYNAMIC -j SNAT --to-source

You can definitely automate the last two commands if you have a way of knowing what the new IP address is and when it changes. Obviously, if it’s possible to give the firewall a static IP address, that is definitely the preferred option.
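The automation the answer hints at, as an added example that is not part of the original answer or the linked tutorial: a small POSIX sh script that reads the firewall's current private IPv4 address, compares it with the one last applied, and only then flushes the DYNAMIC chain and re-adds the SNAT rule. It assumes the private interface is eth1 (as in the tutorial's layout), that the DYNAMIC chain already exists in the nat table, and that it runs as root; the interface name, the state file path and the `iptables` binary are hypothetical defaults that can be overridden through the environment. The sample `ip addr` output inside the script is constructed for testing the parser, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original answer): refresh the DYNAMIC chain
# whenever the firewall's private address changes.
# Assumptions: the private interface is eth1 (as in the linked tutorial),
# the DYNAMIC chain already exists in the nat table, and the script runs
# as root. Interface name, state file and iptables binary are hypothetical
# defaults that can be overridden through the environment.

PRIV_IFACE="${PRIV_IFACE:-eth1}"
STATE_FILE="${STATE_FILE:-/var/run/dynamic-snat.ip}"
IPTABLES="${IPTABLES:-iptables}"

# Constructed sample of `ip -4 addr show dev eth1` output, used only to
# exercise the parser offline; not captured from a real host.
SAMPLE_IP_ADDR_OUTPUT='3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 10.132.5.7/16 brd 10.132.255.255 scope global eth1
       valid_lft forever preferred_lft forever'

# Pull the first IPv4 address out of `ip -4 addr show` text. Takes the text
# as an argument so it can be tested without touching the real interface.
parse_ipv4() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*inet \([0-9.]*\)\/.*/\1/p' | head -n 1
}

# Strict dotted-quad check. The address ends up on an iptables command
# line, so anything that is not four octets is refused rather than passed on.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

current_private_ip() {
    parse_ipv4 "$(ip -4 addr show dev "$PRIV_IFACE")"
}

# The two commands from the answer: flush DYNAMIC and re-add the SNAT rule.
apply_snat() {
    ip="$1"
    if ! is_ipv4 "$ip"; then
        echo "refusing to apply '$ip': not an IPv4 address" >&2
        return 2
    fi
    "$IPTABLES" -t nat -F DYNAMIC &&
    "$IPTABLES" -t nat -A DYNAMIC -j SNAT --to-source "$ip"
}

# Compare with the last address we applied and only rewrite the chain when it
# differs, so a periodic run does not flush a working rule for nothing.
update_if_changed() {
    new_ip="$1"
    old_ip=""
    if [ -r "$STATE_FILE" ]; then
        old_ip=$(cat "$STATE_FILE")
    fi
    if [ "$new_ip" = "$old_ip" ]; then
        return 0
    fi
    apply_snat "$new_ip" && printf '%s\n' "$new_ip" > "$STATE_FILE"
}

# Invoked as `dynamic-snat.sh apply` (from cron or a DHCP client hook);
# without the argument the functions are only defined.
case "${1:-}" in
    apply)
        ip_now=$(current_private_ip)
        if [ -z "$ip_now" ]; then
            echo "no IPv4 address on $PRIV_IFACE" >&2
            exit 1
        fi
        update_if_changed "$ip_now"
        ;;
esac
```

Run it as `dynamic-snat.sh apply` from a cron entry (every minute is plenty) or from the DHCP client's exit hook so it fires on each lease renewal, and check the result with `sudo iptables -t nat -S DYNAMIC`. Note that between the flush and the append the chain is momentarily empty, so a packet hitting POSTROUTING in that instant leaves without SNAT; if that matters, `iptables -t nat -R DYNAMIC 1 -j SNAT --to-source NEW_IP` swaps the rule in a single call once the chain holds its one rule.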
