
Share an IP address between servers using iptables

Tested on

Debian (Etch, Lenny, Squeeze)
Ubuntu (Hardy, Intrepid, Jaunty, Karmic, Lucid, Maverick, Natty)


To share a public IP address between two or more servers using iptables


Suppose that you have three machines, a mail server, a web server and a DNS server, but only one public IP address. You have chosen to give the public address, which is, to the DNS server. All three machines are connected via a local area network on which the DNS server is, the mail server is and the web server is


These instructions assume that:


Inbound connections to the mail server will appear on port 25 (SMTP) of the external interface of the DNS server. You must change the destination IP address of this traffic from to Similarly, traffic to port 80 (HTTP) must have its destination address changed to This must be done prior to routing, otherwise the traffic will be delivered locally instead of being forwarded.

The desired effect can be achieved by means of the DNAT target of iptables. The rules need to isolate the relevant traffic and should be placed in the PREROUTING chain of the nat table:

iptables -t nat -A PREROUTING -p tcp -d --dport 25 -j DNAT --to
iptables -t nat -A PREROUTING -p tcp -d --dport 80 -j DNAT --to

Only the first packet of a connection traverses the nat table (and hence the PREROUTING rules above): connection tracking records the translation and applies it automatically to subsequent packets, and reverses it for the return path. For this reason it is not necessary to provide rules for the return path.


Testing must be done from a machine on the far side of the router, which in this example is the public Internet. The most obvious methods are to use a second Internet connection or a remotely hosted server, but there are alternatives if these are not readily available:


Use tcpdump or a similar tool to answer the following questions, stopping at the first one for which the answer is no:

  1. Does the inbound connection request reach the router?
  2. Does the router forward the request on to the internal network?
  3. When the request leaves the router, does it have an unchanged source address, and a destination address equal to that of the appropriate server on the internal network?
  4. Does the request reach the appropriate server?
  5. Does the server send a response?
  6. When the response leaves the server, does it have a source address equal to the destination address of the request, and vice versa?
  7. Does the response reach the router?
  8. Does the router forward the response on to the external network?
  9. When the response leaves the router, does it have an unchanged destination address, and a source address equal to the external address of the router?

A failure at step 1, 4, 5, 6 or 7 indicates an issue that is unconnected with iptables or NAT, and which will need to be addressed before you can test further.
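As an added example (not part of the original guide), the following Python checker applies steps 3, 6 and 9 of the checklist above to pairs of tcpdump lines captured on either side of the router. The addresses and capture lines are constructed placeholders standing in for the page's own values.

```python
import re

# Constructed sample capture lines in tcpdump's default "IP src.port > dst.port:" form.
# The addresses are placeholders (RFC 5737 / RFC 1918 ranges), not the page's own values.
ROUTER_EXT = "198.51.100.1"   # router's public address (placeholder)
MAIL_INT = "192.168.0.2"      # internal mail server (placeholder)

REQ_EXT = "IP 203.0.113.7.40001 > 198.51.100.1.25: Flags [S], seq 1, win 64240"
REQ_INT = "IP 203.0.113.7.40001 > 192.168.0.2.25: Flags [S], seq 1, win 64240"
RSP_INT = "IP 192.168.0.2.25 > 203.0.113.7.40001: Flags [S.], seq 2, ack 2, win 65535"
RSP_EXT = "IP 198.51.100.1.25 > 203.0.113.7.40001: Flags [S.], seq 2, ack 2, win 65535"

PKT_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

def parse(line):
    """Return (src, sport, dst, dport) from a tcpdump line, or None if it is not an IPv4/TCP line."""
    m = PKT_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return src, int(sport), dst, int(dport)

def check_step3(req_ext, req_int, server_ip):
    """Step 3: request leaving the router on the LAN keeps src:port; dst is rewritten to the server."""
    a, b = parse(req_ext), parse(req_int)
    if a is None or b is None:
        return "unparseable capture line"
    if a[:2] != b[:2]:
        return "source address or port was altered"
    if b[2] != server_ip or b[3] != a[3]:
        return "destination not rewritten to %s:%d" % (server_ip, a[3])
    return "ok"

def check_step6(req_int, rsp_int):
    """Step 6: response src:port equals request dst:port, and vice versa."""
    a, b = parse(req_int), parse(rsp_int)
    if a is None or b is None:
        return "unparseable capture line"
    if b[:2] != a[2:] or b[2:] != a[:2]:
        return "response endpoints do not mirror the request"
    return "ok"

def check_step9(rsp_int, rsp_ext, router_ext_ip):
    """Step 9: response leaving the router keeps dst:port; src is rewritten to the router's address."""
    a, b = parse(rsp_int), parse(rsp_ext)
    if a is None or b is None:
        return "unparseable capture line"
    if a[2:] != b[2:]:
        return "destination address or port was altered"
    if b[0] != router_ext_ip or b[1] != a[1]:
        return "source not rewritten to %s:%d" % (router_ext_ip, a[1])
    return "ok"
```

Run tcpdump on the external and internal interfaces of the router at the same time and feed the matching lines for one connection to the three checks; any result other than "ok" names the address or port that the NAT did not handle as expected.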

A failure at step 2 could indicate that:

A failure at step 3 could indicate that:

A failure at step 8 could indicate that:

Finally, a failure at step 9 could indicate that:

Further information about how to investigate these issues can be found in the troubleshooting guides for iptables and routing.



DNAT rules can be used alongside filtering rules. Because the traffic is being forwarded, the appropriate place to filter it is the FORWARD chain. This chain is traversed after PREROUTING, so the filter sees the NATted destination address of the server ( or, not the external address.

For example, to block access to the mail server from a suitable rule would be:

iptables -t filter -A FORWARD -p tcp -s -d --dport 25 -j DROP

Tags: iptables | nat