Source NAT changes the source address in IP header of a packet. It may also change the source port in the TCP/UDP headers. The typical usage is to change the a private (rfc1918) address/port into a public address/port for packets leaving your network. Available only in the POSTROUTING chain in iptables.
iptables -t nat -A POSTROUTING -i eth1 -j SNAT --to-source 188.8.131.52[:port]
Host A (10.0.0.2) -------> Router (10.0.0.1 / 184.108.40.206 ) -> Host B (220.127.116.11) Source IP: 10.0.0.2 Source IP: 18.104.22.168 Dest IP: 22.214.171.124 Dest IP: 126.96.36.199
Destination NAT changes the destination address in IP header of a packet. It may also change the destination port in the TCP/UDP headers. The typical usage of this is to redirect incoming packets with a destination of a public address/port to a private IP address/port inside your network.
iptables -t nat -A POSTROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to-destination 10.0.0.2:22
Host B (188.8.131.52) ----> Router (184.108.40.206 / 10.0.0.1) -> Host A (10.0.0.2) Source IP: 220.127.116.11 Source IP: 18.104.22.168 Dest IP: 22.214.171.124 Dest IP: 10.0.0.2 Dest Port: 22 Dest Port: 2222
Masquerading is a special form of Source NAT where the source address is unknown at the time the rule is added to the tables in the kernel. If you want to allow hosts with private address behind your firewall to access the Internet and the external address is variable (DHCP) this is what you need to use. Masquerading will modify the source IP address and port of the packet to be the primary IP address assigned to the outgoing interface.
Note: If your outgoing interface has a address that is static, then you should use Source NAT (SNAT), which will be a little faster because it does not need to determine the external IP of your forwarding interface every time.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
REDIRECT, like DNAT, alters the destination IP address and port, but is only meant for local traffic -- packets won't be forwarded externally. In other words, locally generated packets are mapped to the 127.0.0.1 address (and a port of choice). If you only want to redirect the traffic between services on the local machine, it will be a good choice.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j REDIRECT --to-port 22
Host B (126.96.36.199) ----> Host A (188.8.131.52) Source IP: 184.108.40.206 Source IP: 220.127.116.11 Dest IP: 18.104.22.168 Dest IP: 127.0.0.1 Dest Port: 2222 Dest Port: 22