21.2 Configuring NAT in Linux

The iptable_nat.o module implements the unidirectional NAPT variant described in Section 21.1.6. Like the Twice NAT variant, it can change the source and destination addresses of a session flow simultaneously.

To intercept and process packets, NAT uses the infrastructure supplied by the netfilter architecture. (See Section 19.3.1.) Figure 21-2 shows that it hooks itself into the netfilter hooks NF_IP_PRE_ROUTING, NF_IP_POST_ROUTING, and NF_IP_LOCAL_OUT for this purpose. The NAT module is invoked as soon as a packet traverses one of these hooks, and a pointer to the packet's sk_buff structure is passed to it. For configuration purposes, it is important to note that the source address is translated at the NF_IP_POST_ROUTING hook, while the destination address is translated in one of the other two hooks.

Figure 21-2. Netfilter hooks used by the NAT module.

The first, preliminary versions of the new netfilter architecture allowed you to configure NAT by using an independent tool called ipnatctl. More recently, this functionality was fully integrated in the iptables tool. iptables can be used to specify rules that control the behavior of the NAT module. As was described in Section 19.2.1, a rule consists of a set of criteria to select session flows (matching rule) and a second part specifying how a session flow should be transformed (binding type or mapping type).

Criteria identical to packet-filter rules are available to select session flows: the IP source and destination addresses, the transport protocol, the port numbers, and the protocol-specific flags. The second part of a NAT rule defines how a session flow should be transformed. To this end, there are additional branch destinations, which are valid in the nat table only. We can use -j SNAT to activate the translation of the source address (source NAT) and -j DNAT to translate the destination address (destination NAT). In addition, we have to use --to-source or --to-destination to specify a range of IP addresses and port numbers, if present, for the address-translation process.

If both a source NAT rule and a destination NAT rule apply to a packet, the selection criteria of the source NAT rule are applied to the packet's original address information, even though the destination address has already been rewritten by destination NAT at that point. There are additional branch destinations for special cases (e.g., -j MASQUERADE for masquerading in the Linux 2.2 style).

In the example discussed in Section 21.1.6, where source NAT is used to map the internal addresses from the private address range 192.168.1.0 to 192.168.1.255 to the global address 199.10.42.1, the corresponding iptables invocation would have the following form:

    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 \
             -j SNAT --to-source 199.10.42.1
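The following toy model, added here and not part of the book or of the kernel's iptable_nat code, pulls together the points made above: the matching part and the mapping part of a nat-table rule, source translation at the NF_IP_POST_ROUTING hook, destination translation at NF_IP_PRE_ROUTING, and the per-session binding that lets replies be translated back. The SNAT rule is the chapter's own (192.168.1.0/24 to 199.10.42.1); the DNAT rule, the internal host 192.168.1.10 and all outside addresses are constructed for the illustration, and the class and function names are inventions of this example.

```python
"""Toy model of the netfilter NAT hooks described in Section 21.2 (added example)."""
import ipaddress
from dataclasses import dataclass, replace
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    """One nat-table rule: a matching part (-s/-d/-p/--dport) and a mapping part."""
    chain: str                       # "PREROUTING" or "POSTROUTING"
    target: str                      # "SNAT" or "DNAT"
    to_addr: str                     # --to-source / --to-destination address
    src_net: Optional[str] = None    # -s prefix
    dst_addr: Optional[str] = None   # -d address
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport
    to_port: Optional[int] = None    # optional :port in --to-source/--to-destination

    def matches(self, pkt: Packet) -> bool:
        if self.src_net and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_addr and pkt.dst != self.dst_addr:
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


class NatTable:
    def __init__(self, rules):
        self.rules = rules
        self.bindings = {}           # outgoing 5-tuple -> translated 5-tuple (used at POSTROUTING)
        self.reverse = {}            # incoming 5-tuple -> translated 5-tuple (used at PREROUTING)
        self.next_port = count(1024)  # NAPT port pool on the global address (constructed)

    def _first_match(self, chain: str, pkt: Packet) -> Optional[Rule]:
        return next((r for r in self.rules if r.chain == chain and r.matches(pkt)), None)

    def postrouting(self, pkt: Packet) -> Packet:
        """NF_IP_POST_ROUTING: source NAT. An existing session binding wins over the rules."""
        if pkt in self.bindings:
            return self.bindings[pkt]
        rule = self._first_match("POSTROUTING", pkt)
        if rule is None or rule.target != "SNAT":
            return pkt
        # NAPT: give the flow its own source port on the global address so that
        # many internal hosts can share 199.10.42.1.
        out = replace(pkt, src=rule.to_addr, sport=rule.to_port or next(self.next_port))
        self.bindings[pkt] = out
        # Replies from outside arrive addressed to the global address/port.
        reply_in = Packet(pkt.proto, out.dst, out.dport, out.src, out.sport)
        self.reverse[reply_in] = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return out

    def prerouting(self, pkt: Packet) -> Packet:
        """NF_IP_PRE_ROUTING: destination NAT, after mapping back replies of SNAT sessions."""
        if pkt in self.reverse:
            return self.reverse[pkt]
        rule = self._first_match("PREROUTING", pkt)
        if rule is None or rule.target != "DNAT":
            return pkt
        out = replace(pkt, dst=rule.to_addr, dport=rule.to_port or pkt.dport)
        # Remember the binding so the internal server's reply gets its source
        # rewritten back to the public address at POSTROUTING.
        reply_out = Packet(pkt.proto, out.dst, out.dport, out.src, out.sport)
        self.bindings[reply_out] = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return out


# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 199.10.42.1   (the chapter's rule)
# iptables -t nat -A PREROUTING -d 199.10.42.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10
#   (constructed DNAT rule publishing an internal web server)
RULES = [
    Rule("POSTROUTING", "SNAT", "199.10.42.1", src_net="192.168.1.0/24"),
    Rule("PREROUTING", "DNAT", "192.168.1.10", dst_addr="199.10.42.1", proto="tcp", dport=80),
]


def demo():
    """Walk one outbound SNAT session and one inbound DNAT session (constructed addresses)."""
    nat = NatTable(RULES)
    out = nat.postrouting(Packet("tcp", "192.168.1.5", 40000, "203.0.113.9", 443))
    back = nat.prerouting(Packet("tcp", "203.0.113.9", 443, out.src, out.sport))
    inbound = nat.prerouting(Packet("tcp", "198.51.100.7", 51000, "199.10.42.1", 80))
    reply = nat.postrouting(Packet("tcp", "192.168.1.10", 80, "198.51.100.7", 51000))
    return out, back, inbound, reply


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The point of checking the binding table before the rule list in both hooks is that the second and later packets of a session flow, and the replies of a DNAT'ed session, are handled by the binding established for the first packet rather than by re-matching rules, which is what keeps an SNAT rule from rewriting the source of a reply that belongs to a published service.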


    Linux Network Architecture
    ISBN: 131777203
    Year: 2004