How to configure Full Cone NAT with Iptables



Hi Experts;

I want to find the right iptables commands combination to address the following need:

- NEs are NATed thru the linux box (using iptables) towards the WAN cloud, where the NTP servers are situated.
- In order to achieve redundancy, the NTP Servers are in a load balancing cluster with one virtual IP address (
- The problem is that when the NEs request for NTP updates using the, the NTP response is received from one of the actual IP addresses (.200, .230 .240).


The iptables is not allowing this flow, which is normal since the requested vs responding address are not the same ( vs :

Request : UDP ---> (this is Before NAT, of course after NAT the source is
Response: UDP ---> (Response to the WAN address)

I'm wondering if there is any way to let iptables establish the UDP flow only based on the (s-port/d-port) regardless of the IP addresses, and execute the NAT back to

the LAN based on that.

UDP/NTP is just an example, almost all the needed services are setup in the same way (load balancing in Cluster).

View attachment 69

Appreciate your help !

Thanks & Regards


  • fullconenat.jpg
    16.7 KB · Views: 1,833

I might suggest using ipvsadm/keepalived (in masq mode) for the load balancing instead. They are especially tailored for HTTP load balancing, but are flexible enough to load balance most any type of service. In this way, you'll get the responses back from the vip and not the real backend ip, and you can have (more flexible) health checking for bringing backend servers in and out of the pool.