Mandatory lines for NAT instance

Your /etc/sysconfig/iptables should have following lines:

-A POSTROUTING -s PRIVATE_IP_RANGE/16 -o eth0 -j MASQUERADE

Logging connections that use forwarding

If you are forwarding TCP connections from NAT instance to some instance that doesn’t have public IP, you can easily add logging into iptables. Log entries will appear in /var/log/messages.

Config in /etc/sysconfig/iptables:

-A PREROUTING -m state --state NEW -d IP_AT_NAT/32 -p tcp -m tcp --dport 443 -j LOG
--log-prefix " [>] New 443 Forward"
-A PREROUTING -d IP_AT_NAT/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination IP_AT_DESTINATION:443

Lines in /var/log/messages:

TIMESTAMP HOSTNAME kernel: [...]  [>] New 443 ForwardIN=eth0 OUT= MAC=MAC_ADDRESS SRC=PUBLIC_IP DST=IP_AT_NAT LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=8304 DF PROTO=TCP SPT=38660 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0