On my Linux machine I have two NICs with the following IPs on eth0 and eth1 respectively.

EXTIP=xxx.xxx.xxx.1 (External PUBLIC IP on eth0)
INTGW= (Gateway for Internal Network on eth1)

INTIP= (Internal Server)

Normally, if any one wants to access my server which is running in DMZ (With a private IP) then, we will write a DNAT rules in iptables like

iptables -p tcp -t nat -A PREROUTING -i eth0-s aaa.bbb.ccc.ddd -j DNAT --to-destination


iptables -p tcp -t nat -A PREROUTING -i eth1 -s aaa.bbb.ccc.ddd -d xxx.xxx.xxx.1 -j DNAT --to-destination

Both the above rules are working fine for me.
For ex: If a client from the ip aaa.bbb.ccc.ddd tries to connect to port 22 on the IP xxx.xxx.xxx.1 then, it will be DNATed to and as I mentioned above this is working fine for me.

But, xxx.xxx.xxx.1 is my firewall's (Primary) IP which we donít want to disclose to anybody as security concern. Instead, we want to give another IP (Ex: xxx.xxx.xxx.2) to access my internal server ( to our client.

One solution, which I have for this is, assigning xxx.xxx.xxx.2 as an alias IP to my external NIC and my iptables rule should be either

iptables -p tcp -t nat -A PREROUTING -i eth1 -s aaa.bbb.ccc.ddd -j DNAT --to-destination
iptables -p tcp -t nat -A PREROUTING -i eth1 -s aaa.bbb.ccc.ddd -d xxx.xxx.xxx.2 -j DNAT --to-destination

With this, without changing any other settings client can able to access my internal server ( from his IP (aaa.bbb.ccc.ddd) i.e. client will do ssh to xxx.xxx.xxx.2 and because of our DNAT rule he will be DNATed to automatically.

Here, creating an alias IP is not at all a secure way as both the IPs (xxx.xxx.xxx.1 and xxx.xxx.xxx.2) are open to internet. So, without IP aliasing, How to DNAT a packet which is coming for xxx.xxx.xxx.2 to my internal IP.

In simple way, with out IP aliasing How to DNAT (one to one only) on other public IP which is not assigned on my firewall box. I believe, in iptables, for DNAT rule, we donít require writing a separate SNAT rule again.