Destination Network Address Translation (DNAT)
Destination Network Address Translation (DNAT) is used when an external host initiates a connection into a private network. It translates the public destination IP address that the external host sends to into the private IP address of an internal host. DNAT can also translate the destination port in TCP/UDP headers. The mapping can cover all TCP/UDP ports of the public address, or, if port forwarding is enabled, only the specific ports that have been configured.
DNAT comes into play when an external untrusted network initiates communication with an internal secured network. It allows any host on the internet to reach a single, chosen host on the LAN through the public address.
DNAT changes the destination address in the IP header of a packet, and may also alter the destination port in TCP/UDP headers. It is commonly used to redirect incoming packets with a destination of a public address/port to a private IP address/port inside an internal network. For example, DNAT is used to allow external internet users to access a web service hosted inside a data center behind a firewall.
In essence, DNAT changes the destination address of packets passing through the router. The translation happens before the routing decision is made.
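As an added illustration (not part of the original text), the following Python model applies the rules described above to constructed packets: a port-forward entry that translates only one public port, a 1:1 entry that maps every port, and a connection table so that the LAN host's reply is rewritten back to the public source address on its way out. Packets to an address or port with no configured mapping are simply not forwarded. All addresses are constructed documentation-range values.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP/TCP(UDP) header: the fields DNAT touches."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class DnatTable:
    """DNAT rules plus a connection table used to un-translate replies.

    A rule keyed (public_ip, None, None) maps every port 1:1 to the private
    host; a rule keyed (public_ip, port, proto) is a port forward and only
    that port is translated (the port-forwarding behaviour described above).
    """

    def __init__(self):
        self.rules = {}
        self.conntrack = {}

    def add_rule(self, public_ip, private_ip, public_port=None,
                 private_port=None, proto="tcp"):
        key = (public_ip, public_port, proto if public_port else None)
        self.rules[key] = (private_ip, private_port)

    def inbound(self, pkt):
        """Translate an inbound packet before routing; None = no mapping."""
        target = (self.rules.get((pkt.dst_ip, pkt.dst_port, pkt.proto))
                  or self.rules.get((pkt.dst_ip, None, None)))
        if target is None:
            return None  # unconfigured port or address: not forwarded
        priv_ip, priv_port = target
        new_port = priv_port if priv_port is not None else pkt.dst_port
        # Remember the original public destination so the reply can be
        # rewritten back; keyed on the 5-tuple as seen from the LAN side.
        self.conntrack[(pkt.proto, pkt.src_ip, pkt.src_port,
                        priv_ip, new_port)] = (pkt.dst_ip, pkt.dst_port)
        return replace(pkt, dst_ip=priv_ip, dst_port=new_port)

    def outbound_reply(self, pkt):
        """Reverse translation for a LAN host's reply; None if unknown."""
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        orig = self.conntrack.get(key)
        if orig is None:
            return None
        return replace(pkt, src_ip=orig[0], src_port=orig[1])
```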