Differences between SNAT and masquerade in iptables

Source: Internet
Author: User

In iptables you can flexibly perform various kinds of network address translation (NAT).
There are two main types of NAT: SNAT and DNAT.
SNAT stands for source network address translation, that is, translation based on the source address.
For example, several PCs share an Internet connection through an ADSL router, and each PC is configured with an intranet IP address. When a PC accesses the external network, the router replaces the source IP address in the packet header with the router's own IP address, so when an external server such as a web server receives the request, its log records the router's IP address rather than the PC's intranet IP address. Because the source address in the header of the packet the server receives has been replaced, this is called SNAT: translation based on the source address.
DNAT stands for destination network address translation, that is, translation based on the destination address.
A typical application is a web server configured with an intranet IP address, with a firewall in front of it configured with a public IP address. Visitors on the Internet use the public IP address to reach the website: the client sends a packet whose header carries the firewall's public IP address as the destination. The firewall rewrites the packet header once, changing the destination address to the web server's intranet IP address, and then forwards the packet to the web server on the intranet. This change from a public destination address to an intranet one as the packet passes through the firewall is DNAT, translation based on the destination address. MASQUERADE (address masquerading) has a similar effect to SNAT in iptables, but there are also some differences.
With SNAT, the egress IP address range can be a single address or several, for example:
The following command SNATs all packets from the 10.8.0.0/24 network to the IP address 192.168.5.3 before sending them out:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.5.3
The following command SNATs all 10.8.0.0/24 packets to several IP addresses, 192.168.5.3, 192.168.5.4 and 192.168.5.5, before sending them out:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.5.3-192.168.5.5
This is how SNAT is used: the translated source can be one address or several.
But whichever it is, with SNAT you must explicitly specify the IP address or addresses to translate to.
If the system connects through dynamic ADSL dial-up, the outbound IP address (192.168.5.3 here) changes on every dial, and it can change widely; it is not necessarily within 192.168.5.3 to 192.168.5.5. If iptables is configured the way shown above, a problem appears: the server's address changes after every dial, but the IP address in the iptables rule does not change with it, so after each address change you must edit the rule by hand and replace the old fixed IP address with the new one. This is very inconvenient.
MASQUERADE is designed for this scenario. It automatically obtains the current IP address from the server's NIC and uses it for NAT.
For example, the following command:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
Here you do not need to specify the address to SNAT to.
Whatever dynamic IP address eth0 has been given, MASQUERADE reads eth0's current IP address and performs SNAT with it.
In this way, SNAT with a dynamic address is achieved.
Note:
MASQUERADE places slightly more load on the machine. For each matching packet it has to look up the currently available IP address, unlike SNAT, which uses the address stored in the rule. The advantage is that it can be used with addresses obtained by dial-up, such as PPP, PPPoE and SLIP, where the ISP's DHCP assigns the address at random.
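The difference described above, as an added example that is not part of the original article: a small Python model (constructed here, not iptables code) of the nat table's POSTROUTING chain, in which SNAT bakes its --to-source addresses into the rule while MASQUERADE asks the interface for its address when each packet is processed. The eth0 addresses, the 10.8.0.7 client and the redial are all constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    """-A POSTROUTING -s <net> -o <iface> -j SNAT --to-source ... (or -j MASQUERADE)"""
    net: ipaddress.IPv4Network
    iface: str
    target: str            # "SNAT" or "MASQUERADE"
    to_source: tuple = ()  # SNAT only: the address list baked into the rule

def expand_to_source(spec: str) -> tuple:
    """Expand '--to-source A' or '--to-source A-B' into the addresses SNAT may use."""
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p) for p in spec.split("-", 1))
        return tuple(str(ipaddress.IPv4Address(a)) for a in range(int(lo), int(hi) + 1))
    return (spec,)

class PostRouting:
    """Constructed model of the nat table's POSTROUTING chain (not iptables code)."""
    def __init__(self, iface_addr: Callable[[str], str]):
        self.rules = []
        self.iface_addr = iface_addr   # returns an interface's *current* address
    def snat(self, net: str, iface: str, to_source: str) -> None:
        self.rules.append(Rule(ipaddress.ip_network(net), iface, "SNAT", expand_to_source(to_source)))
    def masquerade(self, net: str, iface: str) -> None:
        self.rules.append(Rule(ipaddress.ip_network(net), iface, "MASQUERADE"))
    def translate(self, src: str, out_iface: str) -> str:
        """Source address a packet leaves with; unchanged when no rule matches."""
        for r in self.rules:
            if ipaddress.ip_address(src) in r.net and out_iface == r.iface:
                if r.target == "SNAT":
                    # addresses were fixed when the rule was inserted; a range is spread per source
                    return r.to_source[int(ipaddress.ip_address(src)) % len(r.to_source)]
                return self.iface_addr(r.iface)   # MASQUERADE: looked up at packet time
        return src

def redial_demo() -> tuple:
    """Compare both targets before and after eth0 is handed a new dynamic address."""
    addrs = {"eth0": "192.168.5.3"}            # constructed: address PPPoE gave eth0
    fixed, dyn = PostRouting(addrs.get), PostRouting(addrs.get)
    fixed.snat("10.8.0.0/24", "eth0", "192.168.5.3")
    dyn.masquerade("10.8.0.0/24", "eth0")
    before = (fixed.translate("10.8.0.7", "eth0"), dyn.translate("10.8.0.7", "eth0"))
    addrs["eth0"] = "192.168.9.77"             # constructed: a redial hands out a new address
    after = (fixed.translate("10.8.0.7", "eth0"), dyn.translate("10.8.0.7", "eth0"))
    return before, after
```

After the simulated redial the SNAT rule still stamps the stale 192.168.5.3 on outgoing packets, which is exactly the hand-editing problem the article describes, while the MASQUERADE rule follows eth0's new address.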
