Original article: Differences between SNAT, DNAT and masquerade in iptables. Author: zhengsenlin888
Differences between SNAT, DNAT and masquerade in iptables
Solution
In iptables you can flexibly perform all kinds of network address translation (NAT).
There are two main types of network address translation: SNAT and DNAT.
SNAT is the abbreviation of source network address translation, that is, translation based on the source address.
For example, when several PCs share an Internet connection through an ADSL router, each PC is configured with an intranet IP address.
When a PC accesses the external network, the router replaces the source address in the packet header with the router's own IP address.
When an external server, such as a website's web server, receives the access request,
its log records the IP address of the router rather than the intranet IP address of the PC.
This is because the "source address" in the header of the packet received by the server has been replaced.
That is why it is called SNAT: address translation based on the source address.
DNAT is the abbreviation of destination network address translation,
that is, translation based on the destination address.
A typical application is a web server that is configured with an intranet IP address on the internal network, with a firewall in front of it configured with a public IP address.
Visitors on the Internet use the public IP address to reach this website.
During access, the client sends a packet
whose header carries the firewall's public IP address as the destination address.
The firewall rewrites the packet header, changing the destination address to the intranet IP address of the web server,
and then forwards the packet to the web server on the internal network.
In this way the packet passes through the firewall and an access to a public IP address becomes an access to an intranet address.
DNAT: destination-based network address translation.
Masquerade (address masquerading) has a similar effect to SNAT in iptables, but there are some differences.
With SNAT, the egress IP address can be a single address or a range of addresses, for example:
Run the following command to SNAT all packets from the 10.8.0.0/24 network to the IP address 192.168.5.3 before sending them out:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.5.3
Run the following command to SNAT all packets from 10.8.0.0/24 to one of several IP addresses, here 192.168.5.3, 192.168.5.4 or 192.168.5.5, before sending them out:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.5.3-192.168.5.5
This is how SNAT is used: the translated source can be a single address or multiple addresses.
However, with SNAT, no matter how many addresses are involved, you must explicitly specify the IP address to translate to.
If the system connects through ADSL with dynamic dial-up, the outbound IP address 192.168.5.3 changes with every dial-up,
and the change can be large; the new address is not necessarily within 192.168.5.3 to 192.168.5.5.
In that case, configuring iptables in the way shown above causes a problem:
the server's address changes after each dial-up, but the IP address in the iptables rule does not change automatically.
After every address change you would have to edit the iptables rule by hand and replace the fixed IP address with the new one.
This is very inconvenient to use.
Masquerade is designed for exactly this scenario: it automatically reads the current IP address from the server's NIC and uses it for NAT.
For example, the following command:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
Here you do not need to specify the source address to translate to.
Whatever dynamic IP address eth0 obtains, masquerade reads the current IP address of eth0 and performs SNAT with it.
In this way, SNAT with a dynamic address is achieved.
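To make the difference between the three targets concrete, here is an added example that is not part of the original article: a small Python model of a NAT gateway with connection tracking. It is a simulation of the kernel's behaviour, not iptables itself, and every address in it (10.8.0.0/24 for the LAN, 192.168.5.3 as the static egress address, 203.0.113.77 as the address handed out after a re-dial, 198.51.100.20 as an Internet host) is a constructed sample value. The class names and methods (NatGateway, add_snat, add_masquerade, add_dnat, postrouting, prerouting) are assumptions of this example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import cycle


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Toy model of the nat table: POSTROUTING SNAT/MASQUERADE, PREROUTING DNAT,
    and the conntrack entries that let replies be translated back again."""

    def __init__(self, interfaces):
        # interface name -> its current address; an ADSL re-dial is modelled
        # by assigning a new value to this dict
        self.interfaces = dict(interfaces)
        self.snat_rules = []   # (source network, out interface, picker())
        self.dnat_rules = {}   # (public ip, port) -> (internal ip, port)
        self.conntrack = {}    # translated (src, sport, dst, dport) -> (kind, original packet)

    def add_snat(self, network, out_if, to_source):
        """-j SNAT --to-source X or X-Y: the address is fixed when the rule is added."""
        if "-" in to_source:
            first, last = (int(ip_address(a)) for a in to_source.split("-"))
            pool = cycle(str(ip_address(n)) for n in range(first, last + 1))
            picker = lambda: next(pool)   # simplified: the kernel hashes, we round-robin
        else:
            picker = lambda: to_source
        self.snat_rules.append((ip_network(network), out_if, picker))

    def add_masquerade(self, network, out_if):
        """-j MASQUERADE: the address is read from the interface at translation time."""
        self.snat_rules.append((ip_network(network), out_if,
                                lambda: self.interfaces[out_if]))

    def add_dnat(self, public_ip, port, to_destination, to_port):
        """-j DNAT --to-destination: publish an internal server on the firewall's IP."""
        self.dnat_rules[(public_ip, port)] = (to_destination, to_port)

    def _reply_entry(self, pkt):
        # a reply carries the translated 4-tuple in reverse
        return self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def postrouting(self, pkt, out_if):
        """Packet leaving the gateway: conntrack first, then the first matching SNAT rule."""
        entry = self._reply_entry(pkt)
        if entry and entry[0] == "dnat":            # server's reply: restore the public source
            return replace(pkt, src=entry[1].dst, sport=entry[1].dport)
        for network, rule_if, picker in self.snat_rules:
            if rule_if == out_if and ip_address(pkt.src) in network:
                out = replace(pkt, src=picker())
                self.conntrack[(out.src, out.sport, out.dst, out.dport)] = ("snat", pkt)
                return out
        return pkt

    def prerouting(self, pkt):
        """Packet arriving from the Internet: conntrack first, then DNAT."""
        entry = self._reply_entry(pkt)
        if entry and entry[0] == "snat":            # reply to a NATed LAN host
            return replace(pkt, dst=entry[1].src, dport=entry[1].sport)
        target = self.dnat_rules.get((pkt.dst, pkt.dport))
        if target:
            out = replace(pkt, dst=target[0], dport=target[1])
            self.conntrack[(out.src, out.sport, out.dst, out.dport)] = ("dnat", pkt)
            return out
        return pkt


def snat_fixed():
    """-j SNAT --to-source 192.168.5.3: outbound source rewritten, reply mapped back."""
    gw = NatGateway({"eth0": "192.168.5.3"})
    gw.add_snat("10.8.0.0/24", "eth0", "192.168.5.3")
    out = gw.postrouting(Packet("10.8.0.10", 40000, "198.51.100.20", 80), "eth0")
    reply = gw.prerouting(Packet("198.51.100.20", 80, out.src, out.sport))
    return out.src, reply.dst


def snat_range():
    """-j SNAT --to-source 192.168.5.3-192.168.5.5: each new flow gets an address from the range."""
    gw = NatGateway({"eth0": "192.168.5.3"})
    gw.add_snat("10.8.0.0/24", "eth0", "192.168.5.3-192.168.5.5")
    return [gw.postrouting(Packet("10.8.0.10", 40000 + i, "198.51.100.20", 80), "eth0").src
            for i in range(4)]


def snat_vs_masquerade_after_redial():
    """After a re-dial the fixed SNAT rule keeps the stale address; MASQUERADE follows eth0."""
    fixed = NatGateway({"eth0": "192.168.5.3"})
    fixed.add_snat("10.8.0.0/24", "eth0", "192.168.5.3")
    masq = NatGateway({"eth0": "192.168.5.3"})
    masq.add_masquerade("10.8.0.0/24", "eth0")
    for gw in (fixed, masq):
        gw.interfaces["eth0"] = "203.0.113.77"    # the ISP hands out a new address
    pkt = Packet("10.8.0.10", 40000, "198.51.100.20", 80)
    return fixed.postrouting(pkt, "eth0").src, masq.postrouting(pkt, "eth0").src


def dnat_web_server():
    """Public 192.168.5.3:80 is forwarded to 10.8.0.80:8080; the reply leaves with the public address,
    because the conntrack entry is consulted before the SNAT rule that 10.8.0.80 would otherwise match."""
    gw = NatGateway({"eth0": "192.168.5.3"})
    gw.add_snat("10.8.0.0/24", "eth0", "192.168.5.3")
    gw.add_dnat("192.168.5.3", 80, "10.8.0.80", 8080)
    inbound = gw.prerouting(Packet("198.51.100.20", 51000, "192.168.5.3", 80))
    reply = gw.postrouting(Packet(inbound.dst, inbound.dport, inbound.src, inbound.sport), "eth0")
    return (inbound.dst, inbound.dport), (reply.src, reply.sport)
```

The point of snat_vs_masquerade_after_redial is the one the article makes: the SNAT rule stores an address, whereas MASQUERADE stores only the interface and resolves the address when each new connection is translated. Two practical consequences on a real gateway that the model does not show: forwarding between interfaces only happens with net.ipv4.ip_forward set to 1, and MASQUERADE deliberately forgets its tracked connections when the interface goes down, which is correct for a dial-up link whose address will not come back but means existing connections are dropped on every re-dial.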