http://soft.zdnet.com.cn/techupdate/2008/0317/772069.shtml
The difference between SNAT and MASQUERADE in iptables
Updated: 2008-03-17 15:28:10
Key words: DNAT PC server SNAT iptables operating system firewall
Problem
The difference between SNAT and MASQUERADE in iptables
Solution
iptables can perform many kinds of network address translation (NAT) flexibly.
There are two main types of NAT: SNAT and DNAT.
SNAT is the abbreviation of source network address translation,
that is, translation of the source address.
For example, several PCs share an Internet connection through an ADSL router.
Each PC is configured with an intranet IP.
When a PC accesses the external network, the router replaces the source address in the packet header with the router's own IP.
When a server on the external network, such as a web server, receives the request,
its log records the router's IP address, not the PC's intranet IP.
This is because the "source address" in the header of the packet the server received has been replaced.
Hence the name SNAT: address translation based on the source address.
DNAT is the abbreviation of destination network address translation,
that is, translation of the destination address.
A typical application is a web server on the intranet configured with an intranet IP, with a firewall in front of it configured with a public IP.
Visitors on the Internet use the public IP to access this site.
When they do, the client sends a packet
whose header carries the firewall's public IP as the destination address.
The firewall rewrites the header of this packet once, replacing the destination address with the intranet IP of the web server,
and then forwards the packet to the web server on the intranet.
In this way the packet passes through the firewall, and an access to the public IP becomes an access to an intranet address.
Hence DNAT: network address translation based on the destination.
MASQUERADE (address masquerading) has an effect similar to SNAT in iptables, but there are some differences.
When using SNAT, the egress IP range can be one address or several, for example:
The following command SNATs all packets from the 10.8.0.0 segment to the IP 192.168.5.3 and sends them out:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.5.3
The following command SNATs all packets from the 10.8.0.0 segment to one of several IPs, 192.168.5.3/192.168.5.4/192.168.5.5, and sends them out:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.5.3-192.168.5.5
This is how SNAT is used: the NAT target can be a single address or several addresses.
But with SNAT, however many addresses there are, you must explicitly specify the IP to SNAT to.
If the system dials up over ADSL dynamically, the egress IP 192.168.5.3 changes on every dial,
and the new address will not necessarily fall within the 192.168.5.3 to 192.168.5.5 range.
In that case, if you configure iptables as above, there will be problems,
because after every dial the server's address changes, but the IP in the iptables rule does not change along with it automatically.
After every address change you must manually edit iptables and replace the fixed IP in the rules with the new IP.
This is very inconvenient to use.
MASQUERADE is designed for this scenario: it automatically takes the current IP address of the server's network card and uses it for NAT.
For example, the following command:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
With this configuration you do not need to specify a SNAT target IP.
Whatever dynamic IP the eth0 exit currently has, MASQUERADE automatically reads eth0's current IP address and SNATs with it.
This achieves a very good dynamic SNAT address translation.
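The following script is an added example, not part of the original article, that puts the two styles side by side. It builds the SNAT and MASQUERADE rules from the article (subnet 10.8.0.0/255.255.255.0, interface eth0, addresses 192.168.5.3 to 192.168.5.5) and shows the extra work SNAT needs on a dynamic link: a helper reads the interface's current address with `ip` and re-creates the SNAT rule, which is the step MASQUERADE does for you on every packet. Calling that helper from a PPP/ADSL ip-up hook is an assumption of the example; without arguments the script only prints the commands and touches no rules.

```shell
#!/bin/sh
# Added example (not from the original article). Values below are the
# article's; the ip-up hook usage of reapply_snat is an assumption.

LAN_NET="10.8.0.0/255.255.255.0"
WAN_IF="eth0"

# Rule text for SNAT: the egress address (single or range) must be given explicitly.
snat_rule() {
    # $1 = source network, $2 = outgoing interface, $3 = address or range
    echo "iptables -t nat -A POSTROUTING -s $1 -o $2 -j SNAT --to-source $3"
}

# Rule text for MASQUERADE: no address is given, the kernel reads it from the interface.
masquerade_rule() {
    # $1 = source network, $2 = outgoing interface
    echo "iptables -t nat -A POSTROUTING -s $1 -o $2 -j MASQUERADE"
}

# Current IPv4 address of an interface as reported by "ip" (empty if none).
# This is the lookup a SNAT setup must repeat by hand after every re-dial.
iface_ipv4() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n1
}

# Rebuild the SNAT rule for whatever address the interface has right now.
# Intended for a PPP/ADSL ip-up hook (assumption); flushes only nat/POSTROUTING.
reapply_snat() {
    addr=$(iface_ipv4 "$WAN_IF")
    [ -n "$addr" ] || { echo "no IPv4 address on $WAN_IF" >&2; return 1; }
    iptables -t nat -F POSTROUTING
    eval "$(snat_rule "$LAN_NET" "$WAN_IF" "$addr")"
}

# Dry run: print the three rule variants discussed in the article.
show_rules() {
    snat_rule "$LAN_NET" "$WAN_IF" 192.168.5.3
    snat_rule "$LAN_NET" "$WAN_IF" 192.168.5.3-192.168.5.5
    masquerade_rule "$LAN_NET" "$WAN_IF"
}

case "${1:-}" in
    apply-snat) reapply_snat ;;                                  # needs root; fixed-IP style
    apply-masq) eval "$(masquerade_rule "$LAN_NET" "$WAN_IF")" ;; # needs root; dynamic style
    *) show_rules ;;                                             # default: only print
esac
```

After applying either variant, `iptables -t nat -L POSTROUTING -v -n` shows the rule with its packet and byte counters, which is the quickest way to confirm that traffic from the 10.8.0.0 segment is actually being translated; with the SNAT variant, check that the `to:` address still matches the interface after a re-dial.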