Definitions of SNAT, DNAT, and masquerade in iptables

Source: Internet
Author: User

In iptables, you can flexibly perform various kinds of network address translation (NAT). There are two main types of NAT: SNAT and DNAT.

SNAT is the abbreviation of source network address translation. A typical example is several PCs sharing an ADSL router to reach the Internet. Each PC is configured with an intranet IP address. When a PC accesses the external network, the router replaces the source IP address in the packet header with the router's own IP address, so when an external server, such as a website's web server, receives the request, its log records the IP address of the router rather than the intranet IP address of the PC. Because the "source address" in the header of the packet received by the server has been replaced, this is called SNAT: translation based on the source address.

DNAT is the abbreviation of destination network address translation. A typical application is a web server configured with an intranet IP address, with a firewall configured with a public IP address in front of it. A visitor on the Internet uses the public IP address to access the website. The client sends a packet whose destination address is the public IP address of the firewall; the firewall rewrites the packet header, changing the destination address to the intranet IP address of the web server, and then forwards the packet to the intranet web server. The packet passes through the firewall and its destination changes from a public IP address to an intranet address; that is DNAT.

Masquerade (address masquerading) is a special case of SNAT that performs SNAT automatically.

Masquerade has a similar effect to SNAT, but there are some differences. With SNAT, the egress IP address range can be a single address or several addresses, for example:

Run the following command to SNAT all packets from the 10.8.0.0 subnet to the IP address 192.168.5.3 before sending them out:

iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.5.3

Run the following command to SNAT all 10.8.0.0 packets to one of several IP addresses, such as 192.168.5.3, 192.168.5.4 or 192.168.5.5, before sending them out:

iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.5.3-192.168.5.5

This is how SNAT is used: NAT can translate to one address or to several. However, with SNAT, no matter how many addresses are used, you must specify the IP address(es) to translate to. If the current system uses ADSL dynamic dialing, the outbound IP address 192.168.5.3 changes after each dial, and the change can be large: the new address is not necessarily between 192.168.5.3 and 192.168.5.5. If iptables is configured in this way, a problem arises: the server address changes after each dial, but the IP address in the iptables rule does not change automatically, so after each address change you must manually modify iptables and replace the fixed IP address in the rule with the new one. This is very inconvenient.

Masquerade is designed for this scenario. Its role is to automatically obtain the current IP address from the server's NIC and use it for NAT.

For example, the following command:

iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE

With this configuration, you do not need to specify the SNAT target IP. Whatever dynamic IP address the eth0 egress interface obtains, masquerade automatically reads the current IP address of eth0 and then performs SNAT; in this way, SNAT with a dynamic address is achieved.
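The following toy model, added here as an illustration and not part of the original page or of iptables itself, shows what the SNAT, MASQUERADE and DNAT rules above do to a packet header: each rule rewrites one address, a conntrack-style table records the mapping so replies can be restored, and MASQUERADE differs from SNAT only in reading eth0's address at rewrite time. The addresses, ports and the eth0 redial in redial_demo are constructed sample values.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src sport dst dport")  # the IP/port header fields NAT touches


class NatBox:
    def __init__(self, current_eth0_ip):
        # Callable returning eth0's address *now*; with ADSL dial-up it changes between calls.
        self.current_eth0_ip = current_eth0_ip
        self.conntrack = {}  # (translated addr, port) -> original addr, so replies can be undone

    def snat(self, pkt, subnet, to_source):
        # POSTROUTING -s subnet -o eth0 -j SNAT --to-source <fixed address>
        if ip_address(pkt.src) not in ip_network(subnet):
            return pkt
        self.conntrack[(to_source, pkt.sport)] = pkt.src
        return pkt._replace(src=to_source)

    def masquerade(self, pkt, subnet):
        # -j MASQUERADE: the same SNAT, but the address is read from eth0 at rewrite time
        return self.snat(pkt, subnet, self.current_eth0_ip())

    def dnat(self, pkt, public_ip, to_destination):
        # PREROUTING -d public_ip -j DNAT --to-destination <intranet web server>
        if pkt.dst != public_ip:
            return pkt
        self.conntrack[(to_destination, pkt.dport)] = public_ip
        return pkt._replace(dst=to_destination)

    def untranslate_reply(self, pkt):
        # Reply traffic: look up the recorded mapping and restore the address the peer never saw
        if (pkt.dst, pkt.dport) in self.conntrack:  # reply to a SNAT/MASQUERADE flow
            return pkt._replace(dst=self.conntrack[(pkt.dst, pkt.dport)])
        if (pkt.src, pkt.sport) in self.conntrack:  # reply from a DNAT'd server
            return pkt._replace(src=self.conntrack[(pkt.src, pkt.sport)])
        return pkt


def redial_demo():
    """Constructed scenario: eth0 gets a new address after a redial; MASQUERADE follows, SNAT does not."""
    eth0 = ["192.168.5.3"]
    box = NatBox(lambda: eth0[0])
    pc = Packet("10.8.0.7", 40000, "203.0.113.10", 80)
    lan = "10.8.0.0/255.255.255.0"
    before = (box.snat(pc, lan, "192.168.5.3").src, box.masquerade(pc, lan).src)
    eth0[0] = "192.168.5.9"  # the ISP handed out a different address on redial
    after = (box.snat(pc, lan, "192.168.5.3").src, box.masquerade(pc, lan).src)
    return before, after
```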
