NAT is short for Network Address Translation.
There are two main types of network address translation: SNAT and DNAT, that is, source address translation and destination address translation.
SNAT: source address translation
Example: several PCs sharing one Internet connection through an ADSL router.
Each PC is configured with an intranet IP. When a PC accesses the external network, the router replaces the source address in the packet header with its own public IP.
Explanation: when a server on the external network, for example the Web server of a website, receives the request,
the address it logs is the router's IP, not the PC's intranet IP, because the "source address" in the packet header it received has already been replaced. This is called SNAT, source-based network address translation.
DNAT is destination network address translation, that is, translation based on the destination address.
Example: a typical application is a Web server on the intranet configured with an intranet IP, with a firewall in front of it configured with a public IP.
Visitors on the Internet use the public IP to access this website.
When they do, the client sends out a packet
whose header carries the firewall's public IP as the destination address. The firewall rewrites the header once, replacing the destination address with the Web server's intranet IP,
and then forwards the packet to the Web server on the intranet.
In this way the packet passes through the firewall, and an access to the public IP becomes an access to the intranet address. This is DNAT, destination-based network address translation.
MASQUERADE, address masquerading, has an effect similar to SNAT in iptables, but there are some differences.
With SNAT, the egress IP can be a single address or a range of addresses, for example:
The following command SNATs all packets from the 10.8.0.0/24 segment to the IP 192.168.5.3 before sending them out:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.5.3
The following command SNATs all packets from the 10.8.0.0/24 segment to one of 192.168.5.3, 192.168.5.4 or 192.168.5.5 before sending them out (--to-source accepts a range written as first-last):
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.5.3-192.168.5.5
That is how SNAT is used: it can NAT to one address or to several.
But with SNAT, however many addresses there are, the IP to SNAT to must be stated explicitly in the rule.
If the system connects by ADSL dynamic dial-up, the egress IP (192.168.5.3 in the example) changes on every dial,
and the new address is not necessarily within the 192.168.5.3 to 192.168.5.5 range.
If iptables is configured as above, this causes a problem:
the server's address changes after every dial, but the IP in the iptables rule does not change with it.
Every time the address changes, the rule has to be edited by hand to replace the fixed IP with the new one.
That is very awkward to use.
MASQUERADE is designed for this scenario: it reads the current IP address of the server's NIC automatically and uses it for the NAT.
For example, the command below:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
With this configuration there is no need to specify the SNAT target IP.
Whatever address eth0 currently has, MASQUERADE reads it and SNATs the packets out with it.
This gives a proper dynamic SNAT. One consequence to be aware of: MASQUERADE also forgets existing connections when the interface goes down, which is the right behaviour for a dial-up link that is unlikely to come back with the same address, while SNAT keeps them.
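The DNAT setup described earlier and the SNAT-versus-MASQUERADE choice just explained, as one runnable gateway script. This is an added example and not code from the original post; the interface names eth0 (Internet side) and eth1 (intranet side), the web server address 10.8.0.10, the FORWARD rules and the DRY_RUN convention are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal NAT gateway script that
# applies the post's three rule types (SNAT, MASQUERADE, DNAT). The interface
# names, the 10.8.0.0/24 segment and the 10.8.0.10 web server are assumed.
set -eu

WAN_IF="${WAN_IF:-eth0}"              # interface facing the Internet (ADSL side)
LAN_IF="${LAN_IF:-eth1}"              # interface facing the intranet
LAN_NET="${LAN_NET:-10.8.0.0/24}"     # same segment as the post's 10.8.0.0/255.255.255.0
WAN_IP="${WAN_IP:-}"                  # fixed public address; leave empty when it is dynamic
WEB_SERVER="${WEB_SERVER:-10.8.0.10}" # intranet web server reached through DNAT

# Run a command, or only print it when DRY_RUN=1, so the rule set can be
# reviewed on a machine whose live firewall must not be touched.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Pick the egress target: SNAT needs the address spelled out in the rule,
# MASQUERADE reads whatever address the outgoing interface has at send time.
# $1 is the fixed public address, or empty for a dynamic one.
egress_jump() {
    if [ -n "$1" ]; then
        printf 'SNAT --to-source %s\n' "$1"
    else
        printf 'MASQUERADE\n'
    fi
}

# First IPv4 address in the output of `ip -4 addr show dev <if>`, passed in as
# $1 so the parser can be exercised on captured text. This is what a manual
# "re-sync the SNAT rule after every dial" script would have to do; with
# MASQUERADE the kernel does the lookup itself.
parse_ipv4() {
    printf '%s\n' "$1" | sed -n 's/^ *inet \([0-9.]*\)\/.*/\1/p' | head -n 1
}

apply_gateway_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # Egress for the intranet: SNAT to the fixed address, or MASQUERADE.
    # Word splitting of egress_jump's output into separate arguments is intended.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" \
        -j $(egress_jump "$WAN_IP")

    # Ingress for the web server: rewrite the destination on the way in.
    # Replies are un-translated by conntrack, so no matching SNAT is needed.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"

    # DNAT only rewrites the header; the FORWARD chain must still let the
    # traffic through, or the packet never reaches the server.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Usage: DRY_RUN=1 sh nat-gateway.sh apply          (preview the rules)
#        WAN_IP=192.168.5.3 sh nat-gateway.sh apply (fixed address: SNAT)
#        sh nat-gateway.sh apply                    (dynamic address: MASQUERADE)
case "${1:-}" in
    apply) apply_gateway_rules ;;
esac
```

Run it once with DRY_RUN=1 and read the printed commands before applying them; the FORWARD rules are the part most often forgotten when people copy only the nat-table lines from a post like this one.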
SNAT and MASQUERADE in iptables