Linux - Networking forum, LinuxQuestions.org
I'd like some help regarding this issue. I have a book that doesn't cover anything related to MASQUERADE. It only covers DNAT and SNAT. At the office the system admin uses MASQUERADE and I'd like to know what the difference is. In which cases should I use MASQUERADE, and in which cases should I use DNAT/SNAT?
MASQUERADE is usually used for dynamic IPs, while SNAT is used for static IPs (with SNAT you specify the IP you're NATting FROM). DNAT is more used for port forwarding. Check out this page: http://www.baraka.ca/barbwire_tables.asp
Oops, sorry. Like I said, never used it before. My ISP gives me DHCP, so I'm forced to use MASQUERADE. Though I honestly wonder if SNAT has many advantages, if any?
The main difference I can think of is that when the link goes down the NAT table is deleted when using MASQUERADE, since chances are that the IP will change once the link comes back up. This is not true for SNAT. Here the NAT table stays even when the link goes down, so that when it comes back up the connection can continue without a new handshake (provided it didn't time out on either side). Also SNAT performs a little better since it doesn't need to figure out the IP that belongs to the interface the NATing is done for. (This, however, doesn't really have any noticeable effect now that most routers have an abundance of CPU cycles to burn.)
Are these rules OK? And second: would the security of my network be compromised in any way? (Thinking right, security has nothing to do with NAT. Security is about the filter table, isn't it? But I'd like to read that it doesn't from someone more experienced.)
I use DHCP too, but knowing a bit more wouldn't hurt anyone. Plus! On a big network that uses a static valid IP, probably that line using the SNAT rule would bring, if not much, probably a little more productivity to that network, wouldn't it?
With realistically modern routing equipment (read: old p2 pcs) you can pretty much NAT most connections with no problem.
NAT is generally considered GOOD for security because it makes it impossible for the outside world to connect to the NATted computers without your permission. For example, to run a server behind NAT, you need to enable port forwarding and forward the proper port in.
Of course, the filter table is also important in locking it down more.
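Constructed example, not posted by anyone in this thread: a POSIX shell function that emits an iptables-restore ruleset for a small gateway, choosing MASQUERADE for a DHCP uplink or SNAT for a fixed address as the posts above describe, adding a DNAT port forward, and pairing the NAT rules with the FORWARD filter rules that actually keep unsolicited inbound traffic out. The interface names, addresses and published port are assumed placeholders.

```shell
#!/bin/sh
# Constructed example: emit an iptables-restore ruleset for a small gateway.
# Assumed placeholders: eth0 = uplink, eth1 = LAN, 192.168.1.0/24 = LAN,
# 192.168.1.10 = a web host published on port 80.
# Usage: gen_rules dhcp   |   gen_rules static 203.0.113.5
gen_rules() {
    mode=$1; wan_ip=$2
    WAN_IF=eth0; LAN_IF=eth1; LAN_NET=192.168.1.0/24; WEB=192.168.1.10
    case $mode in
        dhcp) ;;
        static) [ -n "$wan_ip" ] || { echo "static needs an IP" >&2; return 1; } ;;
        *) echo "usage: gen_rules dhcp | static <ip>" >&2; return 1 ;;
    esac

    # --- nat table: the address rewriting the thread is about ---
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    # DNAT = port forwarding: inbound :80 on the uplink is sent to the LAN web host
    echo "-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB:80"
    if [ "$mode" = dhcp ]; then
        # Uplink address may change: MASQUERADE looks up the interface address per
        # connection and its conntrack entries are dropped when the link goes down
        echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    else
        # Fixed address: SNAT names it explicitly and state survives a link flap
        echo "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $wan_ip"
    fi
    echo 'COMMIT'

    # --- filter table: NAT hides the hosts, but FORWARD policy enforces it ---
    echo '*filter'
    echo ':FORWARD DROP [0:0]'
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Only the explicitly published service is reachable from the uplink side
    echo "-A FORWARD -i $WAN_IF -d $WEB -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT"
    echo 'COMMIT'
}

# Review the output first, then apply as root: gen_rules dhcp | iptables-restore
if [ $# -gt 0 ]; then gen_rules "$@"; fi
```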