LinuxQuestions.org

Linux - Security: IPTables: DNAT, SNAT and Masquerading (https://www.linuxquestions.org/questions/linux-security-4/iptables-dnat-snat-and-masquerading-264649/)

tarballed 12-09-2004 06:39 PM

IPTables: DNAT, SNAT and Masquerading
 
Just a quick question really.

What is preferred, or better to use? Masquerading? or the *NATS?

I'm planning on using a static IP for a few IPTables based firewalls.

I just bought a book on IPTables and am reading through it. Just trying to see what the difference is between what I listed here.

I appreciate it.

tarballed

Butt-Ugly 12-09-2004 06:55 PM

SNAT and Masquerading are virtually the same, they both change the source address as the packets depart your firewall (POSTROUTING).

Masquerading should be used where you have a dynamic connection and the IP address is likely to change (maybe on ppp0). That way masquerading just picks up the new dynamic IP and uses that to change addresses.

SNAT has some connection tracking advantages where if your link goes down for a short while, it will remember the connections that are still open/active and continue on when the link returns (depending on timeouts etc.). Masq does not; it clears the state each time it comes up as a safeguard.

DNAT changes the destination address of a packet before it is subject to routing (PREROUTING), and is mostly used to allow external (global) IPs into your private network by redirecting it. There are other requirements needed also (input/forward etc.).

Here are some concepts.. http://www.brennan.id.au/06-Firewall_Concepts.html

BU

tarballed 12-10-2004 11:39 AM

So in my guess, since I have a static IP, I do not need to worry about masquerading for the most part. I should work with SNAT and DNAT?

Butt-Ugly 12-10-2004 03:45 PM

SNAT would be better for you than MASQUERADE, but they both work on outbound (leaving the server) packets. They replace the source IP address in the packets with their own external network device's address; when the packet returns, the NAT function knows who sent the packet and forwards it back to the originating workstation inside the network.

Code:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
      (same as)
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source <SERVER'S_EXTERNAL_IP>

DNAT works on packets coming into the server. Here the webserver is located inside the firewall on a bastion host (192.168.1.24). We're letting people in through the external packet filter to the internal web server, and they don't even know it's happening. In fact we could even change the operating port in the bastion web server and just adjust the rule, and they still wouldn't know.

Code:

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.24:80

DNAT and SNAT do different functions; sometimes people get confused and think if they write a SNAT they need to write DNAT as well - not true. Pick which rules you need for the task.

WARNING.. MASQ may work in either direction if your rules are too simple "iptables -t nat -A POSTROUTING -j MASQUERADE". Always specify an (-o) out interface as a minimum guide.

BU.
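The two replies above explain SNAT/MASQUERADE in POSTROUTING, DNAT in PREROUTING, the "other requirements" (FORWARD rules, forwarding enabled) and the warning about an unscoped MASQUERADE rule. The script below is an added example, not code from the thread or from BU: it assembles those pieces into one ruleset for a static-IP firewall and adds a small lint that flags any POSTROUTING SNAT/MASQUERADE rule written without an `-o` interface. The interface names (eth0/eth1), the TEST-NET address 203.0.113.10 and the LAN range are placeholders; 192.168.1.24:80 is the bastion web server from the thread. The rules are printed rather than executed, so the script runs without root; pipe `nat_rules` into `sh` on the firewall to apply them.

```shell
#!/bin/sh
# Added example: build a SNAT + DNAT ruleset for a static-IP firewall
# and lint POSTROUTING rules that forgot the "-o" interface.

WAN_IF="${WAN_IF:-eth0}"                 # assumption: external (internet) interface
LAN_IF="${LAN_IF:-eth1}"                 # assumption: internal (LAN) interface
EXT_IP="${EXT_IP:-203.0.113.10}"         # placeholder static public IP
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # placeholder internal network
WEB_HOST="${WEB_HOST:-192.168.1.24}"     # bastion web server from the thread
WEB_PORT="${WEB_PORT:-80}"

# Print the commands that make up the ruleset (nothing is executed here).
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $EXT_IP
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:$WEB_PORT
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $WEB_HOST --dport $WEB_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}
# Notes on the FORWARD rules: the DNAT rewrite happens in PREROUTING, so by
# the time the packet reaches FORWARD its destination is already
# $WEB_HOST:$WEB_PORT, which is why the last rule matches on the private
# address. Only NEW connections from the LAN outward and NEW connections to
# the published web port inward are accepted; everything else is dropped.

# Lint: read rules on stdin and report any POSTROUTING SNAT/MASQUERADE rule
# that has no "-o" out interface (the too-simple rule warned about above).
# Returns 1 if at least one offending rule was found, 0 otherwise.
lint_postrouting() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *POSTROUTING*MASQUERADE*|*POSTROUTING*SNAT*)
                case " $line " in
                    *" -o "*) ;;                       # scoped to an interface: fine
                    *) echo "UNSCOPED: $line"; bad=1 ;;
                esac ;;
        esac
    done
    return $bad
}

# Usage: print the ruleset, then check it.
#   nat_rules
#   nat_rules | lint_postrouting && echo "POSTROUTING rules are interface-scoped"
```

The lint is deliberately narrow: it only catches the one mistake the thread warns about. Because it reads plain rule lines, it works equally on the script's own output and on the output of `iptables-save`, where SNAT/MASQUERADE rules appear on `-A POSTROUTING ...` lines.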
