IPTables: DNAT, SNAT and Masquerading
Just a quick question, really.
What is preferred, or better to use: masquerading, or the *NATs? I'm planning on using a static IP for a few iptables based firewalls. I just bought a book on iptables and am reading through it. Just trying to see what the difference is between what I listed here. I appreciate it. tarballed
SNAT and Masquerading are virtually the same: they both change the source address as the packets depart your firewall (POSTROUTING).
Masquerading should be used where you have a dynamic connection and the IP address is likely to change (maybe on ppp0). That way masquerading just picks up the new dynamic IP and uses that to change addresses. SNAT has some connection tracking advantages: if your link goes down for a short while, it will remember the connections that are still open/active and continue on when the link returns (depending on timeouts etc.). Masq does not; it clears the state each time it comes up as a safeguard.
DNAT changes the destination address of a packet before it is subject to routing (PREROUTING), and is mostly used to allow external (global) IPs into your private network by redirecting it. There are further requirements needed also (INPUT/FORWARD etc.).
Here are some concepts: http://www.brennan.id.au/06-Firewall_Concepts.html BU
So my guess is, since I have a static IP, I do not need to worry about masquerading for the most part. I should work with SNAT and DNAT?
SNAT would be better for you than MASQUERADE, but they both work on outbound (leaving the server) packets. They replace the source IP address in the packets with that of their own external network device; when the packet returns, the NAT function knows who sent the packet and forwards it back to the originating workstation inside the network.
Code:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Code:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.24:80
WARNING: MASQ may work in either direction if your rules are too simple, e.g. "iptables -t nat -A POSTROUTING -j MASQUERADE". Always specify an out interface (-o) as a minimum guide. BU
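As an added example (not the thread's or BU's own rules): a complete rule set for the case tarballed describes, a firewall that owns a static public IP. It uses SNAT with an explicit --to-source instead of MASQUERADE, the same kind of DNAT port forward as the reply, and the FORWARD rules the reply says are still needed once the NAT rules are in. It goes a little beyond the two one-liners above by wrapping every command so the rule set is printed for review unless APPLY=1 is set, and by refusing the bare POSTROUTING rule the warning is about. The interface names (eth0/eth1), the public address 203.0.113.10, the LAN range 192.168.1.0/24 and the web server 192.168.1.24 are assumed values for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: NAT for a firewall with a STATIC
# public address, as the reply recommends: SNAT (not MASQUERADE) in
# POSTROUTING, DNAT in PREROUTING for a port forward, plus the FORWARD rules
# the nat table alone does not give you.
# Interface names, addresses and the web server are ASSUMED values
# (203.0.113.0/24 is a documentation range); 192.168.1.24 is the host used
# in the reply's own DNAT example.

WAN_IF=eth0
WAN_IP=203.0.113.10
LAN_IF=eth1
LAN_NET=192.168.1.0/24
WEB_SRV=192.168.1.24

# Print each command unless APPLY=1, so the rule set can be reviewed (or
# checked in a test) on a box without root or netfilter.
# "APPLY=1 sh nat.sh" applies it for real.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}
ipt() { run iptables "$@"; }

# Guard against the rule the reply warns about: a POSTROUTING NAT rule with
# no -o rewrites packets leaving on EVERY interface, the LAN side included.
check_postrouting() {
    case " $* " in
        *" POSTROUTING "*)
            case " $* " in
                *" -o "*) return 0 ;;
            esac
            echo "refusing POSTROUTING NAT rule without -o: $*" >&2
            return 1 ;;
    esac
    return 0
}

# All nat-table rules go through the guard first.
nat_rule() {
    check_postrouting "$@" || return 1
    ipt -t nat "$@"
}

nat_rules() {
    # Static address, so SNAT with a fixed --to-source. Its conntrack entries
    # survive a short link outage; MASQUERADE drops them when the interface
    # goes down and would be re-learning the address anyway.
    nat_rule -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    # Port forward: DNAT in PREROUTING rewrites the destination before the
    # routing decision, so the packet is then routed toward the LAN host.
    nat_rule -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SRV:80"
}

filter_rules() {
    # NAT only rewrites addresses; the rewritten packet still crosses FORWARD.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts out to the Internet (SNAT happens afterwards in POSTROUTING).
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # The forwarded web connection: FORWARD sees the post-DNAT destination.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SRV" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
}

all_rules() {
    run sysctl -w net.ipv4.ip_forward=1 &&
    nat_rules &&
    filter_rules
}

all_rules
```

Run it with no arguments to see the seven commands it would issue; set APPLY=1 as root to install them. The guard is deliberately blunt: it does not try to validate iptables syntax, it only enforces the one habit the reply asks for, an explicit -o on anything appended to POSTROUTING.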