LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 12-09-2004, 07:39 PM   #1
tarballed
Member
 
Registered: Jun 2002
Distribution: RH, FC, FreeBSD,OpenBSD
Posts: 326

Rep: Reputation: 30
IPTables: DNAT, SNAT and Masquerading


Just a quick question really.

What is preferred, or better to use? Masquerading? or the *NATS?

I'm planning on using a static IP for a few iPTables based firewalls.

I just bought a book on IPTables and am reading through it. Just trying to see what the difference is between what I listed here.

I appreciate it.

tarballed
 
Old 12-09-2004, 07:55 PM   #2
Butt-Ugly
Member
 
Registered: Nov 2004
Location: Brisbane, Australia
Distribution: Fedora Core 5
Posts: 89

Rep: Reputation: 15
SNAT and Masquerading are virtually the same, they both change the source address as the packets depart your firewall (POSTROUTING).

Masquerading should be used where you have a dynamic connection and the IP address is likely to change (maybe on ppp0). That way masquerading just picks up the new dynamic IP and uses that to change addresses.

SNAT has some connection tracking advantages where if your link goes down for a short while, it will remember the connections that are still open/active and continue on when the link returns (depending on timeouts etc..). Masq does not, it clears the state each time it comes up as a saveguard.

DNAT changes the destination address of a packet before it is subject to routing (PREROUTING), and is mostly used to allow external (global) IPs into your private network by redirecting it. There are after requirements needed also (input/forward etc..).

Here are some concepts.. http://www.brennan.id.au/06-Firewall_Concepts.html

BU
 
Old 12-10-2004, 12:39 PM   #3
tarballed
Member
 
Registered: Jun 2002
Distribution: RH, FC, FreeBSD,OpenBSD
Posts: 326

Original Poster
Rep: Reputation: 30
So in my guess, since I have a static IP, I do not need to worry about masquerading for the most part. I should work with SNAT and DNAT?
 
Old 12-10-2004, 04:45 PM   #4
Butt-Ugly
Member
 
Registered: Nov 2004
Location: Brisbane, Australia
Distribution: Fedora Core 5
Posts: 89

Rep: Reputation: 15
SNAT would be better for you than MASQUERADE, but they both work on outbound (leaving the server) packets. They replace the source IP address in the packets for their own external network device, when the packet returns, the NAT function knows who sent the packet and forwards it back to the originating workstation inside the network.

Code:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
      (same as)
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source <SERVER'S_EXTERNAL_IP>
DNAT works on packets coming into the server. Here the webserver is located inside the firewall on a bastion host (192.168.1.24). We're letting people in through the external packet filter to the internal web server, and they don't even know it's happening. Infact we could even change the operating port in the bastion web server and just adjust the rule, they still wouldn't know.

Code:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.24:80
DNAT and SNAT do different functions, sometimes people get confused and think if they write a SNAT they need to write DNAT as well - not true. Pick which rules you need for the task.

WARNING.. MASQ may work in either direction if your rules are too simple "iptables -t nat -A POSTROUTING -j MASQUERADE". Always specify an (-o) out interface as a minimum guide.

BU.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
MASQUERADE vs. DNAT/SNAT Palula Linux - Networking 9 08-12-2005 11:23 AM
IPtables: SNAT & Aliasing kegwell Linux - Security 2 01-05-2005 09:55 PM
iptables DNAT pshepperd Linux - Security 1 05-22-2004 04:56 PM
[MS Direct Play DNAT SNAT] MrGreg Linux - Networking 2 06-09-2002 07:58 PM
IPTables - DNAT, SNAT, port forwarding FunkFlex Linux - Security 2 01-15-2002 08:18 PM


All times are GMT -5. The time now is 01:01 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration