MASQUERADE vs. DNAT/SNAT

Palula · 08-11-2005, 10:05 AM

Hey there!!

I´d like some help regarding this issue. I have a book that doesnt cover anything related to MASQUERADE. It only covers DNAT and SNAT. At the office the system admin uses MASQUERADE and I´d like to know what is the difference. In wich cases should I use MASQUERADE, and in wich cases should I use DNAT/SNAT.

Thanks!!!

Matir · 08-11-2005, 10:24 AM

MASQUERADE is usually used for dynamic IPs, while SNAT is used for static ips (with SNAT you specify the IP you're natting FROM). DNAT is more used for port forwarding. Check out this page: http://www.baraka.ca/barbwire_tables.asp

Palula · 08-11-2005, 11:41 AM

Thanks a lot.
Nice link. But I already have another question...

Let´s suppose I have a LAN with 99 computers (192.168.100.1-192.168.100.100).

Quote:

(with SNAT you specify the IP you're natting FROM)

In this case I would have to specify a line for each one of the computers of my LAN? That seems like a lot of work to me...

Matir · 08-11-2005, 05:03 PM

no, sorry. You only need one, it just has your static ip in it. I *THINK* (though I've never done SNAT) it would be:

Code:

iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --from 99.99.99.99

Where 99.99.99.99 is your STATIC IP for the outside.

demian · 08-11-2005, 05:34 PM

Quote:

Originally posted by Matir
You only need one, it just has your static ip in it. I *THINK* (though I've never done SNAT)

Yup, that's correct. The syntax, however, is -j SNAT --to-source 99.99.99.99

Matir · 08-11-2005, 06:37 PM

Oops, sorry.

Like I said, never used it before. My ISP gives me DHCP, so I'm forced to use MASQUERADE. Though I honestly wonder if SNAT has many advantages, if any?

demian · 08-11-2005, 06:59 PM

The main difference I can think of is that when the link goes down the nat table is deleted when using MASQUERADE since chances are that the IP will change once the link comes back up. This is not true for SNAT. Here the NAT table stays even when the link goes down so that when it comes back up the connection can continues without a new handshake (provided it didn't time out on either side). Also SNAT performs a little better since it doesn't need to figure out the IP that belongs to the interface the NATing is done for. (This, however, doesn't really have any noticable effect now that most routers have an abundance of cpu cycles to burn.)

Matir · 08-11-2005, 07:04 PM

Yeah, my router is a PII/333. It's load averages are in the .05 range

The conntrack table being flushed, however, is an excellent point that I had not thought of.

Palula · 08-12-2005, 07:01 AM

Ahhhhhhhhhhh!!!
Thanks! I can now see the light.

Let´s create two scenarios:

Network 1: 192.168.100.0/24 - eth0 IP provided by DHCP
Netowrk 2: 192.168.100.0/24 - eth0 IP is static - 200.119.78.110 (tottaly random number)

Network 1 nat rule: iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j MASQUERADE
Network 2 nat rule: iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j SNAT --to-source 200.119.78.110

Are these rules Ok? And second: Would the security of my network be compromised in any way? (Thinking right, security has nothing to do with nat. Security is about the filter table isn´t it? But I´d like to read that it doesn´t from someone more experienced.)

I use DHCP too but knowing a bit more wouldn´t hurt anyone. Plus! On a big network, that uses a static valid IP, probably that line using the SNAT rule would bring, if not much, probably a little more productivity to that network wouldn´t it?

Matir · 08-12-2005, 10:23 AM

With realistically modern routing equipment (read: old p2 pcs) you can pretty much NAT most connections with no problem.

NAT is generally considered GOOD for security because it makes it impossible for the outside world to connect to the NATted computers without your permission. For example, to run a server behind NAT, you need to enable portforwarding and forward the proper port in.

Of course, the filter table is also important in locking it down more.