Hi Guys

I'm studying for an upcoming Exam and just cant get my head around Masquerading with iptables.

Picture this scenario, I have a laptop connected to the internet via a wireless router. On the laptop I have a couple of KVM Virtual Machines, each on a seperate private /24 subnet. If I enable IP forwarding in sysctl, and add a static routing entry both VM's can access the internet just fine. There are no iptables rules in place.

So why would I want to use the masquerading option? Even if I did set the iptables default policy to DROP on the forward chain, I can just add a rule to accept traffic over the interfaces.

I'm obviously missing something really stupid here but just can't get my head around it.

Is masquerading just a way of doing routing with iptables rules instead of creating a static route? Everything I've read makes it look like I have the results of masquerading already yet my iptables config is blank!

Thanks

Masquerading = NAT Overloading (you may want to Google that). It has very little to do with routing, other than the fact that it takes place on a system acting as a router.

And yes, I agree that you seem to have a working NAT setup, even though you haven't created any iptables rules. Perhaps some KVM script adds the required rules automatically? Does iptables -t nat -L POSTROUTING show an empty POSTROUTING chain?

1 members found this post helpful.

Thanks for the reply, I knew it was something stupid!

When looking at iptables -L (input/output/forward) there were no rules, but even if I did an iptables -F the rules were still in the NAT table!