SNAT would be better for you than MASQUERADE, but they both work on outbound (leaving the server) packets. They replace the source IP address in the packets with that of their own external network device. When the packet returns, the NAT function knows who sent the packet and forwards it back to the originating workstation inside the network.
Code:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
(same as)
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source <SERVER'S_EXTERNAL_IP>
DNAT works on packets coming into the server. Here the web server is located inside the firewall on a bastion host (192.168.1.24). We're letting people in through the external packet filter to the internal web server, and they don't even know it's happening. In fact, we could even change the operating port in the bastion web server and just adjust the rule; they still wouldn't know.
Code:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.24:80
DNAT and SNAT perform different functions. Sometimes people get confused and think that if they write an SNAT rule they need to write a DNAT rule as well - not true. Pick which rules you need for the task.
WARNING: MASQ may work in either direction if your rules are too simple, e.g. "iptables -t nat -A POSTROUTING -j MASQUERADE". Always specify an (-o) out interface as a minimum guide.
BU.
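A way to check an existing ruleset for the problem in the warning above, as an added example that is not part of the original post: the function reads `iptables-save -t nat` output and prints every POSTROUTING rule that jumps to MASQUERADE with no `-o` interface. It goes slightly beyond the warning by flagging SNAT rules the same way; the function name, the sample ruleset and the address 203.0.113.5 are constructed for illustration.

```shell
#!/bin/sh
# Flag source-NAT rules (MASQUERADE/SNAT) in POSTROUTING that name no -o interface.
# Reads `iptables-save -t nat` style text on stdin; prints each offending rule.
# find_unscoped_snat is a hypothetical helper name, not an iptables command.
find_unscoped_snat() {
    awk '
        $1 == "-A" && $2 == "POSTROUTING" {
            target = ""; has_out = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && i < NF) target = $(i + 1)
                if ($i == "-o" || $i == "--out-interface") has_out = 1
            }
            if ((target == "MASQUERADE" || target == "SNAT") && !has_out)
                print
        }
    '
}

# Constructed sample ruleset (not from a real host).
# 203.0.113.5 is a documentation address standing in for the external IP.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.24:80
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 203.0.113.5
COMMIT'

# Run the check over the sample; the two rules without -o are printed.
printf '%s\n' "$SAMPLE_RULES" | find_unscoped_snat

# On a live host (as root): iptables-save -t nat | find_unscoped_snat
```
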