Re: [K12OSN] problem with MASQUERADE
- From: "Christopher K. Johnson" <ckjohnson gwi net>
- To: k12osn redhat com
- Subject: Re: [K12OSN] problem with MASQUERADE
- Date: Tue Dec 23 11:41:02 2003
Julius Szelagiewicz wrote:
> On Mon, 22 Dec 2003 jam mcquil com wrote:
> > You want natting but you don't want masquerade?
> > Aren't they the same thing?
> Jim, they are not. Natting refers to going to a private address range from
> an ip address; MASQUERADE *hides* natting. julius
Sorry Julius, I think Jim is right.
masquerade is a specific type of network address translation, equivalent
to source natting (SNAT), but taking the address from the interface, and
invalidating the connection table entries if the interface is brought
down and up again.
One can route packets from a private address subnet over to a public
address subnet, but if not source nat'd in the process then the packets
all show a return address in the private network. And no ISP will route
responses to those packets back to you, so connections fail.
You must apply either a MASQUERADE or SNAT rule to be successful in this
scenario. Something like the following, with either the MASQUERADE or
the SNAT rule uncommented. Use your real public interface address for
this box in lieu of the x.x.x.x
------------------ start snippet of iptables --------------------
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# do masquerading of private->public communications
# If on dynamically assigned public address:
#-A POSTROUTING -o eth1 -j MASQUERADE
# If on statically assigned public address:
#-A POSTROUTING -o eth1 -j SNAT --to-source x.x.x.x
COMMIT
------------------ end snippet of iptables --------------------
Running the k12ltsp distro provided nat service is equivalent to the
MASQUERADE rule plus turning on IP routing.
I suspect the problem is we don't really understand what you are trying to accomplish, and you are frustrated by not being familiar with the nomenclature to describe it accurately. Let's see if we can get back on track.
If you are using squid with transparent proxying, you probably have a rule like this in the nat table for iptables:
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
What this is doing in conjunction with squid is causing any connections to port 80 anywhere outside the private network to terminate at port 3128 on the local eth0 address, unbeknownst to the browsers at the workstations. This is a special form of DNAT, or destination network address translation, wherein the destination IP address is changed to the local machine and the destination port changed to 3128. Squid is listening on that port and making new connections to the intended destinations, thus the outside world sees all connections as originating at the system running squid. That is true if you have the redirect rule above in place, whether or not a MASQUERADE rule is applied.
So those are the pieces and some terminology.
How are they deployed in your environment?
And what is it you are trying to accomplish?
Chris
--
-----------------------------------------------------------
"Spend less! Do more! Go Open Source..." -- Dirigo.net
Chris Johnson, RHCE #807000448202021
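Added example (not from the original post or from k12ltsp): a small POSIX shell function that writes the complete nat table described in this thread for iptables-restore, with the transparent-squid REDIRECT rule plus either the MASQUERADE rule (dynamic public address) or the SNAT rule (static public address). The interface names eth1/eth0 and the address 203.0.113.5 are assumptions; 203.0.113.5 is a documentation-range placeholder standing in for the x.x.x.x above.

```shell
#!/bin/sh
# gen_nat_table PUBLIC_IF LAN_IF MODE [PUBLIC_IP]
#   MODE is "masquerade" (public address assigned dynamically) or
#   "snat" (static public address; PUBLIC_IP is then required).
# Prints an iptables-restore fragment on stdout; returns 1 on bad arguments.
gen_nat_table() {
    public_if=$1; lan_if=$2; mode=$3; public_ip=$4
    case "$mode" in
        masquerade)
            # takes the source address from the interface and drops its
            # conntrack entries if the interface goes down and up again
            post="-A POSTROUTING -o $public_if -j MASQUERADE" ;;
        snat)
            if [ -z "$public_ip" ]; then
                echo "snat mode needs the static public address" >&2
                return 1
            fi
            # fixed source address; survives interface flaps
            post="-A POSTROUTING -o $public_if -j SNAT --to-source $public_ip" ;;
        *)
            echo "unknown mode: $mode (use masquerade or snat)" >&2
            return 1 ;;
    esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# transparent squid: LAN port-80 connections are DNAT'd to squid on port 3128
-A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-port 3128
# source NAT: without this, replies to private addresses never come back
$post
COMMIT
EOF
}

# Stand-alone run: print the dynamic-address variant. To apply it (as root):
#   gen_nat_table eth1 eth0 masquerade | iptables-restore
# and turn on IP routing:  sysctl -w net.ipv4.ip_forward=1
gen_nat_table eth1 eth0 masquerade
```

The REDIRECT line is restricted to packets arriving on the LAN interface, so only workstation traffic is pulled into squid.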