MASQUERADE and SNAT

Robert Nichols rnichols42 at comcast.net
Mon Mar 14 18:37:42 UTC 2005


Claude Jones wrote:
> I recently have had to configure the same Linux box in two
> different locations. This machine is serving as a router, web
> gateway, dhcp controller for my lan, and web server, among other
> things. I had a huge hassle configuring the first time, because
> the iptables manual, and numerous tutorials I used on the net all
> said to configure my iptables with SNAT to allow access to the net
> from inside the lan. FC3's iptables manual is explicit about this:
> SNAT is for use with static IP addresses and MASQUERADE is for use
> with dynamic ones, they cite dialup. Despite this, after many
> hassles, I believe it was Scot H who suggested I had to implement
> MASQUERADE, even in my configuration. The same problem just
> reoccurred at home. I began having problems as soon as I brought
> the machine home, and that led to a concatenated series of
> trial-and-error attempts, that led to my turning off MASQUERADE;
> in the end, when I got everything else configured right, the final
> step was to turn MASQUERADE back on.
> 
> So, my questions: Is this a product of my imperfect reading of the
> manual, an instance of wrong documentation, a bit of both? By
> using MASQUERADE and not SNAT, have I exposed my box to any
> mischief?

MASQUERADE is just a special form of SNAT that automatically picks
up the external IP address from the outgoing interface.  For SNAT,
you have to supply the --to-source address, and making that match
a dynamically assigned IP address would be a problem.  MASQUERADE
also has the effect that the connection is forgotten when the
interface goes down, whereas SNAT tracking information would remain.
That makes MASQUERADE preferable if you are likely to get a
different IP address each time you connect.  The old connection is
lost anyway, so there's no point in keeping the tracking entry.

While the connection is established, MASQUERADE and SNAT behave
the same.

-- 
Bob Nichols         rnichols42 at comcast.net
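The two rule forms Bob describes, side by side, as an added example (not code from the thread): a small POSIX shell script that emits the POSTROUTING rule for either case, refusing a static SNAT without its --to-source address, and pairs it with the FORWARD filter rules that NAT alone does not provide. Interface names (eth0, eth1, ppp0), the LAN network and the external address 203.0.113.10 are constructed placeholders. IPT defaults to "echo iptables", so running the script is a dry run that prints the commands; set IPT=iptables as root to apply them.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# IPT defaults to a dry run that prints the commands; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

# nat_rules MODE WAN_IF LAN_NET [STATIC_ADDR]
#   "static"  -> SNAT with a fixed --to-source address (must be supplied)
#   "dynamic" -> MASQUERADE, which reads the address from WAN_IF at match time
#                and drops its conntrack entries when the interface goes down,
#                so it suits links that get a new address on every connect
nat_rules() {
    mode=$1; wan=$2; lan_net=$3; addr=$4
    case "$mode" in
        static)
            [ -n "$addr" ] || { echo "static mode needs the external address" >&2; return 1; }
            $IPT -t nat -A POSTROUTING -s "$lan_net" -o "$wan" -j SNAT --to-source "$addr"
            ;;
        dynamic)
            $IPT -t nat -A POSTROUTING -s "$lan_net" -o "$wan" -j MASQUERADE
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1
            ;;
    esac
}

# forward_rules WAN_IF LAN_IF
#   Address translation does not filter anything. Without these rules, every
#   host the box is willing to forward to is reachable from the WAN side.
#   Allow LAN-originated traffic out, only replies back in, drop the rest.
forward_rules() {
    wan=$1; lan=$2
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    $IPT -A FORWARD -i "$wan" -o "$lan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Dry-run both configurations with constructed interface names and addresses.
echo sysctl -w net.ipv4.ip_forward=1
nat_rules static  eth0 192.168.1.0/24 203.0.113.10   # fixed public address
nat_rules dynamic ppp0 192.168.1.0/24                 # dial-up / DHCP-assigned address
forward_rules eth0 eth1
```

Running the script as-is prints the rule set so it can be reviewed before anything is changed; the only operational difference between the two NAT lines is the target and, for SNAT, the mandatory address argument, which is exactly why a dynamically addressed link ends up needing MASQUERADE.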
