[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]


I am trying to figure out which is the best way to do some masquerading
of my internal LAN.

Now after reading the howtos it seems it is possible to use SNAT or
MASQUERADE.  The document says you should use MASQUERADE if you are on a
dynamic IP address (which I am).  However, I can easily determine my IP
address for my firewall script and do exactly this anyway.  So I would
think that either option is open.  Also the document says that SNAT is
more efficient because it says that MASQUERADE has to look up the IP
address _each_ time.

So to give some fixed examples:

I thought I could use rules like this:
INET_IP=`ifconfig $EXT_IF | grep inet | cut -d : -f 2 | cut -d \  -f 1`
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source $INET_IP

or I could use a rule like this:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Which would be the best way in terms of efficiency and security?


Attachment: pgphiqAWiLgRX.pgp
Description: PGP signature

Reply to: