
Re: SNAT or MASQUERADE?



On Sun, Dec 02, 2001 at 03:59:55AM -0800, Jeremy T. Bouse wrote:
> On Sun, Dec 02, 2001 at 05:05:04PM +1000, mdevin@ozemail.com.au wrote:
> > I just found this in the NAT-Howto:
> > ----- snip ------
> > There is a specialized case of Source NAT called masquerading: it should
> > only be used for dynamically-assigned IP addresses, such as standard
> > dialups (for static IP addresses, use SNAT above). 
> > 
> > You don't need to put in the source address explicitly with
> > masquerading: it will use the source address of the interface the packet
> > is going out from.  But more importantly, if the link goes down, the
> > connections (which are now lost anyway) are forgotten, meaning fewer
> > glitches when connection comes back up with a new IP address.
> > ----- snip ------
> > 
> 
> 	Glad you found this as I just got home and after reading the initial
> post wondered if someone else was gonna mention this... If you have a 
> dynamic IP and want the script to work no matter what you use MASQUERADE
> and don't specify the IP to masq as... On the other hand if you have static
> addresses that won't change then SNAT is great... 
> 
> 	One drawback of masquerading over SNAT is you can't use DNAT with
> masquerading... Then again without static addresses DNAT really doesn't 
> make much sense...
> 
I didn't know you couldn't use DNAT if you used Masquerading.  Are you
sure?

One case where you may want to do this would be the following:

You have a dialup / cable link to the internet that gets a dynamic IP
assigned.  The firewall box has the connection to the internet with this
dynamic IP.  You have a LAN which can connect to the internet through
the firewall box using Masquerading.

You use one of those dynamic DNS servers to update your IP address to
your registered internet name (this.is.myhost.com).  Thus people can
find you (this.is.myhost.com) and connect from outside.  You have a
Webserver behind your firewall box which you want to DNAT port 80
requests to.  Thus people who try to connect to this.is.myhost.com port
80 will actually connect to the Webserver box behind your firewall.

This I assumed was possible to do, i.e. to use both Masquerading and
DNAT - but each would be operating on different streams of traffic.

I hope this is possible.

Cheers.
Mark.
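The setup Mark describes, written out as a rule set, is added here as an example and is not part of the thread or of the NAT-HOWTO. The interface names (ppp0 for the dialup, eth0 for the LAN), the 192.168.1.0/24 LAN and the web server address 192.168.1.10 are assumptions. The point it shows is that MASQUERADE lives in the POSTROUTING chain and DNAT in PREROUTING, and that the DNAT rule can match on the incoming interface instead of the public address, so neither rule needs to know the dynamic IP. The FORWARD chain is set to DROP and opened only for the two flows the NAT rules create, so the DNAT does not expose anything on the web server beyond port 80.

```shell
#!/bin/sh
# Added example: MASQUERADE for a dynamic-IP uplink plus DNAT of inbound
# TCP/80 to a LAN web server. Interface names and 192.168.1.x addresses
# are constructed assumptions, not values taken from the thread.

# nat_rules WAN_IF LAN_IF WEB_IP
# Prints the commands without running them, so the rule set can be
# reviewed (or diffed against what is already loaded) before it is applied.
nat_rules() {
    wan_if=$1
    lan_if=$2
    web_ip=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -F FORWARD
iptables -P FORWARD DROP
# Outbound LAN traffic: MASQUERADE takes the source address from $wan_if
# at the time the packet leaves, so nothing breaks when the dialup comes
# back with a new IP (existing connections are dropped, as the HOWTO says).
iptables -t nat -A POSTROUTING -o $wan_if -s 192.168.1.0/24 -j MASQUERADE
# Inbound port 80: match on the interface, not on the changing public
# address, and rewrite the destination to the internal web server.
iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport 80 -j DNAT --to-destination $web_ip:80
# FORWARD policy is DROP; allow only what each NAT rule needs.
iptables -A FORWARD -i $lan_if -o $wan_if -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan_if -p tcp -d $web_ip --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of iptables commands the generator emits (handy for a sanity check
# that nothing was lost when the script is edited).
rule_count() {
    nat_rules "$@" | grep -c '^iptables'
}

# apply_nat_rules WAN_IF LAN_IF WEB_IP
# Feeds the generated commands to a shell; needs root and real interfaces.
apply_nat_rules() {
    nat_rules "$@" | sh -e
}

# Usage, as root on the firewall box:
#   nat_rules ppp0 eth0 192.168.1.10        # review first
#   apply_nat_rules ppp0 eth0 192.168.1.10  # then load
```

The NEW,ESTABLISHED match on the DNAT forward rule, together with the final ESTABLISHED,RELATED rule, means replies to masqueraded LAN connections are accepted on the way back in while any other unsolicited inbound traffic hits the DROP policy.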
