On Sun, Dec 02, 2001 at 03:59:55AM -0800, Jeremy T. Bouse wrote:
> On Sun, Dec 02, 2001 at 05:05:04PM +1000, email@example.com wrote:
> > I just found this in the NAT-Howto:
> > ----- snip ------
> > There is a specialized case of Source NAT called masquerading: it should
> > only be used for dynamically-assigned IP addresses, such as standard
> > dialups (for static IP addresses, use SNAT above).
> >
> > You don't need to put in the source address explicitly with
> > masquerading: it will use the source address of the interface the packet
> > is going out from. But more importantly, if the link goes down, the
> > connections (which are now lost anyway) are forgotten, meaning fewer
> > glitches when connection comes back up with a new IP address.
> > ----- snip ------
> >
>
> Glad you found this as I just got home and after reading the initial
> post wondered if someone else was gonna mention this... If you have a
> dynamic IP and want the script to work no matter what you use MASQUERADE
> and don't specify the IP to masq as... On the other hand if you have static
> addresses that won't change then SNAT is great...
>
> One drawback of masquerading over SNAT is you can't use DNAT with
> masquerading... Then again without static addresses DNAT really doesn't
> make much sense...
>

I didn't know you couldn't use DNAT if you used Masquerading. Are you sure?

One case where you may want to do this would be the following:

You have a dialup / cable link to the internet that gets a dynamic IP
assigned. The firewall box has the connection to the internet with this
dynamic IP.

You have a LAN which can connect to the internet through the firewall box
using Masquerading.

You use one of those dynamic DNS servers to update your IP address to your
registered internet name (this.is.myhost.com). Thus people can find you
(this.is.myhost.com) and connect from outside.

You have a Webserver behind your firewall box which you want to DNAT port 80
requests to. Thus people who try to connect to this.is.myhost.com port 80
will actually connect to the Webserver box behind your firewall.

This I assumed was possible to do, i.e. to use both Masquerading and DNAT,
but each would be operating on different streams of traffic.

I hope this is possible.

Cheers.
Mark.
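
The setup described in the message above, as an added example that is not part of the original thread: MASQUERADE sits in the nat POSTROUTING chain and DNAT in nat PREROUTING, and both rules match on the WAN interface rather than on an address, so neither depends on the dynamic IP. The function name gen_ruleset, the interface names ppp0 and eth0, and the web server address 192.168.1.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a gateway whose WAN
# address is dynamic. Interface names and the web server address are
# assumed values supplied by the caller, not taken from the thread.

gen_ruleset() {
    wan_if=$1 lan_if=$2 web_ip=$3

    # Accept only plain interface names and dotted-quad characters, so that
    # caller input cannot smuggle extra rule text into the ruleset.
    for ifname in "$wan_if" "$lan_if"; do
        case $ifname in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface: $ifname" >&2; return 1 ;;
        esac
    done
    case $web_ip in
        ''|*[!0-9.]*) echo "bad address: $web_ip" >&2; return 1 ;;
    esac

    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Inbound: match on the WAN interface, not on an address that may change.
-A PREROUTING -i $wan_if -p tcp --dport 80 -j DNAT --to-destination $web_ip:80
# Outbound: LAN traffic leaves with whatever address the WAN interface holds.
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan_if -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -j ACCEPT
# Only new connections to the web server's port 80 may enter from the WAN.
-A FORWARD -i $wan_if -o $lan_if -p tcp -d $web_ip --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Usage (as root): gen_ruleset ppp0 eth0 192.168.1.10 | iptables-restore
```

The FORWARD rule for port 80 matches the web server's internal address because the filter table sees the packet after PREROUTING has already rewritten its destination.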