iptables: SNAT vs MASQUERADE

To: <debian-firewall@lists.debian.org>
Subject: iptables: SNAT vs MASQUERADE
From: "Jeff Bonner" <jeff@integralogic.com>
Date: Sat, 9 Feb 2002 00:28:26 -0500
Message-id: <[🔎] 007401c1b12a$996ee910$0200a8c0@JEFF>

I'm trying to figure out some things about using MASQUERADE instead of
SNAT.  I have made some assumptions below, please correct me if I'm
wrong.

1) What is the benefit of doing it this way -- not having to specify the
external IP?  If so, I guess it gets the IP from inside the kernel, like
you would normally grep 'inet addr' out of ifconfig.  Does that mean the
firewall doesn't have to be run every time the DHCP changes?

2) The docs say this will use more overhead than SNAT, since it seeks
the external IP every time a chain is traversed.  How much more
intensive is it?  Will a 486/66 with 24MB be enough for 5 LAN users?

3)  Are there any security implications using MASQUERADE instead of SNAT
(less/more secure)?

Thanks in advance,

Jeff Bonner

Reply to:

Follow-Ups:
- Re: iptables: SNAT vs MASQUERADE
  - From: Vineet Kumar <debian-security@virtual.doorstop.net>

Prev by Date: RE: Searching for an appropriate iptables script
Next by Date: Re: Searching for an appropriate iptables script
Previous by thread: iptables firewall example
Next by thread: Re: iptables: SNAT vs MASQUERADE
Index(es):
- Date
- Thread