
Re: iptables: SNAT vs MASQUERADE

* Jeff Bonner (jeff@integralogic.com) [020208 21:30]:
> I'm trying to figure out some things about using MASQUERADE instead of
> SNAT.  I have made some assumptions below, please correct me if I'm
> wrong.
> 1) What is the benefit of doing it this way -- not having to specify the
> external IP?  If so, I guess it gets the IP from inside the kernel, like
> you would normally grep 'inet addr' out of ifconfig.  Does that mean the
> firewall doesn't have to be run every time the DHCP changes?

Right. MASQUERADE is intended for use with dynamic addresses. The other
thing that it does differently is that if the link goes down, entries in
the nat table will be dropped with MASQUERADE. If you're using SNAT, the
entries stay in the table in case the link comes back up momentarily.
This makes sense for MASQUERADE, because when the link comes back up,
the address will (could) be different anyway, so the connections won't
ever be resumed.

> 2) The docs say this will use more overhead than SNAT, since it seeks
> the external IP every time a chain is traversed.  How much more
> intensive is it?  Will a 486/66 with 24MB be enough for 5 LAN users?

I think you'll be fine, if that's all the box will be doing. I'd bet
that the difference is very small. If you keep it lean enough there
should be no problems. I bet a box like that could even run apache
and/or an MTA for you, too, without problems.

> 3) Are there any security implications using MASQUERADE instead of SNAT
> (less/more secure)?

I don't think so; I've never heard of any such things.

good times,

Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume/
"I disapprove of what you say, but I will defend to the death your right
to say it." --Beatrice Hall, The Friends of Voltaire, 1906

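The two NAT set-ups discussed in the thread, side by side, as an added example (this is not code from either poster). It assumes a LAN of 192.168.1.0/24 on eth1, an upstream link on eth0, and, for the SNAT case, a fixed external address of 203.0.113.10 (a documentation-range address standing in for whatever the ISP assigned); the DRY_RUN switch, the rule functions and the MODE variable are my own conventions so the script can be read or exercised on a box without root.

```shell
#!/bin/sh
# Added example: SNAT (static upstream address) versus MASQUERADE (dynamic
# address) for a Linux router doing source NAT for a small LAN.
# Assumed topology (not from the thread): LAN 192.168.1.0/24 on eth1,
# upstream link on eth0, static external IP 203.0.113.10 for the SNAT case.

IPT=${IPT:-/sbin/iptables}
LAN_NET=192.168.1.0/24
LAN_IF=eth1
WAN_IF=eth0
WAN_IP=203.0.113.10

# With DRY_RUN=1 (the default here) each command is printed rather than run,
# so the rule set can be reviewed on a host without root or netfilter.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Static external address: rewrite the source to a fixed IP. Conntrack
# entries are kept if the link flaps, so established flows can resume.
snat_rules() {
    run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" \
        -j SNAT --to-source "$WAN_IP"
}

# Dynamic address (DHCP, PPP): no address given; the kernel takes the
# current address of the outgoing interface. Its conntrack entries are
# forgotten when that interface goes down, since the next address will
# usually differ and the old flows could not be resumed anyway.
masq_rules() {
    run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# The NAT target only rewrites addresses; what is allowed to cross the
# router is decided in the FORWARD chain, and that is identical for both.
forward_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run "$IPT" -P FORWARD DROP
    run "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# MODE=snat for a fixed address, MODE=masquerade (default) for a dynamic one.
MODE=${MODE:-masquerade}
case "$MODE" in
    snat) snat_rules ;;
    masquerade) masq_rules ;;
    *) echo "unknown MODE: $MODE" >&2; exit 1 ;;
esac
forward_rules
```

Run it as `MODE=snat DRY_RUN=1 sh nat.sh` to see the rules, and with `DRY_RUN=0` as root to apply them. The practical difference the reply describes shows up only in the POSTROUTING line: SNAT carries the address in the rule and so must be re-run whenever the address changes, MASQUERADE carries none and reads it from the interface each time.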