
Re: IP Routing



On 7/31/05, LeVA <leva@az.isten.hu> wrote:
> July 31, 2005, 21:43,
> Nelson Castillo <nelsoneci@gmail.com>
> -> Shafiuddin russel <russel_lf@yahoo.com>,debian-firewall@lists.debian.org:
> > Hi.
> >
> > PS:
> >
> > Once you get it to work, read a little about iptables and try to
> > protect yourself.
> > Check this out later:
> > http://cgi.afc.no-ip.info/svnwiki.cgi/default/firewalls This tip is
> > different, because 2 NICs are used.
> 
> Hi!
> 
> I've read that page, and it says that if I have dynamic ip I should use
> MASQUERADE rather than NAT. What is the difference between the two?

I read that the difference is that there is a little more overhead when
doing MASQUERADE, but only for the first packet of the connection.
The kernel will need to query the IP of the outgoing interface for
every packet of a new connection (or for every packet if you're using UDP,
I guess but I'm not sure). This is useful if you have a dynamic address,
but this doesn't make much sense if you have one or more static IPs.

You might find this thread useful:

http://lists.debian.org/debian-firewall/2001/12/msg00006.html

> What if I have a static IP, and I'm using MASQUERADE instead of NAT?

I guess it will just work... if you use MASQUERADE instead of SNAT.
But it's better to use SNAT.

The opposite is not true. If you have a dynamic IP and you use SNAT,
then you will have to run some scripts to update the SNAT IP whenever
your real IP changes.

Regards,
Nelson.-

-- 
Homepage : http://geocities.com/arhuaco

The first principle is that you must not fool yourself
and you are the easiest person to fool.
     -- Richard Feynman.
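
The kind of script the message refers to for keeping an SNAT rule in step with a changing address, as an added example that is not part of the original message. The interface name, the state file path and the 203.0.113.x addresses are assumptions.

```shell
#!/bin/sh
# Added example: keep a static-style SNAT rule correct on a dynamic address.
# WAN_IF, STATE_FILE and the 203.0.113.x addresses are assumptions.
WAN_IF="${WAN_IF:-eth0}"
STATE_FILE="${STATE_FILE:-/var/run/snat-current-ip}"

# With MASQUERADE none of this is needed; one rule follows the interface:
#   iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Read `ip -4 -o addr show dev IF` output on stdin, print the first IPv4.
# Constructed sample line:
#   2: eth0    inet 203.0.113.7/24 brd 203.0.113.255 scope global dynamic eth0
parse_ipv4() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "inet") {
               split($(i + 1), a, "/"); print a[1]; exit } }'
}

# Succeed only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print the iptables commands that move the SNAT rule from $2 (old IP, may
# be empty on first run) to $3 (new IP) on interface $1. Prints nothing
# when the address is unchanged; fails on a malformed new address.
snat_update_cmds() {
    valid_ipv4 "$3" || return 1
    [ "$2" = "$3" ] && return 0
    # Add the new rule before deleting the old one, so the chain is never
    # left without an SNAT rule.
    echo "iptables -t nat -A POSTROUTING -o $1 -j SNAT --to-source $3"
    [ -z "$2" ] || echo "iptables -t nat -D POSTROUTING -o $1 -j SNAT --to-source $2"
}

# Run as "script apply" (as root, e.g. from cron or a DHCP hook) to execute.
if [ "${1:-}" = "apply" ]; then
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    valid_ipv4 "$old" || old=""   # never feed an unchecked value to the shell
    new=$(ip -4 -o addr show dev "$WAN_IF" | parse_ipv4)
    cmds=$(snat_update_cmds "$WAN_IF" "$old" "$new") || exit 1
    [ -n "$cmds" ] || exit 0
    echo "$cmds" | sh -e && echo "$new" > "$STATE_FILE"
fi
```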


