
What is the difference between SNAT and MASQUERADE in iptables

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article mainly explains the difference between SNAT and MASQUERADE in iptables. Interested readers may wish to have a look. The method introduced here is simple, fast and practical, so let the editor take you through "what is the difference between SNAT and MASQUERADE in iptables?"

I. The concept of SNAT and DNAT

iptables can flexibly perform various kinds of network address translation (NAT). There are two main kinds: SNAT and DNAT.

SNAT is an acronym for source network address translation. For example, several PCs share an Internet connection through an ADSL router, and each PC is configured with an intranet IP. When a PC accesses the external network, the router replaces the source address in the packet header with the router's own IP. When a server on the external network, such as a website's web server, receives the request, its log records the router's IP address rather than the PC's intranet IP, because the "source address" in the header of the packet received by that server has already been replaced. It is therefore called SNAT: address translation based on the source address.

DNAT is the abbreviation of destination network address translation. A typical application is a web server placed on the intranet and configured with a private IP, with a firewall in front of it configured with a public IP. Visitors on the Internet use the public IP to access the website. When a visitor's client sends out a packet, the destination address in the packet header is the firewall's public IP. The firewall rewrites the packet header once, changing the destination address to the intranet IP of the web server, and then forwards the packet to the intranet web server. In this way the packet passes through the firewall and its destination changes from the public IP to an intranet address. That is DNAT: destination-based network address translation.

II. MASQUERADE concept

MASQUERADE, address masquerading, has a similar effect to SNAT in iptables, but there are some differences. With SNAT, the egress IP can be a single address or a range of addresses, for example:

The following command indicates that all packets from the 10.8.0.0 network segment are SNATed to the IP 192.168.5.3 and then sent out.

The code is as follows:

iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.5.3

The following command indicates that all packets from the 10.8.0.0 network segment are SNATed to one of the IPs 192.168.5.3, 192.168.5.4 and 192.168.5.5, and then sent out.

The code is as follows:

iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.5.3-192.168.5.5

This is how SNAT is used: it can translate to one address or to several, but in either case the IP to translate to must be specified explicitly. If the system uses ADSL dynamic dialing, the egress IP 192.168.5.3 changes on every dial, and it may change a great deal, not necessarily staying within the range 192.168.5.3 to 192.168.5.5. Configuring iptables in the way shown above then becomes a problem, because the server's address changes after each dial while the IP in the iptables rule does not change automatically. After every address change you must manually modify iptables and replace the fixed IP in the rule with the new one, which is very inconvenient.

MASQUERADE is designed for this scenario: it automatically obtains the current IP address from the server's network card and uses it for NAT.

For example, the following command:

The code is as follows:

iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE

With this configuration there is no need to specify a target IP for the SNAT. Whatever dynamic IP eth0 obtains, MASQUERADE reads eth0's current IP address and SNATs the packet out with it, thus achieving dynamic SNAT address translation.
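As an added example (not from the article), the following POSIX shell script audits POSTROUTING rules for exactly the failure mode described above: SNAT rules whose hard-coded --to-source no longer covers the egress interface's address, while MASQUERADE rules are recognised as self-updating. The rule text and the interface name eth0 are constructed/assumed, so the script runs without iptables installed.

```shell
#!/bin/sh
# Added example, not from the article: audit SNAT rules whose hard-coded
# --to-source no longer covers the egress interface's current address.
# The rule text below is constructed `iptables -t nat -S POSTROUTING` output,
# so the script runs without root or iptables installed.

SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.5.3
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j SNAT --to-source 192.168.5.3-192.168.5.5
-A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE'

# Dotted-quad -> integer, so address ranges can be compared numerically.
# %.0f avoids 32-bit overflow in awk implementations that clamp %d.
ip2int() {
  printf '%s\n' "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# stale_snat_rules RULES CURRENT_IP
# Prints each SNAT rule whose --to-source (a single IP or an IP range) does
# not contain CURRENT_IP. MASQUERADE rules are skipped: they read the
# interface address per packet, so they cannot go stale.
stale_snat_rules() {
  cur=$(ip2int "$2")
  printf '%s\n' "$1" | while IFS= read -r line; do
    case $line in
      *"-j SNAT"*) ;;
      *) continue ;;
    esac
    # Keep only the address part; a trailing ":port-port" is dropped by the pattern.
    src=$(printf '%s\n' "$line" | sed -n 's/.*--to-source \([0-9.-]*\).*/\1/p')
    [ -n "$src" ] || continue
    lo=$(ip2int "${src%-*}")
    hi=$(ip2int "${src#*-}")
    if [ "$cur" -lt "$lo" ] || [ "$cur" -gt "$hi" ]; then
      printf '%s\n' "$line"
    fi
  done
}

# Number of stale rules, convenient for scripts and cron checks.
count_stale() {
  stale_snat_rules "$1" "$2" | awk 'END { print NR }'
}

# Live usage (assumed interface name eth0; needs root):
#   stale_snat_rules "$(iptables -t nat -S POSTROUTING)" \
#     "$(ip -4 -o addr show dev eth0 | awk '{ print $4 }' | cut -d/ -f1)"
count_stale "$SAMPLE_RULES" 192.168.5.4   # prints 1
```

Running the live form after each dial shows immediately which fixed-IP SNAT rules need editing, which is the manual step the MASQUERADE rule removes.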

At this point, I believe you have a deeper understanding of "what is the difference between SNAT and MASQUERADE in iptables". You might as well try it in practice. More related content can be found in the relevant channels of this website; follow us and keep learning!
