- 06-14-2012 #1 (Just Joined!, Join Date Apr 2012, Posts 45)
NAT fun! - do these two lines do the same thing?
Can someone tell me the difference between the next two lines?
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source <server-ip-here>
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
I'm guessing that the first line only affects packets that come in on 10.8.0.x and makes the packet look like it originated from this server.
I'm also guessing that the second line forwards all packets it receives out through the eth0 device. Does the MASQUERADE bit make the packet appear as if it originated from this server just like in the first line?
Stu
- 06-15-2012 #2
It all depends on how you are looking at them. As they are written they both do something different.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source <server-ip-here>
This rule is applied to all packets leaving the firewall and is not looking at the direction. In other words all packets are set to the ip address assigned no matter if they are leaving eth0 or eth1. All packets will have the source address of the assigned ip for that interface that it is exiting through.
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
Says all packets leaving out eth0 should be re-addressed with the server's ip address of that interface.
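To make the difference between the two rules concrete, here is a small model of the POSTROUTING matches involved. It is an added example written for this thread, not code from the thread or from iptables. The addresses (203.0.113.10, 198.51.100.7, 192.168.1.0/24) and the interface table are constructed, <server-ip-here> is filled with the constructed public address, and the model deliberately ignores connection tracking, port remapping and the reply-path un-NAT: it only shows which packets each rule selects and which source address it writes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed interface table (not from the thread): outgoing interface -> address
# currently assigned to it. MASQUERADE reads the address from here at packet time;
# SNAT never consults it, the address is baked into the rule.
INTERFACES: Dict[str, str] = {
    "eth0": "203.0.113.10",  # constructed public-side address (RFC 5737 TEST-NET-3)
    "eth1": "192.168.1.1",   # constructed LAN-side address
}


@dataclass
class Packet:
    src: str        # source address before NAT
    out_iface: str  # interface chosen by routing (what -o / --out-interface tests)


@dataclass
class Rule:
    """A POSTROUTING rule reduced to the two matches and two targets used in the thread."""
    src_net: Optional[str] = None     # -s / --source, None when the rule has no source match
    out_iface: Optional[str] = None   # -o / --out-interface, None when absent
    target: str = "MASQUERADE"        # "SNAT" or "MASQUERADE"
    to_source: Optional[str] = None   # --to-source, only meaningful for SNAT

    def matches(self, pkt: Packet) -> bool:
        # Every match present on the rule must succeed; an absent match is a wildcard.
        if self.src_net is not None and \
                ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.out_iface is not None and pkt.out_iface != self.out_iface:
            return False
        return True

    def new_source(self, pkt: Packet, interfaces: Dict[str, str]) -> str:
        if self.target == "SNAT":
            return self.to_source             # fixed address from --to-source
        if self.target == "MASQUERADE":
            return interfaces[pkt.out_iface]  # whatever the out-interface holds right now
        raise ValueError(f"unsupported target {self.target}")


# The two rules from the first post, <server-ip-here> replaced by a constructed address.
SNAT_RULE = Rule(src_net="10.8.0.0/24", target="SNAT", to_source="203.0.113.10")
MASQ_RULE = Rule(out_iface="eth0", target="MASQUERADE")


def postrouting(pkt: Packet, chain: List[Rule],
                interfaces: Dict[str, str] = INTERFACES) -> Tuple[Optional[int], str]:
    """Walk the chain in order; the first matching rule decides (NAT targets terminate).
    Returns (index of the rule that fired or None, resulting source address)."""
    for i, rule in enumerate(chain):
        if rule.matches(pkt):
            return i, rule.new_source(pkt, interfaces)
    return None, pkt.src


def compare(pkt: Packet, interfaces: Dict[str, str] = INTERFACES) -> Dict[str, str]:
    """Run the same packet through each rule on its own and report the resulting source."""
    return {
        "snat": postrouting(pkt, [SNAT_RULE], interfaces)[1],
        "masquerade": postrouting(pkt, [MASQ_RULE], interfaces)[1],
    }


if __name__ == "__main__":
    cases = {
        "VPN client to the internet": Packet("10.8.0.5", "eth0"),
        "VPN client to the LAN": Packet("10.8.0.5", "eth1"),
        "LAN host to the internet": Packet("192.168.1.50", "eth0"),
    }
    for label, pkt in cases.items():
        print(f"{label:28} src={pkt.src:13} out={pkt.out_iface}: {compare(pkt)}")
    # Server re-addressed: MASQUERADE follows the interface, the SNAT rule keeps the old value.
    moved = dict(INTERFACES, eth0="198.51.100.7")
    print("after re-addressing eth0:", compare(Packet("10.8.0.5", "eth0"), moved))
```

Running it shows the three situations the thread is circling around: a VPN client going out eth0 gets the same public source from either rule; a VPN client going to the LAN via eth1 is still rewritten by the source-only SNAT rule but untouched by the eth0-only MASQUERADE rule; a LAN host going out eth0 is rewritten only by MASQUERADE. The last print reproduces the point made later in the thread about moving the server: after eth0 is re-addressed, MASQUERADE picks up the new address while the SNAT rule keeps writing the stale one. The practical check on a real box is `iptables -t nat -L POSTROUTING -v -n`, whose per-rule packet counters tell you which of the two rules is actually catching traffic.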
- 06-15-2012 #3
Thanks for that. The last point was interesting. I didn't realise that. I guess that makes the first rule pretty dumb, as it would make all the packets received appear as if they originated from the server. If you applied an outward direction and interface eth0 to the first rule, they would do the same thing, but the first would cost less resources, right (assuming you had a static instead of a dynamic ip)? It doesn't have to look up the ip every time.
- 06-17-2012 #4
Some say you should use SNAT when you know the IP Address. I use MASQ all the time. It is simple and effective all the time. And should the server happen to be moved and re-addressed I don't have to remember to make any changes to the firewall rule.
- 06-28-2012 #5
Thanks again! I'd give you a +1 but there doesn't appear to be any type of rating system on here.