Claude Jones wrote:
> I recently have had to configure the same Linux box in two
> different locations. This machine is serving as a router, web
> gateway, dhcp controller for my lan, and web server, among other
> things. I had a huge hassle configuring the first time, because
> the iptables manual and numerous tutorials I used on the net all
> said to configure my iptables with SNAT to allow access to the net
> from inside the lan. FC3's iptables manual is explicit about this:
> SNAT is for use with static IP addresses and MASQUERADE is for use
> with dynamic ones; they cite dialup. Despite this, after many
> hassles, I believe it was Scot H who suggested I had to implement
> MASQUERADE, even in my configuration. The same problem just
> reoccurred at home. I began having problems as soon as I brought
> the machine home, and that led to a concatenated series of
> trial-and-error attempts that led to my turning off MASQUERADE;
> in the end, when I got everything else configured right, the final
> step was to turn MASQUERADE back on.
> So, my questions: Is this a product of my imperfect reading of the
> manual, an instance of wrong documentation, a bit of both? By
> using MASQUERADE and not SNAT, have I exposed my box to any
> mischief?
MASQUERADE is just a special form of SNAT that automatically picks
up the external IP address from the outgoing interface. For SNAT,
you have to supply the --to-source address, and making that match
a dynamically assigned IP address would be a problem. MASQUERADE
also has the effect that the connection is forgotten when the
interface goes down, whereas SNAT tracking information would remain.
That makes MASQUERADE preferable if you are likely to get a
different IP address each time you connect. The old connection is
lost anyway, so there's no point in keeping the tracking entry.
While the connection is established, MASQUERADE and SNAT behave
the same.
--
Bob Nichols rnichols42@xxxxxxxxxxx
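As an added example that is not part of the original thread, here is a small POSIX shell script that emits the POSTROUTING rule for each case Bob describes (SNAT with an explicit --to-source for a static address, MASQUERADE for a dynamic one) together with a matching FORWARD policy. The interface names, the LAN subnet and the 203.0.113.5 address are assumed placeholders, and DRY_RUN=1 prints the rules instead of handing them to iptables.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface names, subnet and
# addresses are assumptions; set DRY_RUN=1 to print rules instead of applying.

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# nat_rule MODE WAN_IF LAN_NET [STATIC_IP]
#   static  -> SNAT; the --to-source address is mandatory and fixed.
#   dynamic -> MASQUERADE; the address is read from WAN_IF per packet and
#              the conntrack entries are dropped when WAN_IF goes down.
nat_rule() {
    mode=$1; wan=$2; lan=$3; ip=$4
    case $mode in
        static)
            [ -n "$ip" ] || { echo "SNAT needs a --to-source address" >&2; return 1; }
            run iptables -t nat -A POSTROUTING -s "$lan" -o "$wan" -j SNAT --to-source "$ip"
            ;;
        dynamic)
            [ -z "$ip" ] || { echo "MASQUERADE takes no fixed address (got $ip)" >&2; return 1; }
            run iptables -t nat -A POSTROUTING -s "$lan" -o "$wan" -j MASQUERADE
            ;;
        *)
            echo "unknown mode: $mode (use static or dynamic)" >&2; return 1
            ;;
    esac
}

# Forwarding policy that goes with either target: LAN hosts may open
# connections outward; from the outside only replies to those are let in.
forward_rules() {
    wan=$1; lan_if=$2; lan=$3
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$lan_if" -s "$lan" -o "$wan" -j ACCEPT
    run iptables -A FORWARD -i "$wan" -o "$lan_if" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}
```

Whichever target you choose, it is the FORWARD policy rather than SNAT-versus-MASQUERADE that decides what can reach the LAN from outside; the NAT target only changes where the source address comes from and how long the tracking entry survives.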