
Christopher Negus

"Linux Bible, 2008 Edition: Boot up to Ubuntu, Fedora, KNOPPIX, Debian, openSUSE, and 11 Other Distributions"

Choose SNAT if you have a static IP address for your Internet connection, and use
MASQUERADE if the IP address is assigned dynamically.
When you create the MASQUERADE or SNAT rule, it is added to the POSTROUTING chain of the nat
table. For MASQUERADE, you must provide the name of the interface (such as eth0, ppp0, or slip0)
to identify the route to the Internet or other outside network. For SNAT, you must also identify the
actual IP address of the interface.
The following examples assume that the connection to the Internet is provided through the first
Ethernet card (eth0). Here's an example of a MASQUERADE rule:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
And here's an example of a SNAT rule:
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 12.12.12.12
You can add several source addresses if you have multiple addresses that provide a route to the
Internet (for example, --to-source 12.12.12.1-12.12.12.254). Although MASQUERADE
uses some additional overhead, you probably need to use it instead of SNAT if you have a dial-up
connection to the Internet for which the IP address changes on each connection.
Make sure that IP forwarding is turned on in the kernel because it is off by default on most Linux
systems.
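
The choice described above, as an added example (not code from the book): a POSIX shell function prints the MASQUERADE rule when no address is given and the SNAT rule for a static address or range, and a second function reports the kernel forwarding switch. The function names are made up for this example, /proc/sys/net/ipv4/ip_forward is the standard procfs location of that switch, and the rules are printed rather than applied.

```shell
# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# nat_rule IFACE [ADDR | FIRST-LAST]  (hypothetical helper)
# No address: the address is dynamic, so print a MASQUERADE rule.
# Address or range: the address is static, so print a SNAT rule.
nat_rule() {
    iface=$1 src=${2:-}
    case "$iface" in
        ''|[!A-Za-z]*|*[!A-Za-z0-9._-]*)
            echo "bad interface: $iface" >&2; return 2 ;;
    esac
    base="iptables -t nat -A POSTROUTING -o $iface -j"
    if [ -z "$src" ]; then
        echo "$base MASQUERADE"
        return 0
    fi
    first=${src%%-*} last=${src#*-}
    if valid_ipv4 "$first" && valid_ipv4 "$last"; then
        echo "$base SNAT --to-source $src"
    else
        echo "bad source address: $src" >&2; return 2
    fi
}

# forwarding_state [FILE]: report the kernel's IPv4 forwarding switch.
# FILE defaults to the procfs path; a sample file can be passed instead.
forwarding_state() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] || { echo unknown; return 0; }
    if [ "$(cat "$f")" = 1 ]; then echo on; else echo off; fi
}

nat_rule eth0                  # dynamic address on eth0
nat_rule eth0 12.12.12.12      # static address on eth0
echo "IP forwarding: $(forwarding_state)"
```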

