MASQUERADE and SNAT

Claude Jones claude_jones at levitjames.com
Mon Mar 14 17:01:04 UTC 2005


This is really a continuation of a thread "Lan to Wan reprise" but
with a diverging topic. Perhaps someone who didn't follow the
first thread may pick up on this subject line and offer an
explanation. 

I recently have had to configure the same Linux box in two
different locations. This machine is serving as a router, web
gateway, DHCP controller for my LAN, and web server, among other
things. I had a huge hassle configuring it the first time, because
the iptables manual and numerous tutorials I used on the net all
said to configure my iptables with SNAT to allow access to the net
from inside the LAN. FC3's iptables manual is explicit about this:
SNAT is for use with static IP addresses and MASQUERADE is for use
with dynamic ones; they cite dialup. Despite this, after many
hassles, I believe it was Scot H who suggested I had to implement
MASQUERADE, even in my configuration. The same problem just
reoccurred at home. I began having problems as soon as I brought
the machine home, and that led to a concatenated series of
trial-and-error attempts, that led to my turning off MASQUERADE;
in the end, when I got everything else configured right, the final
step was to turn MASQUERADE back on. 

So, my questions: Is this a product of my imperfect reading of the
manual, an instance of wrong documentation, a bit of both? By
using MASQUERADE and not SNAT, have I exposed my box to any
mischief? 

Claude Jones
Bluemont, VA, USA 



 




