MASQUERADE and SNAT

Claude Jones claude_jones at levitjames.com
Mon Mar 14 20:09:23 UTC 2005


Robert Nichols wrote:
| Claude Jones wrote:
|| So, my questions: Is this a product of my imperfect reading of
|| the manual, an instance of wrong documentation, a bit of both?
|| By using MASQUERADE and not SNAT, have I exposed my box to any
|| mischief?
| 
| MASQUERADE is just a special form of SNAT that automatically
| picks up the external IP address from the outgoing interface.
| For SNAT, you have to supply the --to-source address, and
| making that match a dynamically assigned IP address would be
| a problem.
| MASQUERADE also has the effect that the connection is forgotten
| when the interface goes down, whereas SNAT tracking information
| would remain. That makes MASQUERADE preferable if you are
| likely to get a different IP address each time you connect.
| The old connection is lost anyway, so there's no point in
| keeping the tracking entry.
| 
| While the connection is established, MASQUERADE and SNAT behave
| the same.

OK - that makes sense. So, it sounds like I still need to
troubleshoot my SNAT rule. From what you're saying, it doesn't
sound like I've opened any vulnerabilities, though. My SNAT rule
did have the --to-source entry, but I guess I need to take a look
at that syntax again. Thanks. 

Claude Jones
Levit & James, Inc./WTVS
Leesburg, VA, USA
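The two POSTROUTING rules discussed in this thread, written out as an added example rather than anything posted by either participant. The interface names (eth0, ppp0) and the address 203.0.113.5 are constructed placeholders; the only real dependency is iptables/iproute2 syntax, and the script builds the rule strings without applying them, so it can be read and checked before anything is loaded into the nat table.

```shell
#!/bin/sh
# Added example (not from the list thread): build the MASQUERADE and SNAT
# POSTROUTING rules and check that an SNAT --to-source still matches the
# live interface address. Interface names and addresses are constructed.

# MASQUERADE: the kernel takes the outgoing interface's current address at
# translation time, so no --to-source is needed. Suited to dynamic uplinks.
masq_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$1"
}

# SNAT: --to-source must be supplied explicitly. A malformed address is
# rejected here so a typo is caught before iptables ever sees the rule.
snat_rule() {
    iface=$1
    addr=$2
    case $addr in
        ''|*[!0-9.]*) return 1 ;;
    esac
    printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' \
        "$iface" "$addr"
}

# Current IPv4 address of an interface (needs iproute2); empty if none.
iface_addr() {
    ip -4 -o addr show dev "$1" 2>/dev/null |
        awk '{ split($4, a, "/"); print a[1]; exit }'
}

# Pick the rule: SNAT when the external address is static and known,
# MASQUERADE when the interface is assigned a different address per connect.
choose_rule() {
    iface=$1
    static_addr=$2
    if [ -n "$static_addr" ]; then
        snat_rule "$iface" "$static_addr"
    else
        masq_rule "$iface"
    fi
}

# True when an existing SNAT --to-source still equals the interface's live
# address. If the uplink got a new address, translated packets would leave
# with a source the box no longer owns, which is the case MASQUERADE avoids.
snat_matches_iface() {
    [ "$(iface_addr "$1")" = "$2" ]
}

# Usage with constructed values: a static uplink and a dynamic one.
choose_rule eth0 203.0.113.5
choose_rule ppp0 ""
```

After loading an SNAT rule, `snat_matches_iface eth0 203.0.113.5` gives a quick way to notice the address drift the reply warns about; for a MASQUERADE rule that check is unnecessary because the address is read from the interface on each translation.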