Meanings of SNAT, DNAT and masquerade in iptables
2022-07-02 17:20:00 【Full stack programmer webmaster】
iptables can flexibly perform many kinds of network address translation (NAT). There are two main types: SNAT and DNAT.
SNAT is short for source network address translation. For example, several PCs share an Internet connection through an ADSL router, and each PC is configured with an intranet IP. When a PC accesses the external network, the router replaces the source address in the packet header with the router's IP. When an external server, such as a website's web server, receives the request, its log records the router's IP address instead of the PC's intranet IP. This is because the "source address" in the header of the packet the server receives has already been replaced. Hence the name SNAT: address translation based on the source address.
DNAT is short for destination network address translation. A typical application: a web server is placed on the intranet and configured with an intranet IP, and a firewall in front of it is configured with the public IP. Visitors on the Internet use the public IP to reach the site. The client sends a packet whose destination address in the header is the firewall's public IP. The firewall rewrites the header once, changing the destination address to the web server's intranet IP, and then sends the packet to the intranet web server. In this way the packet passes through the firewall, and an access to the public IP becomes an access to the intranet address. This is DNAT: address translation based on the destination address.
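The header rewriting described above for SNAT and DNAT, as an added Python model (not iptables code and not from the original article). It also shows the step the text leaves implicit: replies are translated back from recorded connection state. The name NatGateway, the web server 10.8.0.20 and the 203.0.113.x hosts are constructed for illustration.

```python
# Toy model of NAT header rewriting (illustration only, not netfilter code).
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatGateway:  # hypothetical name
    def __init__(self, public_ip, inside_net, dnat_map):
        self.public_ip = public_ip                         # egress address
        self.inside_net = ipaddress.ip_network(inside_net)
        self.dnat_map = dnat_map     # {(public ip, port): (intranet ip, port)}
        self.conntrack = {}          # expected reply tuple -> original packet

    def forward(self, pkt):
        """Translate the first packet of a connection and record the mapping."""
        out = pkt
        target = self.dnat_map.get((pkt.dst, pkt.dport))
        if target:                                   # DNAT: rewrite destination
            out = replace(pkt, dst=target[0], dport=target[1])
        elif ipaddress.ip_address(pkt.src) in self.inside_net:
            out = replace(pkt, src=self.public_ip)   # SNAT: rewrite source
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reply(self, pkt):
        """Reverse the translation for a reply; None means no state, drop."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)

# Constructed addresses: 10.8.0.0/24 and 192.168.5.3 follow the article's rules,
# 10.8.0.20 (web server) and 203.0.113.x (outside hosts) are made up.
GW = NatGateway("192.168.5.3", "10.8.0.0/255.255.255.0",
                {("192.168.5.3", 80): ("10.8.0.20", 8080)})

if __name__ == "__main__":
    print(GW.forward(Packet("10.8.0.7", 40000, "203.0.113.80", 80)))    # SNAT
    print(GW.forward(Packet("203.0.113.9", 51000, "192.168.5.3", 80)))  # DNAT
```

A packet from outside that matches no recorded connection and no DNAT entry gets `None` from `reply`, which is why an intranet host behind SNAT is not directly reachable from the Internet.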
MASQUERADE, address masquerading, is a special case of SNAT that performs SNAT automatically.
In iptables it has an effect similar to SNAT, but there are some differences. When using SNAT, the egress IP can be a single address or several addresses, for example:
The following command SNATs all packets from the 10.8.0.0 network segment to the IP 192.168.5.3 before sending them out:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.5.3
The following command SNATs all packets from the 10.8.0.0 network segment to one of several IPs, 192.168.5.3/192.168.5.4/192.168.5.5, before sending them out:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 192.168.5.3-192.168.5.5
That is how SNAT is used: you can NAT to one address or to multiple addresses. However, with SNAT, no matter how many addresses there are, the SNAT IP must be specified explicitly. If the system uses ADSL dynamic dial-up, the egress IP 192.168.5.3 changes on every dial, and it can change a lot; the new address is not necessarily within the range 192.168.5.3 to 192.168.5.5. Configuring iptables this way then causes problems: the server's address changes after every dial, but the IP in the iptables rules does not change automatically. Every time the address changes you have to edit the rules by hand and replace the fixed IP with the new one, which is very inconvenient.
MASQUERADE is designed for this scenario. It automatically obtains the current IP address from the server's network interface and uses it for NAT.
For example, the command below:
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
With this configuration there is no need to specify the SNAT target IP. Whatever dynamic IP eth0 currently has, MASQUERADE automatically reads eth0's current IP address and SNATs the packets out with it, which gives a working dynamic SNAT.
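A check for the failure described above (a fixed --to-source that the interface no longer holds), as an added Python example that is not code from the article or from iptables. The rule dump and interface addresses are constructed, and in practice would come from `iptables-save -t nat` and `ip -4 addr`. It assumes every SNAT address is meant to be configured on the outgoing interface.

```python
# Added example: flag SNAT rules whose --to-source is not on the -o interface.
import ipaddress
import shlex

# Constructed sample in iptables-save format (10.9/10.10 subnets are made up).
SAMPLE_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.5.3
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j SNAT --to-source 192.168.5.3-192.168.5.5
-A POSTROUTING -s 10.10.0.0/24 -o ppp0 -j MASQUERADE
COMMIT
"""

def snat_addresses(spec):
    """Expand a --to-source value: one address or an a-b range, optional :ports."""
    addr_part = spec.split(":")[0]
    first, _, last = addr_part.partition("-")
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last or first)
    return [ipaddress.ip_address(n) for n in range(int(lo), int(hi) + 1)]

def stale_snat_rules(rules_text, iface_addrs):
    """Return (rule, missing addresses) for SNAT rules naming unassigned IPs."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "POSTROUTING"] or "SNAT" not in tok:
            continue  # MASQUERADE rules carry no fixed address to go stale
        if "-o" not in tok or "--to-source" not in tok:
            continue
        iface = tok[tok.index("-o") + 1]
        wanted = snat_addresses(tok[tok.index("--to-source") + 1])
        assigned = {ipaddress.ip_address(a) for a in iface_addrs.get(iface, [])}
        missing = [str(a) for a in wanted if a not in assigned]
        if missing:
            findings.append((line, missing))
    return findings

if __name__ == "__main__":
    # Constructed state after a redial: eth0 now holds 192.168.5.9.
    for rule, missing in stale_snat_rules(SAMPLE_RULES, {"eth0": ["192.168.5.9"]}):
        print("stale:", missing, "in", rule)
```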
Publisher: Full stack programmer stack length. Reprint please indicate the source: https://javaforall.cn/148098.html Link to the original text: https://javaforall.cn