Differences between MASQ and SNAT ...
Henrik Nordstrom
hno@marasystems.com
Wed, 11 Jul 2001 19:38:42 +0200
Nevo Hed wrote:
> I noticed that the MASQ target is almost the same as SNAT
> but you do not need to specify addresses for the translation
> the man page said that it's only for dialup style connections.
MASQ is intended for where your outgoing interface may change from time to
time. Not specific to dial-up but also applies to any other type of
connection with temporary IP addresses.
> Since my connection is not a dialup is there a way to specify a SNAT
> target
> without specifying the address (i.e. choose automatically the address
> of the egress interface)?
Nope. You must know the address. The main difference between MASQ and
SNAT is that MASQ automatically kills old sessions when the interface goes
down, from the assumption that you do not want these to be kept in a dial-up
environment.
As SNAT is POSTROUTING, you always have the output interface available, so
there is no problem selecting the correct IP based on which interface the
packet is sent via.
> On a similar note .. as I was experimenting with the above I replaced a
> SNAT
> rule with a MASQ rule and things didn't work until I restarted the
> firewall
Should not be needed, at least not for TCP. Any new connections should be
SNAT:ed after you have inserted the rule. If not then there is a bug.
Any already existing connections won't be SNAT:ed. This is per design of
netfilter NAT.
> is there a way to flush SOME of the conntrack entries?
See ctnetlink in patch-o-matic..
--
Henrik Nordstrom
MARA Systems
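The two POSTROUTING rule forms discussed above, as an added example that is not part of the original message. SNAT needs the address spelled out, so the script reads it off the egress interface the way an admin would (parsing `ip -4 -o addr show dev <iface>`), then emits the equivalent MASQUERADE rule that leaves the address to the kernel. The interface name, the address and the sample `ip` output line are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Interface "eth0" and address 192.0.2.10 are hypothetical.

# Constructed sample of what `ip -4 -o addr show dev eth0` prints
# (one line per address; the backslash is part of the -o format).
SAMPLE_IP_OUTPUT='2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever'

# Pull the first IPv4 address (without prefix length) out of that output.
# The text is passed in rather than run here so this works without root
# or a real interface.
first_ipv4_from_ip_output() {
    printf '%s\n' "$1" | awk '$3 == "inet" { sub("/.*", "", $4); print $4; exit }'
}

# SNAT: the translation address must be given explicitly with --to-source.
snat_rule() {
    iface=$1
    addr=$2
    printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' "$iface" "$addr"
}

# MASQUERADE: no address; the kernel uses the outgoing interface's current
# address and drops the related conntrack entries when that interface goes down.
masq_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$1"
}

# Demo against the constructed sample (prints the commands, does not apply them).
# On a live box you would use:
#   ADDR=$(first_ipv4_from_ip_output "$(ip -4 -o addr show dev eth0)")
ADDR=$(first_ipv4_from_ip_output "$SAMPLE_IP_OUTPUT")
snat_rule eth0 "$ADDR"
masq_rule eth0
```

Either rule only affects connections that are new to conntrack after it is inserted; flows already in the table keep their old mapping, which matches the behaviour described above. The ctnetlink interface Henrik points to later became part of mainline netfilter and is what conntrack-tools' `conntrack -D` uses to delete selected entries instead of restarting the whole firewall.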