How to NAT and what is the difference between NAT and Masquerade?
Jose Celestino
japc@co.sapo.pt
Fri, 20 Jul 2001 13:18:20 +0100
Thus spake linux_netfilter, on Fri, Jul 20, 2001 at 07:32:07PM +0800:
> Hi!
> I have some questions about NAT & Masquerade.
> 1: Are they the same?
> 2: The environment is as below:
>                          +------+
>                         /|pc2   |192.168.0.2
>      eth0 +------+eth1 / +------+
> <=========|PC1   |-------\
>    1.1.1.1|      |192.168 \+------+
>           +------+ .0.1    |pc3   |192.168.0.3
>                            +------+
>
> There is a Linux OS on pc1 which has iptables installed. Now I
> want to make a NAT (Masquerade). Here are the steps (only I think):
>
> step1: configure the gateway of both pc2,pc to point to 192.168.0.1;
> step2: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.1.1.1
>
Yep basically, and don't forget the
echo "1" > /proc/sys/net/ipv4/ip_forward
or your packets won't be forwarded between interfaces and the Source NAT
won't work.
> Here are some questions too. The above rule is from the nat-howto, but I
> suspect I can't really understand the howto perhaps, because the
> default gateway is eth1 but "-o eth0" there.
The -o specifies the interface from which the packets get out when
they traverse the nat table, in this case eth0.
> Need I add a route on
> eth0 so as to let eth0 point to eth1?
Nop, routing between interfaces on a dual homed machine should be
transparent.
> But how does eth0 know which packets
> need NAT? Only according to the difference of the IP addresses of the packets?
>
It is not eth0 who does the nat, eth0 is only a network interface. The
nat is done by the kernel and he knows what to nat because you told him,
"iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.1.1.1", nat
everything that passes POSTROUTING. As all packets going out are SNATed
(because you haven't specified any -s, -d, etc).
> step3: add routes so that eth0--->eth1 (for internal ip) eth1-->eth0 (for
> external ip).
>
There's no need to do this.
> Any answer is appreciated. Or please give me a set of rules for the
> environment above and let me think by myself.
> linux_netfilter
> linux_netfilter@sina.com
>
Think.
--
Jose Celestino <japc@co.sapo.pt>
---------------------------------
Systems Administration - PT Multimedia - SAPO
** http://www.sapo.pt
Repeated reboots of the system failed to solve problem.
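The reply notes that the posted rule carries no -s or -d match. As an added example that is not part of the original message, the script below prints a rule set for the same topology with the NAT rule scoped to the internal network, using SNAT for a fixed address or MASQUERADE when the external address is dynamic. The function names, the /24 netmask, the FORWARD rules and the `dynamic` keyword are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): prints, without running, a gateway rule set.
# Assumed here, not stated in the thread: the /24 mask, the FORWARD rules, "dynamic".

is_ipv4() {                      # dotted quad, every octet 0-255
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

is_cidr() {                      # a.b.c.d/len with len 0-32
    case "$1" in */*) ;; *) return 1 ;; esac
    is_ipv4 "${1%/*}" || return 1
    case "${1#*/}" in ''|*[!0-9]*) return 1 ;; esac
    [ "${1#*/}" -le 32 ]
}

gateway_rules() {                # args: ext_if int_if int_net ext_ip|dynamic
    ext_if=$1 int_if=$2 int_net=$3 ext_ip=$4
    # Arguments end up in commands meant for a root shell, so validate them.
    case "$ext_if$int_if" in *[!A-Za-z0-9._-]*) echo "bad interface" >&2; return 1 ;; esac
    [ -n "$ext_if" ] && [ -n "$int_if" ] && [ "$ext_if" != "$int_if" ] ||
        { echo "need two different interfaces" >&2; return 1; }
    is_cidr "$int_net" || { echo "bad internal network" >&2; return 1; }
    if [ "$ext_ip" = dynamic ]; then
        target="MASQUERADE"                   # uses whatever address ext_if has now
    elif is_ipv4 "$ext_ip"; then
        target="SNAT --to-source $ext_ip"     # long form of the thread's --to
    else
        echo "bad external address" >&2; return 1
    fi
    # Filter rules come first; forwarding is switched on last.
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $int_if -o $ext_if -s $int_net -j ACCEPT
iptables -A FORWARD -i $ext_if -o $int_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $ext_if -s $int_net -j $target
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# The topology from the thread: eth0 = 1.1.1.1 outside, eth1 = 192.168.0.1 inside.
gateway_rules eth0 eth1 192.168.0.0/24 1.1.1.1
```

Review the printed commands before running them as root on the gateway.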