I am confused: what's the actual difference between SNAT and Masquerade?
If I want to share my internet connection on a local network, should I select SNAT or Masquerade?
Answers:
Method 1
The SNAT target requires you to give it an IP address to apply to all the outgoing packets. The MASQUERADE target lets you give it an interface, and whatever address is on that interface is the address that is applied to all the outgoing packets. In addition, with SNAT, the kernel’s connection tracking keeps track of all the connections when the interface is taken down and brought back up; the same is not true for the MASQUERADE target.
Good documents include the HOWTOs on the Netfilter site and the iptables man page.
Method 2
SNAT and MASQUERADE do the same source NAT thingy in the nat table within the POSTROUTING chain.
Differences
- MASQUERADE does NOT require --to-source, as it was made to work with dynamically assigned IPs.
- SNAT works ONLY with static IPs; that's why it requires --to-source.
- MASQUERADE incurs extra overhead and is slower than SNAT, because each time the MASQUERADE target gets hit by a packet it has to check for the IP address to use.
NOTE: A typical use case for MASQUERADE: an AWS EC2 instance in a VPC. It has a private IP within the VPC CIDR (e.g. 10.10.1.0/24), 10.10.1.100 for example; it also has a public IP associated with it so as to communicate with the Internet (assume it is in a public subnet), through which the private IP does 1:1 NAT (AWS Network Infrastructure magic). The public IP may change after instance power cycles (stop then start) if it is NOT an EIP, so MASQUERADE is a better option in this use case.
Important: It is still possible to use MASQUERADE target with static IP, just be aware of the extra overhead.
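The rule shapes that Method 1 and Method 2 describe, side by side, as an added example that is not code from any of the answers above. The interface names (WAN eth0, LAN eth1), the LAN subnet 192.168.1.0/24 and the two `ip -4 addr show` snapshots are all constructed; the script assumes that iproute2 marks addresses installed with a lifetime (as DHCP clients do) with the word "dynamic", and uses that to choose between SNAT with an explicit --to-source and MASQUERADE. Nothing is applied unless APPLY=1; by default it only prints the rules it would run.

```shell
#!/bin/sh
# Added example (not from the original answers). Constructed names:
# WAN interface eth0, LAN interface eth1, LAN subnet 192.168.1.0/24.

LAN_NET="192.168.1.0/24"

# Pick the NAT target from a snapshot of `ip -4 addr show dev <wan>` output.
# Assumption: iproute2 prints "dynamic" for addresses that carry a lifetime
# (DHCP-assigned); a static address shows "valid_lft forever" and no flag.
# SNAT needs the address up front, MASQUERADE looks it up per packet.
nat_target() {
  ip_output="$1"
  addr=$(printf '%s\n' "$ip_output" | awk '/inet /{sub("/.*","",$2); print $2; exit}')
  if printf '%s\n' "$ip_output" | grep -q 'dynamic'; then
    echo "MASQUERADE"
  else
    echo "SNAT --to-source $addr"
  fi
}

# Full rule set for sharing the WAN link with the LAN. The POSTROUTING rule is
# the one the answers discuss; it is limited to the LAN subnet so the router
# does not translate traffic it never meant to forward. The FORWARD rules only
# let the LAN open connections outward and let replies come back.
nat_rules() {
  wan="$1"; lan="$2"; target="$3"
  cat <<EOF
iptables -t nat -A POSTROUTING -s $LAN_NET -o $wan -j $target
iptables -A FORWARD -i $lan -o $wan -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -j DROP
EOF
}

# Constructed snapshots of `ip -4 addr show dev eth0` for the two cases.
STATIC_SNAPSHOT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.8.2/24 brd 192.168.8.255 scope global eth0
       valid_lft forever preferred_lft forever'
DHCP_SNAPSHOT='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 10.10.1.100/24 brd 10.10.1.255 scope global dynamic eth0
       valid_lft 3123sec preferred_lft 3123sec'

if [ "${APPLY:-0}" = "1" ]; then
  # Live run (needs root): read the real WAN state and execute the rules.
  target=$(nat_target "$(ip -4 addr show dev eth0)")
  nat_rules eth0 eth1 "$target" | sh
else
  echo "# static WAN address:"; nat_rules eth0 eth1 "$(nat_target "$STATIC_SNAPSHOT")"
  echo "# DHCP WAN address:";   nat_rules eth0 eth1 "$(nat_target "$DHCP_SNAPSHOT")"
fi
```

Run it without APPLY to see both variants printed; with APPLY=1 it reads the real interface and installs the rules. Forwarding itself still has to be enabled with `sysctl -w net.ipv4.ip_forward=1`, and if the WAN address later changes, only the MASQUERADE variant keeps working without the rule being rewritten.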
Method 3
Short answer: use SNAT
Explanation: I just tried removing the masquerade rule on my raspbian router (which speaks to another router via eth0, where the interface's IP address is 192.168.8.2 and is static) and the internet sharing continued to work. The commands I tried were:
iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.8.2
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.