More than one of our docs issues revolve around some confusion between "IP masquerading" and "SNAT" -- a confusion I might share, or if contagious, I may be catching. <g>

I think of SNAT more or less as a special case of IP masquerading, applicable when, for example, the external interface has multiple IP's and you choose to _explicitly_ set the address through which internal clients will appear (from Internet servers) to be coming. On the other hand, IP masquerading is a general, non-differentiated, non-specific mapping, being essentially "hide me behind that external interface X, whatever address it might be using."

Is there a different or more significant distinction between these terms in the Shorewall/iptables universe that I'm missing?

TIA
On Wed, 5 Jun 2002, Ron Shannon wrote:

> More than one of our docs issues revolve around some confusion between
> "IP masquerading" and "SNAT" -- a confusion I might share, or if
> contagious, I may be catching. <g>
>
> I think of SNAT more or less as a special case of IP masquerading,
> applicable when, for example, the external interface has multiple IP's
> and you choose to _explicitly_ set the address through which internal
> clients will appear (from Internet servers) to be coming. On the other
> hand, IP masquerading is a general, non-differentiated, non-specific
> mapping, being essentially "hide me behind that external interface X,
> whatever address it might be using,"
>

I would say that masquerading is a special case of SNAT where the system determines the source IP address to use. You can use straight SNAT any time that you have _one or more_ static external IP addresses. When you have a single dynamic external IP address, you must use Masquerading.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
> I would say that masquerading is a special case of SNAT where
> the system
> determines the source IP address to use. You can use straight SNAT any
> time that you have _one or more_ static external IP
> addresses. When you
> have a single dynamic external IP address, you must use Masquerading.
>
> -Tom

Would it also be correct to say that SNAT may be implemented in both many-to-one and one-to-one translation situations, in other words, with one or many internal hosts within the scope of the rule?

Ron
On Wed, 5 Jun 2002, Ron Shannon wrote:

> > I would say that masquerading is a special case of SNAT where
> > the system
> > determines the source IP address to use. You can use straight SNAT any
> > time that you have _one or more_ static external IP
> > addresses. When you
> > have a single dynamic external IP address, you must use Masquerading.
> >
> > -Tom
>
> Would it also be correct to say that SNAT may be implemented in both many-to-one and one-to-one translation situations, in other words, with one or many internal hosts within the scope of the rule?
>

Yes.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
> > Would it also be correct to say that SNAT may be
> implemented in both many-to-one and one-to-one translation
> situations, in other words, with one or many internal hosts
> within the scope of the rule?
> >
>
> Yes.
>
> -Tom

Hurray! Then I'm still on the same planet... at least for this terminology. :-)
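
The three cases the thread settles on (masquerading for a dynamic external address, SNAT many-to-one, SNAT one-to-one), as an added example that is not part of the original messages: a small shell helper that prints the matching plain iptables rule without running it. The function name `nat_rule`, the interface name and all addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: prints (does not execute) the iptables nat rule for each
# case discussed in the thread. nat_rule is a hypothetical helper; eth0 and
# the RFC 1918 / RFC 5737 addresses below are constructed sample values.

# nat_rule OUT_IFACE SOURCE [EXTERNAL_ADDR]
#   SOURCE         internal host or network within the scope of the rule
#   EXTERNAL_ADDR  static external address (or addr-addr range);
#                  omit it when the external address is dynamic
nat_rule() {
    out_if=${1:-} src=${2:-} ext=${3:-}
    if [ -z "$out_if" ] || [ -z "$src" ]; then
        echo "usage: nat_rule OUT_IFACE SOURCE [EXTERNAL_ADDR]" >&2
        return 2
    fi
    if [ -z "$ext" ]; then
        # Dynamic external address: the system determines the source
        # address from whatever OUT_IFACE currently holds.
        echo "iptables -t nat -A POSTROUTING -o $out_if -s $src -j MASQUERADE"
        return 0
    fi
    # A static address must look like an IPv4 address or range; this
    # catches an interface name passed in the address position.
    case $ext in
        *[!0-9.-]*)
            echo "nat_rule: '$ext' is not an IPv4 address or range" >&2
            return 2 ;;
    esac
    echo "iptables -t nat -A POSTROUTING -o $out_if -s $src -j SNAT --to-source $ext"
}

# Single dynamic external address: masquerade the whole internal network.
nat_rule eth0 192.168.1.0/24
# Static external address, many-to-one: the network shares one address.
nat_rule eth0 192.168.1.0/24 203.0.113.5
# Static external address, one-to-one: one host gets its own address.
nat_rule eth0 192.168.1.10 203.0.113.10
```

The only difference between the many-to-one and one-to-one SNAT rules is how many internal hosts the `-s` match covers.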