69

What is the difference between a Source NAT, Destination NAT and Masquerading?

For example, I thought IP Masquerading was what they used to call it in Linux? But what confuses me is that in our Astaro firewall there is IP Masquerading as well as NAT options. What's the difference between all these?

Zoredache
hookenz
  • In case you are wondering for Sophos the precedence is DNAT, SNAT, Masquerading – lmf Jan 09 '15 at 10:26

1 Answer

102

Source NAT changes the source address in the IP header of a packet. It may also change the source port in the TCP/UDP headers. The typical usage is to change a private (RFC 1918) address/port into a public address/port for packets leaving your network.

Destination NAT changes the destination address in the IP header of a packet. It may also change the destination port in the TCP/UDP headers. The typical usage of this is to redirect incoming packets with a destination of a public address/port to a private IP address/port inside your network.

Masquerading is a special form of Source NAT where the source address is unknown at the time the rule is added to the tables in the kernel. If you want to allow hosts with private addresses behind your firewall to access the Internet and the external address is variable (DHCP), this is what you need to use. Masquerading will modify the source IP address and port of the packet to be the primary IP address assigned to the outgoing interface. If your outgoing interface has an address that is static, then you don't need to use MASQ and can use SNAT, which will be a little faster since it doesn't need to figure out what the external IP is every time.

Zoredache
  • Thanks, that explains it very well. So source nat and probably masquerading too is equivalent to the nat keyword in freebsd's ipf while destination nat is equivalent to the rdr keyword in ipf. – hookenz Mar 07 '10 at 20:20
  • Just found out that for freebsd, masquerading is handled by a rule like map ppp0 10.0.0.0/8 -> 0/32 (where the 0/32 indicates a dynamic ip). – hookenz Mar 07 '10 at 20:30
  • Perfect answer, thanks, it is not too long but really complete. – elbarna May 07 '20 at 23:59
  • So the Source NAT, Destination NAT are indeed different from Static NAT and Dynamic NAT – OK999 May 20 '20 at 18:29
  • 10 years later. This is an awesome clear answer. – Michael Aug 15 '20 at 17:30