A little doubt about MASQUERADE and SNAT/DNAT

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












I know what SNAT and DNAT means.
And I know when I want to config a local net server open service to internet, I should use:



  • SNAT to help to change the packets coming from local net server to the router's address.

  • DNAT to help to change the packets coming from internet to the local net ip of the server

But when we share network using MASQUERADE, we don't need to config the DNAT for these packets coming from internet. Some articles says the MASQUERADE is the same as SNAT except for auto find router's external ip.But why MASQUERADE doesn't need the DNAT configuration? And suppose MASUQERADE can do these thing for us, why iptables doesn't auto set SNAT for us when we set DNAT?



Edit



I just have a new question. Suppose two user in the local net browsing the same web page, and the clients ports that they opened is the same. When the web page server response packages to the router, how does the router know the packages is belonged to which user?







share|improve this question






















  • You seem to assume snat is on the lan side and dnat on the wan (internet) side, but no, it means the [s]ource side and the [d]estination side. Packets coming from your internal server should be snated to the outward wan ip (the router's internet ip) to then communicate with internet hosts (clients or servers), and packets coming from internet (clients or servers) will be snated to the router's lan ip to then communicate with hosts on your lan (such as your internal server). Dnat is more rarely used.
    – Olivier Dulac
    Dec 15 '17 at 23:11











  • When you masquerade, the router masquerades as your internal server, so packets trying to reach the server just needs to reach the router's ip (without msaquerading, the internet send things to the router ip and the router then dnat to the appropriate internet server)
    – Olivier Dulac
    Dec 15 '17 at 23:15














up vote
1
down vote

favorite












I know what SNAT and DNAT means.
And I know when I want to config a local net server open service to internet, I should use:



  • SNAT to help to change the packets coming from local net server to the router's address.

  • DNAT to help to change the packets coming from internet to the local net ip of the server

But when we share network using MASQUERADE, we don't need to config the DNAT for these packets coming from internet. Some articles says the MASQUERADE is the same as SNAT except for auto find router's external ip.But why MASQUERADE doesn't need the DNAT configuration? And suppose MASUQERADE can do these thing for us, why iptables doesn't auto set SNAT for us when we set DNAT?



Edit



I just have a new question. Suppose two user in the local net browsing the same web page, and the clients ports that they opened is the same. When the web page server response packages to the router, how does the router know the packages is belonged to which user?







share|improve this question






















  • You seem to assume snat is on the lan side and dnat on the wan (internet) side, but no, it means the [s]ource side and the [d]estination side. Packets coming from your internal server should be snated to the outward wan ip (the router's internet ip) to then communicate with internet hosts (clients or servers), and packets coming from internet (clients or servers) will be snated to the router's lan ip to then communicate with hosts on your lan (such as your internal server). Dnat is more rarely used.
    – Olivier Dulac
    Dec 15 '17 at 23:11











  • When you masquerade, the router masquerades as your internal server, so packets trying to reach the server just needs to reach the router's ip (without msaquerading, the internet send things to the router ip and the router then dnat to the appropriate internet server)
    – Olivier Dulac
    Dec 15 '17 at 23:15












up vote
1
down vote

favorite









up vote
1
down vote

favorite











I know what SNAT and DNAT means.
And I know when I want to config a local net server open service to internet, I should use:



  • SNAT to help to change the packets coming from local net server to the router's address.

  • DNAT to help to change the packets coming from internet to the local net ip of the server

But when we share network using MASQUERADE, we don't need to config the DNAT for these packets coming from internet. Some articles says the MASQUERADE is the same as SNAT except for auto find router's external ip.But why MASQUERADE doesn't need the DNAT configuration? And suppose MASUQERADE can do these thing for us, why iptables doesn't auto set SNAT for us when we set DNAT?



Edit



I just have a new question. Suppose two user in the local net browsing the same web page, and the clients ports that they opened is the same. When the web page server response packages to the router, how does the router know the packages is belonged to which user?







share|improve this question














I know what SNAT and DNAT means.
And I know when I want to config a local net server open service to internet, I should use:



  • SNAT to help to change the packets coming from local net server to the router's address.

  • DNAT to help to change the packets coming from internet to the local net ip of the server

But when we share network using MASQUERADE, we don't need to config the DNAT for these packets coming from internet. Some articles says the MASQUERADE is the same as SNAT except for auto find router's external ip.But why MASQUERADE doesn't need the DNAT configuration? And suppose MASUQERADE can do these thing for us, why iptables doesn't auto set SNAT for us when we set DNAT?



Edit



I just have a new question. Suppose two user in the local net browsing the same web page, and the clients ports that they opened is the same. When the web page server response packages to the router, how does the router know the packages is belonged to which user?









share|improve this question













share|improve this question




share|improve this question








edited Dec 15 '17 at 9:42

























asked Dec 15 '17 at 7:11









Frio

84




84











  • You seem to assume snat is on the lan side and dnat on the wan (internet) side, but no, it means the [s]ource side and the [d]estination side. Packets coming from your internal server should be snated to the outward wan ip (the router's internet ip) to then communicate with internet hosts (clients or servers), and packets coming from internet (clients or servers) will be snated to the router's lan ip to then communicate with hosts on your lan (such as your internal server). Dnat is more rarely used.
    – Olivier Dulac
    Dec 15 '17 at 23:11











  • When you masquerade, the router masquerades as your internal server, so packets trying to reach the server just needs to reach the router's ip (without msaquerading, the internet send things to the router ip and the router then dnat to the appropriate internet server)
    – Olivier Dulac
    Dec 15 '17 at 23:15
















  • You seem to assume snat is on the lan side and dnat on the wan (internet) side, but no, it means the [s]ource side and the [d]estination side. Packets coming from your internal server should be snated to the outward wan ip (the router's internet ip) to then communicate with internet hosts (clients or servers), and packets coming from internet (clients or servers) will be snated to the router's lan ip to then communicate with hosts on your lan (such as your internal server). Dnat is more rarely used.
    – Olivier Dulac
    Dec 15 '17 at 23:11











  • When you masquerade, the router masquerades as your internal server, so packets trying to reach the server just needs to reach the router's ip (without msaquerading, the internet send things to the router ip and the router then dnat to the appropriate internet server)
    – Olivier Dulac
    Dec 15 '17 at 23:15















You seem to assume snat is on the lan side and dnat on the wan (internet) side, but no, it means the [s]ource side and the [d]estination side. Packets coming from your internal server should be snated to the outward wan ip (the router's internet ip) to then communicate with internet hosts (clients or servers), and packets coming from internet (clients or servers) will be snated to the router's lan ip to then communicate with hosts on your lan (such as your internal server). Dnat is more rarely used.
– Olivier Dulac
Dec 15 '17 at 23:11





You seem to assume snat is on the lan side and dnat on the wan (internet) side, but no, it means the [s]ource side and the [d]estination side. Packets coming from your internal server should be snated to the outward wan ip (the router's internet ip) to then communicate with internet hosts (clients or servers), and packets coming from internet (clients or servers) will be snated to the router's lan ip to then communicate with hosts on your lan (such as your internal server). Dnat is more rarely used.
– Olivier Dulac
Dec 15 '17 at 23:11













When you masquerade, the router masquerades as your internal server, so packets trying to reach the server just needs to reach the router's ip (without msaquerading, the internet send things to the router ip and the router then dnat to the appropriate internet server)
– Olivier Dulac
Dec 15 '17 at 23:15




When you masquerade, the router masquerades as your internal server, so packets trying to reach the server just needs to reach the router's ip (without msaquerading, the internet send things to the router ip and the router then dnat to the appropriate internet server)
– Olivier Dulac
Dec 15 '17 at 23:15










1 Answer
1






active

oldest

votes

















up vote
1
down vote



accepted










Both SNAT and DNAT do address translation both for incoming and outgoing packages, using the connection tracking (conntrack) facility of the kernel. So if the kernel detects that a packet in the reverse direction belongs to a NATed connection, it will do the reverse translation automatically, without a special rule for it.



That's why e.g. a single SNAT rule is enough (though it doesn't hurt if you have a DNAT rule for the other direction).



And yes, MASQUERADE is basically SNAT with the address taken from the interface. To quote man iptables-extensions:




Masquerading is equivalent to specifying a mapping to the IP address of
the interface the packet is going out, but also has the effect that
connections are forgotten when the interface goes down.




BTW, I find it simpler to remember that SNAT = Source NAT (changes the source address of the packet), and DNAT = Destination NAT (changes the destination address of the packet).



Edit



(Normally, you should ask new questions as a separate question).



netstat only shows connections between applications running on the local computer, and other hosts. It doesn't show the kernel connection tracking, you can find information about this in /proc (e.g. /proc/net/nf_conntrack) of with additional utilities from the conntrack package.



The networking layer doesn't know anything about "users". A connection consists of the source address, the source port, the destination address, and the destination port. That's all the networking layer knows about. It does NAT (Network Address Translation) by replacing the source/destination address, and also by replacing the destination/source (i.e., local) port number with some other number if that port is already in use.



So two users on different hosts with identical ports (on their machine) that are noth NATed will get different ports on the NATing host. Two users on the same machine will always use different local ports in the first place, so that is never a problem. The same if one user opens two connections at once.






share|improve this answer






















  • Thanks for your reply and the tips about how to remember SNAT/DNAT is verify helpful! I'm curious about how to capture the forward connections using netstat command, but when I do netstat -nat, I can't find anything for the forwarded connections,can you tell me how to achive this ?
    – Frio
    Dec 15 '17 at 8:07











  • I just have a new question. Suppose two user in the local net browsing the same web page, and the clients ports that they opened is the same. When the web page server response packages to the router, how does the router know the packages is belonged to which user?
    – Frio
    Dec 15 '17 at 8:38






  • 1




    @Frio The conntrack tool can be installed to report on the tracked connections and their states. conntrack isn't all NAT though so you would use options to report on those connections that are hitting the NAT rules.
    – Matt
    Dec 15 '17 at 8:51










  • Thank you verfy much for your reply!! I will have a try about this tool immediatly, it's very cool. Can you help to answer the second quesion in the comment please?
    – Frio
    Dec 15 '17 at 9:05










Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);








 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f410995%2fa-little-doubt-about-masquerade-and-snat-dnat%23new-answer', 'question_page');

);

Post as a guest






























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
1
down vote



accepted










Both SNAT and DNAT do address translation both for incoming and outgoing packages, using the connection tracking (conntrack) facility of the kernel. So if the kernel detects that a packet in the reverse direction belongs to a NATed connection, it will do the reverse translation automatically, without a special rule for it.



That's why e.g. a single SNAT rule is enough (though it doesn't hurt if you have a DNAT rule for the other direction).



And yes, MASQUERADE is basically SNAT with the address taken from the interface. To quote man iptables-extensions:




Masquerading is equivalent to specifying a mapping to the IP address of
the interface the packet is going out, but also has the effect that
connections are forgotten when the interface goes down.




BTW, I find it simpler to remember that SNAT = Source NAT (changes the source address of the packet), and DNAT = Destination NAT (changes the destination address of the packet).



Edit



(Normally, you should ask new questions as a separate question).



netstat only shows connections between applications running on the local computer, and other hosts. It doesn't show the kernel connection tracking, you can find information about this in /proc (e.g. /proc/net/nf_conntrack) of with additional utilities from the conntrack package.



The networking layer doesn't know anything about "users". A connection consists of the source address, the source port, the destination address, and the destination port. That's all the networking layer knows about. It does NAT (Network Address Translation) by replacing the source/destination address, and also by replacing the destination/source (i.e., local) port number with some other number if that port is already in use.



So two users on different hosts with identical ports (on their machine) that are noth NATed will get different ports on the NATing host. Two users on the same machine will always use different local ports in the first place, so that is never a problem. The same if one user opens two connections at once.






share|improve this answer






















  • Thanks for your reply and the tips about how to remember SNAT/DNAT is verify helpful! I'm curious about how to capture the forward connections using netstat command, but when I do netstat -nat, I can't find anything for the forwarded connections,can you tell me how to achive this ?
    – Frio
    Dec 15 '17 at 8:07











  • I just have a new question. Suppose two user in the local net browsing the same web page, and the clients ports that they opened is the same. When the web page server response packages to the router, how does the router know the packages is belonged to which user?
    – Frio
    Dec 15 '17 at 8:38






  • 1




    @Frio The conntrack tool can be installed to report on the tracked connections and their states. conntrack isn't all NAT though so you would use options to report on those connections that are hitting the NAT rules.
    – Matt
    Dec 15 '17 at 8:51










  • Thank you verfy much for your reply!! I will have a try about this tool immediatly, it's very cool. Can you help to answer the second quesion in the comment please?
    – Frio
    Dec 15 '17 at 9:05














up vote
1
down vote



accepted










Both SNAT and DNAT do address translation both for incoming and outgoing packages, using the connection tracking (conntrack) facility of the kernel. So if the kernel detects that a packet in the reverse direction belongs to a NATed connection, it will do the reverse translation automatically, without a special rule for it.



That's why e.g. a single SNAT rule is enough (though it doesn't hurt if you have a DNAT rule for the other direction).



And yes, MASQUERADE is basically SNAT with the address taken from the interface. To quote man iptables-extensions:




Masquerading is equivalent to specifying a mapping to the IP address of
the interface the packet is going out, but also has the effect that
connections are forgotten when the interface goes down.




BTW, I find it simpler to remember that SNAT = Source NAT (changes the source address of the packet), and DNAT = Destination NAT (changes the destination address of the packet).



Edit



(Normally, you should ask new questions as a separate question).



netstat only shows connections between applications running on the local computer, and other hosts. It doesn't show the kernel connection tracking, you can find information about this in /proc (e.g. /proc/net/nf_conntrack) of with additional utilities from the conntrack package.



The networking layer doesn't know anything about "users". A connection consists of the source address, the source port, the destination address, and the destination port. That's all the networking layer knows about. It does NAT (Network Address Translation) by replacing the source/destination address, and also by replacing the destination/source (i.e., local) port number with some other number if that port is already in use.



So two users on different hosts with identical ports (on their machine) that are noth NATed will get different ports on the NATing host. Two users on the same machine will always use different local ports in the first place, so that is never a problem. The same if one user opens two connections at once.






share|improve this answer






















  • Thanks for your reply and the tips about how to remember SNAT/DNAT is verify helpful! I'm curious about how to capture the forward connections using netstat command, but when I do netstat -nat, I can't find anything for the forwarded connections,can you tell me how to achive this ?
    – Frio
    Dec 15 '17 at 8:07











  • I just have a new question. Suppose two user in the local net browsing the same web page, and the clients ports that they opened is the same. When the web page server response packages to the router, how does the router know the packages is belonged to which user?
    – Frio
    Dec 15 '17 at 8:38






  • 1




    @Frio The conntrack tool can be installed to report on the tracked connections and their states. conntrack isn't all NAT though so you would use options to report on those connections that are hitting the NAT rules.
    – Matt
    Dec 15 '17 at 8:51










  • Thank you verfy much for your reply!! I will have a try about this tool immediatly, it's very cool. Can you help to answer the second quesion in the comment please?
    – Frio
    Dec 15 '17 at 9:05












up vote
1
down vote



accepted







up vote
1
down vote



accepted






Both SNAT and DNAT do address translation both for incoming and outgoing packages, using the connection tracking (conntrack) facility of the kernel. So if the kernel detects that a packet in the reverse direction belongs to a NATed connection, it will do the reverse translation automatically, without a special rule for it.



That's why e.g. a single SNAT rule is enough (though it doesn't hurt if you have a DNAT rule for the other direction).



And yes, MASQUERADE is basically SNAT with the address taken from the interface. To quote man iptables-extensions:




Masquerading is equivalent to specifying a mapping to the IP address of
the interface the packet is going out, but also has the effect that
connections are forgotten when the interface goes down.




BTW, I find it simpler to remember that SNAT = Source NAT (changes the source address of the packet), and DNAT = Destination NAT (changes the destination address of the packet).



Edit



(Normally, you should ask new questions as a separate question).



netstat only shows connections between applications running on the local computer, and other hosts. It doesn't show the kernel connection tracking, you can find information about this in /proc (e.g. /proc/net/nf_conntrack) of with additional utilities from the conntrack package.



The networking layer doesn't know anything about "users". A connection consists of the source address, the source port, the destination address, and the destination port. That's all the networking layer knows about. It does NAT (Network Address Translation) by replacing the source/destination address, and also by replacing the destination/source (i.e., local) port number with some other number if that port is already in use.



So two users on different hosts with identical ports (on their machine) that are noth NATed will get different ports on the NATing host. Two users on the same machine will always use different local ports in the first place, so that is never a problem. The same if one user opens two connections at once.






share|improve this answer














Both SNAT and DNAT do address translation both for incoming and outgoing packages, using the connection tracking (conntrack) facility of the kernel. So if the kernel detects that a packet in the reverse direction belongs to a NATed connection, it will do the reverse translation automatically, without a special rule for it.



That's why e.g. a single SNAT rule is enough (though it doesn't hurt if you have a DNAT rule for the other direction).



And yes, MASQUERADE is basically SNAT with the address taken from the interface. To quote man iptables-extensions:




Masquerading is equivalent to specifying a mapping to the IP address of
the interface the packet is going out, but also has the effect that
connections are forgotten when the interface goes down.




BTW, I find it simpler to remember that SNAT = Source NAT (changes the source address of the packet), and DNAT = Destination NAT (changes the destination address of the packet).



Edit



(Normally, you should ask new questions as a separate question).



netstat only shows connections between applications running on the local computer, and other hosts. It doesn't show the kernel connection tracking, you can find information about this in /proc (e.g. /proc/net/nf_conntrack) of with additional utilities from the conntrack package.



The networking layer doesn't know anything about "users". A connection consists of the source address, the source port, the destination address, and the destination port. That's all the networking layer knows about. It does NAT (Network Address Translation) by replacing the source/destination address, and also by replacing the destination/source (i.e., local) port number with some other number if that port is already in use.



So two users on different hosts with identical ports (on their machine) that are noth NATed will get different ports on the NATing host. Two users on the same machine will always use different local ports in the first place, so that is never a problem. The same if one user opens two connections at once.







share|improve this answer














share|improve this answer



share|improve this answer








edited Dec 15 '17 at 9:34

























answered Dec 15 '17 at 7:43









dirkt

14.2k2931




14.2k2931











  • Thanks for your reply and the tips about how to remember SNAT/DNAT is verify helpful! I'm curious about how to capture the forward connections using netstat command, but when I do netstat -nat, I can't find anything for the forwarded connections,can you tell me how to achive this ?
    – Frio
    Dec 15 '17 at 8:07











  • I just have a new question. Suppose two user in the local net browsing the same web page, and the clients ports that they opened is the same. When the web page server response packages to the router, how does the router know the packages is belonged to which user?
    – Frio
    Dec 15 '17 at 8:38






  • 1




    @Frio The conntrack tool can be installed to report on the tracked connections and their states. conntrack isn't all NAT though so you would use options to report on those connections that are hitting the NAT rules.
    – Matt
    Dec 15 '17 at 8:51










  • Thank you verfy much for your reply!! I will have a try about this tool immediatly, it's very cool. Can you help to answer the second quesion in the comment please?
    – Frio
    Dec 15 '17 at 9:05
















  • Thanks for your reply and the tips about how to remember SNAT/DNAT is verify helpful! I'm curious about how to capture the forward connections using netstat command, but when I do netstat -nat, I can't find anything for the forwarded connections,can you tell me how to achive this ?
    – Frio
    Dec 15 '17 at 8:07











  • I just have a new question. Suppose two user in the local net browsing the same web page, and the clients ports that they opened is the same. When the web page server response packages to the router, how does the router know the packages is belonged to which user?
    – Frio
    Dec 15 '17 at 8:38






  • 1




    @Frio The conntrack tool can be installed to report on the tracked connections and their states. conntrack isn't all NAT though so you would use options to report on those connections that are hitting the NAT rules.
    – Matt
    Dec 15 '17 at 8:51










  • Thank you verfy much for your reply!! I will have a try about this tool immediatly, it's very cool. Can you help to answer the second quesion in the comment please?
    – Frio
    Dec 15 '17 at 9:05















Thanks for your reply and the tips about how to remember SNAT/DNAT is verify helpful! I'm curious about how to capture the forward connections using netstat command, but when I do netstat -nat, I can't find anything for the forwarded connections,can you tell me how to achive this ?
– Frio
Dec 15 '17 at 8:07





Thanks for your reply and the tips about how to remember SNAT/DNAT is verify helpful! I'm curious about how to capture the forward connections using netstat command, but when I do netstat -nat, I can't find anything for the forwarded connections,can you tell me how to achive this ?
– Frio
Dec 15 '17 at 8:07













I just have a new question. Suppose two user in the local net browsing the same web page, and the clients ports that they opened is the same. When the web page server response packages to the router, how does the router know the packages is belonged to which user?
– Frio
Dec 15 '17 at 8:38




I just have a new question. Suppose two user in the local net browsing the same web page, and the clients ports that they opened is the same. When the web page server response packages to the router, how does the router know the packages is belonged to which user?
– Frio
Dec 15 '17 at 8:38




1




1




@Frio The conntrack tool can be installed to report on the tracked connections and their states. conntrack isn't all NAT though so you would use options to report on those connections that are hitting the NAT rules.
– Matt
Dec 15 '17 at 8:51




@Frio The conntrack tool can be installed to report on the tracked connections and their states. conntrack isn't all NAT though so you would use options to report on those connections that are hitting the NAT rules.
– Matt
Dec 15 '17 at 8:51












Thank you verfy much for your reply!! I will have a try about this tool immediatly, it's very cool. Can you help to answer the second quesion in the comment please?
– Frio
Dec 15 '17 at 9:05




Thank you verfy much for your reply!! I will have a try about this tool immediatly, it's very cool. Can you help to answer the second quesion in the comment please?
– Frio
Dec 15 '17 at 9:05












 

draft saved


draft discarded


























 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f410995%2fa-little-doubt-about-masquerade-and-snat-dnat%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?