A little doubt about MASQUERADE and SNAT/DNAT

I know what SNAT and DNAT mean.
And I know that when I want to open a service on a local net server to the internet, I should use:

  • SNAT to change the packets coming from the local net server to the router's address.

  • DNAT to change the packets coming from the internet to the local net IP of the server.

But when we share the network using MASQUERADE, we don't need to configure DNAT for the packets coming from the internet. Some articles say MASQUERADE is the same as SNAT except that it automatically finds the router's external IP. But why doesn't MASQUERADE need the DNAT configuration? And if MASQUERADE can do this for us, why doesn't iptables automatically set SNAT for us when we set DNAT?

Edit

I just have a new question. Suppose two users on the local net are browsing the same web page, and the client ports they opened are the same. When the web server sends response packets to the router, how does the router know which user the packets belong to?







  • You seem to assume SNAT is on the LAN side and DNAT on the WAN (internet) side, but no, it means the [s]ource side and the [d]estination side. Packets coming from your internal server should be SNATed to the outward WAN IP (the router's internet IP) to then communicate with internet hosts (clients or servers), and packets coming from the internet (clients or servers) will be SNATed to the router's LAN IP to then communicate with hosts on your LAN (such as your internal server). DNAT is more rarely used.
    – Olivier Dulac
    Dec 15 '17 at 23:11

  • When you masquerade, the router masquerades as your internal server, so packets trying to reach the server just need to reach the router's IP (without masquerading, the internet sends things to the router IP and the router then DNATs to the appropriate internet server)
    – Olivier Dulac
    Dec 15 '17 at 23:15














edited Dec 15 '17 at 9:42
asked Dec 15 '17 at 7:11
Frio

1 Answer
Both SNAT and DNAT do address translation for both incoming and outgoing packets, using the connection tracking (conntrack) facility of the kernel. So if the kernel detects that a packet in the reverse direction belongs to a NATed connection, it will do the reverse translation automatically, without a special rule for it.

That's why e.g. a single SNAT rule is enough (though it doesn't hurt if you have a DNAT rule for the other direction).

And yes, MASQUERADE is basically SNAT with the address taken from the interface. To quote man iptables-extensions:

    Masquerading is equivalent to specifying a mapping to the IP address of
    the interface the packet is going out, but also has the effect that
    connections are forgotten when the interface goes down.

BTW, I find it simpler to remember that SNAT = Source NAT (changes the source address of the packet), and DNAT = Destination NAT (changes the destination address of the packet).

Edit

(Normally, you should ask new questions as a separate question.)

netstat only shows connections between applications running on the local computer and other hosts. It doesn't show the kernel connection tracking; you can find information about this in /proc (e.g. /proc/net/nf_conntrack) or with additional utilities from the conntrack package.

The networking layer doesn't know anything about "users". A connection consists of the source address, the source port, the destination address, and the destination port. That's all the networking layer knows about. It does NAT (Network Address Translation) by replacing the source/destination address, and also by replacing the destination/source (i.e., local) port number with some other number if that port is already in use.

So two users on different hosts with identical ports (on their machines) that are both NATed will get different ports on the NATing host. Two users on the same machine will always use different local ports in the first place, so that is never a problem. The same if one user opens two connections at once.






  • Thanks for your reply, and the tip about how to remember SNAT/DNAT is very helpful! I'm curious about how to capture the forwarded connections using the netstat command, but when I do netstat -nat, I can't find anything for the forwarded connections. Can you tell me how to achieve this?
    – Frio
    Dec 15 '17 at 8:07

  • I just have a new question. Suppose two users on the local net are browsing the same web page, and the client ports they opened are the same. When the web server sends response packets to the router, how does the router know which user the packets belong to?
    – Frio
    Dec 15 '17 at 8:38

  • @Frio The conntrack tool can be installed to report on the tracked connections and their states. conntrack isn't all NAT though, so you would use options to report on those connections that are hitting the NAT rules.
    – Matt
    Dec 15 '17 at 8:51

  • Thank you very much for your reply!! I will try this tool immediately; it's very cool. Can you help to answer the second question in the comment please?
    – Frio
    Dec 15 '17 at 9:05










edited Dec 15 '17 at 9:34
answered Dec 15 '17 at 7:43
dirkt
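As an added example that is not part of dirkt's answer or of iptables itself, here is a small Python model of what the answer describes: one conntrack entry created by the outgoing SNAT/MASQUERADE rewrite, the reply direction translated back by lookup rather than by a DNAT rule, and a different router-side port when two LAN hosts happen to use the same source port. The NatRouter class and all addresses and ports are constructed for the example, and the port-choice rule is a simplification of the kernel's.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Just the 4-tuple the answer says the network layer cares about."""
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Toy conntrack + NAT: one mapping per connection, looked up in both directions."""

    def __init__(self, wan_ip, port_range=(1024, 65536)):
        self.wan_ip = wan_ip            # MASQUERADE takes this from the egress interface
        self.port_range = port_range
        self.orig_to_nat = {}           # (src, sport, dst, dport) -> nat_port
        self.reply_to_orig = {}         # (dst, dport, nat_port) -> (src, sport)

    def _pick_port(self, pkt):
        # Keep the client's own port while the reply tuple stays unique;
        # otherwise choose another free port (simplified kernel behaviour).
        used = {p for (d, dp, p) in self.reply_to_orig if (d, dp) == (pkt.dst, pkt.dport)}
        if pkt.sport not in used:
            return pkt.sport
        for port in range(*self.port_range):
            if port not in used:
                return port
        raise RuntimeError("no free NAT port for this destination")

    def snat_outgoing(self, pkt):
        """LAN -> WAN: rewrite the source (the single SNAT/MASQUERADE rule)."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.orig_to_nat:           # new connection: create the conntrack entry
            nat_port = self._pick_port(pkt)
            self.orig_to_nat[key] = nat_port
            self.reply_to_orig[(pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.wan_ip, sport=self.orig_to_nat[key])

    def untranslate_reply(self, pkt):
        """WAN -> LAN: reverse translation found via conntrack, no DNAT rule involved.
        Returns None for packets that belong to no tracked connection."""
        if pkt.dst != self.wan_ip:
            return None
        orig = self.reply_to_orig.get((pkt.src, pkt.sport, pkt.dport))
        if orig is None:
            return None
        lan_ip, lan_port = orig
        return replace(pkt, dst=lan_ip, dport=lan_port)


ROUTER_WAN_IP = "203.0.113.1"          # constructed sample value
WEB_SERVER = ("198.51.100.10", 80)     # constructed sample value


def demo_two_clients_same_port():
    """Two LAN hosts both pick source port 40000 towards the same web server."""
    router = NatRouter(ROUTER_WAN_IP)
    a_out = router.snat_outgoing(Packet("192.168.1.10", 40000, *WEB_SERVER))
    b_out = router.snat_outgoing(Packet("192.168.1.11", 40000, *WEB_SERVER))
    # The server only ever sees (router ip, nat port) and replies to that.
    reply_a = router.untranslate_reply(Packet(*WEB_SERVER, a_out.src, a_out.sport))
    reply_b = router.untranslate_reply(Packet(*WEB_SERVER, b_out.src, b_out.sport))
    # An unsolicited packet to the router matches no conntrack entry.
    stray = router.untranslate_reply(Packet(*WEB_SERVER, ROUTER_WAN_IP, 5555))
    return a_out, b_out, reply_a, reply_b, stray


if __name__ == "__main__":
    for p in demo_two_clients_same_port():
        print(p)
```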
