Aug 18, 2011
tom

What is the difference between a Source NAT, Destination NAT and Masquerading?

Question

What is the difference between a Source NAT, Destination NAT and Masquerading?

For example, I thought IP Masqurading was what they used to call it in Linux?
But what confuses me is that in our Astaro firewall there is IP Masquarading as well as NAT options. What’s the difference between all these?

Answer

Source NAT changes the source address in IP header of a packet. It may also change the source port in the TCP/UDP headers. The typical usage is to change the a private (rfc1918) address/port into a public address/port for packets leaving your network.

Destination NAT changes the destination address in IP header of a packet. It may also change the destination port in the TCP/UDP headers.The typical usage of this is to redirect incoming packets with a destination of a public address/port to a private IP address/port inside your network.

Masquerading is a special form of Source NAT where the source address is unknown at the time the rule is added to the tables in the kernel. If you want to allow hosts with private address behind your firewall to access the Internet and the external address is variable (DHCP) this is what you need to use. Masquerading will modify the source IP address and port of the packet to be the primary IP address assigned to the outgoing interface. If your outgoing interface has a address that is static, then you don’t need to use MASQ and can use SNAT which will be a little faster since it doesn’t need to figure out what the external IP is every time.

Related posts:

  1. Linux IPTables Destination NAT with Asymmetrical Routing?
  2. What ‘exactly’ does NETfilter/iptables do when you enable forwarding and masquerading
  3. Does NAT change the source MAC address?
  4. Firewalls: What is the difference between Policy, NAT and Routes?
  5. Get source and destination of outbound traffic in pfSense

Leave a comment