3

A simple redirection is used on my server, with iptables rules:

$ iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 13.37.42.1:80

$ iptables -t nat -A POSTROUTING -j MASQUERADE

I don't understand the utility of the second line (masquerade). Why/what for is it useful in this example?

EDIT: Why - not theoretically, but IRL - would you use it in such an example?

Thanks

2
  • Are you sure there’s no interface specification on the MASQUERADE rule?
    – Daniel B
    Commented Jul 3, 2015 at 14:26
  • I don't understand them. I'd like to get pragmatic feedback from real users of it. Generally, why do you use it? ... Specs and docs have not helped me to understand anything but theory.
    – ArchiT3K
    Commented Jul 3, 2015 at 14:30

1 Answer

13

MASQUERADE does what the name suggests: It hides everything “behind” the host. You’d do that to supply Internet to multiple hosts when you only have one uplink IP address. This tech is used on most consumer-grade Internet access routers, dubbed “NAT”.

When host A contacts server S via MASQUERADEing router R, the server won’t be able to see the connection originates from host A. Instead, to the server it looks like it’s communicating with router R. Router R however knows this connection was originally from host A and will forward messages accordingly. Host A knows it connected to server S and that server S sent the response.

In IPTables, you’d usually use this only on the Internet-facing interface. Something like that:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Meaning that every IP packet that was routed and leaves through eth0 will get the treatment.

When used in your example, it looks to 13.37.42.1 (host S) as if your machine (henceforth host Y) initiated the connection. That means the response will reach host Y which forwards it to the real destination (host A). To host A, it will look as if the message came from host Y. It cannot see or know that host S actually sent it, because MASQUERADE works both ways here.

If you do not use this rule, host S will see a message that originated from host A. It will thus send the response directly to host A. Host A, however, does not know host S. It connected to host Y and expects a response from there. As such, the response from host S is treated as unsolicited traffic and discarded. The connection will time out.

2
  • Does MASQUERADE automatically use the conntrack module to track response packets? I see lots of tutorials not mentioning the usage of conntrack after adding the MASQUERADE target, but it seems the conntrack would have to be involved to deal with inverse-mapping the response packets. Furthermore, are new TCP connection packets from server S considered RELATED packets to the initial connection, or are they NEW packets instead and therefore would be blocked? Commented Mar 18, 2022 at 6:44
  • conntrack is used in the FORWARD chain to open the firewall for these connections. Otherwise the FORWARD chain's default behavior is DROP, and the packets just don't get through the router. So all the work with SNAT, DNAT or MASQUERADE was useless. Commented Aug 25, 2022 at 14:18
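The packet flow the answer describes (and the conntrack reverse-mapping the comments ask about), as an added Python model that is not part of the original post: host A opens a connection to Y:80, PREROUTING DNAT rewrites the destination to 13.37.42.1 (host S), and the model checks whether A's TCP stack accepts S's reply with and without MASQUERADE. The addresses of A and Y and the client port 40000 are constructed; 13.37.42.1 is the address from the question.

```python
from dataclasses import dataclass, replace

# Addresses: 13.37.42.1 is host S from the question; A and Y are constructed.
A, Y, S = "192.0.2.10", "198.51.100.1", "13.37.42.1"

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class HostY:
    """The iptables box: PREROUTING DNAT :80 -> S, optional POSTROUTING MASQUERADE.
    conntrack stores the post-NAT tuple so a matching reply can be un-translated."""
    def __init__(self, masquerade):
        self.masquerade = masquerade
        self.conntrack = {}

    def forward(self, p):
        q = replace(p, dst=S) if p.dst == Y and p.dport == 80 else p   # DNAT
        if self.masquerade:
            q = replace(q, src=Y)                                      # MASQUERADE
        self.conntrack[(q.src, q.sport, q.dst, q.dport)] = p
        return q

    def reply(self, r):
        """Reverse the translation for a reply addressed to Y, or None if untracked."""
        orig = self.conntrack.get((r.dst, r.dport, r.src, r.sport))
        if orig is None:
            return None
        return Pkt(orig.dst, orig.dport, orig.src, orig.sport)

def client_accepts(opened, response):
    """Host A's stack only accepts a reply matching the 4-tuple it opened."""
    return (response.src, response.sport, response.dst, response.dport) == \
           (opened.dst, opened.dport, opened.src, opened.sport)

def connection_succeeds(masquerade):
    y = HostY(masquerade)
    syn = Pkt(A, 40000, Y, 80)                 # A connects to Y:80
    seen_by_s = y.forward(syn)                 # what S receives after NAT
    synack = Pkt(S, 80, seen_by_s.src, seen_by_s.sport)   # S answers whoever it saw
    if synack.dst == Y:                        # reply comes back through Y
        delivered = y.reply(synack)
    else:                                      # S routes directly to A (as the answer assumes)
        delivered = synack
    return delivered is not None and client_accepts(syn, delivered)
```

Without MASQUERADE the SYN-ACK arrives at A from 13.37.42.1 instead of from Y, so it matches no socket A opened and is dropped, which is the timeout the answer describes.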
