I think that the diff between MASQUERADE and SNAT is that when you do MASQUERADE and there are conntrack entries for certain connections and your interface goes down and comes up again with a different IP then those conntrack entries would still be valid for this new IP; as opposed to SNAT which statically binds one end of the conntrack entry to the --to argument.
However, I know of many cases where you explicitly want to SNAT to an IP which does not have to be the IP of the outgoing interface. That's where SNAT shows its full strength. Now, _if_ this assumption is correct, the next question would be: what is the harm of always and only doing MASQUERADE when masquerading is the required action, i.e., snatting to the IP of the outgoing interface?

Ramin

On Fri, May 03, 2002 at 05:05:53PM +0200, Markus Sj?str?m wrote:
> i've set my NAT up and everything is working good.
>
> i was advised by a friend (quite experienced with linux) to
> use the -j MASQUERADE command. but the howto
> says i should use SNAT instead if i have a static ip.
>
> i write the following command to get my NAT to work:
>
> "iptables -t nat -A POSTROUTING -s 192.168.0.2/255.255.255.255 -o eth0 -j MASQUERADE"
>
> I would like to know what the -j MASQUERADE does if i have a static ip, can something go
> wrong?
> Please make me smarter! :-)
>
> Regards
> Markus
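The two POSTROUTING rule forms discussed in this thread, side by side, as an added example that is not part of either message. The internal host 192.168.0.2 and interface eth0 are taken from Markus's rule; the static address 203.0.113.10 is a placeholder from the documentation range, and the helper names are mine. The comments restate the behaviour the iptables documentation gives for the two targets: MASQUERADE looks up the outgoing interface's address per connection and forgets its connections when the interface goes down, while SNAT binds to the address given with --to-source.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values:
#   internal host 192.168.0.2, outgoing interface eth0,
#   static address 203.0.113.10 (placeholder, documentation range).

# MASQUERADE form: the source address is taken from the outgoing interface at
# connection time, and the kernel drops the conntrack entries that used that
# address when the interface goes down or changes address. Suited to dynamic IPs.
masquerade_rule() {
    # $1 = internal source, $2 = outgoing interface
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# SNAT form: the source address is fixed when the rule is added. It survives an
# interface flap, and it may be any address the box owns (e.g. an alias), which
# is the case MASQUERADE cannot express. Suited to static IPs.
snat_rule() {
    # $1 = internal source, $2 = outgoing interface, $3 = address to SNAT to
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' "$1" "$2" "$3"
}

# Read-only check of what is actually installed and tracked (needs root):
# the POSTROUTING chain with counters, and the conntrack table if readable.
show_nat_state() {
    iptables -t nat -L POSTROUTING -n -v
    if command -v conntrack >/dev/null 2>&1; then
        conntrack -L 2>/dev/null
    elif [ -r /proc/net/nf_conntrack ]; then
        cat /proc/net/nf_conntrack
    fi
}

# Usage (run as root to apply; here only printed so the script is safe to source):
#   sh -c "$(masquerade_rule 192.168.0.2 eth0)"
#   sh -c "$(snat_rule 192.168.0.2 eth0 203.0.113.10)"
#   show_nat_state
```

Add only one of the two rules for a given source and interface; both matching the same traffic would leave the first one in the chain to win, which makes the comparison meaningless. Checking the counters in show_nat_state after a test connection is the quickest way to confirm which rule is actually doing the translation.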
