
What is the advantage/disadvantage between the two commands below:

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/16 -j MASQUERADE

AND

iptables -t nat -A POSTROUTING -j MASQUERADE

Some Background why this question has arisen:

I had raised a question, "AWS VPC + IPtables + NAT: Port Forwarding is not working", and I got it working only by making this change.

Hence this question.

UPDATE:

After seeing the down votes (with the mighty down voters too busy to comment on why they are down voting), I have edited the question a little bit. I see that people just take the English word's literal meaning and don't bother understanding the essence of it. Hence I had to edit the question.

Also, it is a shameful act if you do not give a reason why you down vote. This way the OP will never get a chance to improve his post or know what is wrong with it.

slayedbylucifer
  • Hey there, you coward downvoter... don't you have the guts to leave a comment on why you are downvoting? – slayedbylucifer Jan 29 '14 at 08:07
  • Probably because it's plainly obvious what the difference is (I am not one of the downvotes). The first rule applies only to packets with an "inside" address leaving on eth0; the second rule matches everything (and also masquerades incoming traffic). – Falcon Momot Jan 30 '14 at 00:35

2 Answers


This command

iptables -t nat -A POSTROUTING -j MASQUERADE

is very overly broad, because it is going to do NAT on every connection routed through this box irrespective of the source/destination. You should almost never use this rule without some other rules in place to limit it to a particular direction. This overly broad rule is almost never the right answer.

As to why it addressed the symptoms in your previous problem: by using NAT for everything you will hide misconfiguration of your routing, since the machines on either side of the device with this overly broad rule will basically think they are communicating with the firewall.

Since your problem appeared to be about an incoming connection, you should also understand that using a rule like this is going to hide the source address of the incoming packets. This means any logs you keep will be worthless, since all they will do is log the IP of your firewall as the source address.

Zoredache
  • Thanks. So per your input, I modified my rule a bit and now `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` is working, but it would still be a broad rule per your suggestions. If I put `iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/16 -j MASQUERADE`, then it isn't working. If I add a `-s 10.0.0.0/16` to the rule, which will restrict it to this specific IP range, then the rule does not work. So I am only left with using the broad rule. I don't know whether this is good. Could you suggest what else I should put to make my rule restrictive? Thanks for your time. +1. – slayedbylucifer Jan 29 '14 at 08:31
  • I think you missed the bolded portion of my question. With the limited information I have seen from your various questions I don't think you need that rule at all for an incoming connection. I think you need to **fix your routing**. But your other question didn't include any details about your routing, so nobody can tell you what to fix/change. – Zoredache Jan 29 '14 at 17:14
  • I have dumped whatever I could regarding the VPC setup in the question I linked in my post. Regarding the routing info, AWS VPC handles that, and I have no control over it, nor do I know how it works behind the curtains. I highly appreciate your time and explanation. I am researching further, and if I fail to find anything meaningful, I shall be accepting this answer. – slayedbylucifer Jan 30 '14 at 03:43

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/16 -j MASQUERADE

Only matches packets outgoing via eth0 and with a source address in 10.0.0.0/16. NATs them with the default IP of interface eth0.

iptables -t nat -A POSTROUTING -j MASQUERADE

Matches packets outgoing via any interface with any source address; NATs them via the default IP of the outgoing interface.

Bartłomiej Zarzecki
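To make the difference described in both answers concrete, here is an added example (not from either answerer, and not a real netfilter implementation) that models how the nat POSTROUTING chain evaluates `-o`, `-s` and `-j MASQUERADE`. The interface addresses and the three packets are constructed; eth0 is assumed to face the VPC/Internet side and eth1 the internal 10.0.0.0/16 hosts. It shows that the broad rule also rewrites the source of traffic forwarded inbound on eth1, which is exactly why logs on the internal host would only ever show the firewall's address.

```python
import ipaddress
import shlex

# Constructed: firewall's address per interface; eth0 faces the VPC side, eth1 the 10.0.0.0/16 hosts.
IFACE_ADDR = {"eth0": "203.0.113.10", "eth1": "10.0.0.1"}

def parse_rule(cmd):
    """Extract -o, -s and -j from an 'iptables -t nat -A POSTROUTING ...' command."""
    argv = shlex.split(cmd)
    rule = {"out": None, "src": None, "target": None}
    for i, tok in enumerate(argv):
        if tok == "-o":
            rule["out"] = argv[i + 1]
        elif tok == "-s":
            rule["src"] = ipaddress.ip_network(argv[i + 1], strict=False)
        elif tok == "-j":
            rule["target"] = argv[i + 1]
    return rule

def matches(rule, src, out_iface):
    """A rule without -o matches every interface; without -s it matches every source."""
    if rule["out"] is not None and rule["out"] != out_iface:
        return False
    return rule["src"] is None or ipaddress.ip_address(src) in rule["src"]

def postrouting(rules, src, out_iface):
    """Source address after POSTROUTING: first MASQUERADE match rewrites it to the egress interface's address."""
    for rule in rules:
        if rule["target"] == "MASQUERADE" and matches(rule, src, out_iface):
            return IFACE_ADDR[out_iface]
    return src  # no match: the original source address is preserved

NARROW = [parse_rule("iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/16 -j MASQUERADE")]
BROAD = [parse_rule("iptables -t nat -A POSTROUTING -j MASQUERADE")]

# Constructed traffic: (source address, outgoing interface) as seen at POSTROUTING.
PACKETS = {
    "internal host going out": ("10.0.2.20", "eth0"),
    "external client forwarded in": ("198.51.100.7", "eth1"),
    "stray source leaving via eth0": ("192.168.5.5", "eth0"),
}

def compare(rules):
    """Map each packet label to the source address the next hop will see."""
    return {label: postrouting(rules, src, out) for label, (src, out) in PACKETS.items()}

if __name__ == "__main__":
    for name, rules in (("narrow", NARROW), ("broad", BROAD)):
        print(name, compare(rules))
```

With the narrow rule the forwarded external client keeps its real address and the stray 192.168.5.5 source is left visible (so a routing mistake shows up instead of being hidden); with the broad rule every packet leaves carrying the firewall's address.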