George Vieira wrote:
> What I read was that MASQUERADE should be used for changing IP machines like dialup or DHCP LAN workstations etc. SNAT/DNAT was more for servers with static IPs.
> It didn't say why and what things could happen, just that it was good networking to do it that way...

The reason why is that when an interface goes down or changes address,
the connection tracking entries for MASQUERADE targets are flushed,
whereas the connection tracking entries for SNAT targets remain.
So if you have a dynamic IP address, use MASQUERADE, so that the NAT
mappings will be invalidated when the address changes.
But if you have a static IP address, then use SNAT, so that the NAT
mappings remain and the connections are not broken, even if the
interface temporarily goes down.
--
Philip Craig - philipc@xxxxxxxxxxxx - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances