Difference between SNAT and Masquerade

The SNAT target requires you to give it an IP address to apply to all the outgoing packets. The MASQUERADE target lets you give it an interface, and whatever address is on that interface is the address that is applied to all the outgoing packets. In addition, with SNAT, the kernel's connection tracking keeps track of all the connections when the interface is taken down and brought back up; the same is not true for the MASQUERADE target.

Good documents include the HOWTOs on the Netfilter site and the iptables man page.


SNAT and MASQUERADE do the same source NAT thingy in the nat table within the POSTROUTING chain.

Differences

  • MASQUERADE does NOT require --to-source as it was made to work with dynamically assigned IPs

  • SNAT works ONLY with static IPs, that's why it requires --to-source

  • MASQUERADE incurs extra overhead and is slower than SNAT because each time the MASQUERADE target is hit by a packet, it has to check which IP address to use.

NOTE: A typical use case for MASQUERADE: an AWS EC2 instance in a VPC has a private IP within the VPC CIDR (e.g. 10.10.1.0/24), say 10.10.1.100. It also has a public IP associated with it so that it can communicate with the Internet (assume it is in a public subnet); the private IP does 1:1 NAT through that public IP (AWS network infrastructure magic). The public IP may change after an instance power cycle (stop, then start) if it is NOT an EIP, so MASQUERADE is the better option in this use case.

Important: It is still possible to use the MASQUERADE target with a static IP; just be aware of the extra overhead.

References

  • iptables Tutorial

  • NAT Tutorial

  • New iptables Gotchas - SNAT VS MASQUERADE
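The two POSTROUTING rule forms compared in the answers above, plus the check a practitioner wants on a host whose address can change: does an existing SNAT rule's --to-source still match the address on the outbound interface? This is an added example, not code from either answer or from the linked tutorials. The interface name, the addresses, and the captured `ip` and `iptables-save` output are constructed so the script runs offline without root; on a real host you would feed it `ip -4 -o addr show dev eth0` and `iptables-save -t nat`.

```shell
#!/bin/sh
# Added example, not code from the answers above. Builds the two POSTROUTING
# rules they compare and audits a saved SNAT rule against the address currently
# on the outbound interface (the failure mode that makes MASQUERADE attractive
# on hosts with dynamic addresses). Interface name, addresses and the captured
# command output below are constructed for the example.

# Constructed `ip -4 -o addr show dev eth0` output (one line per address).
IP_OUT='2: eth0    inet 10.10.1.100/24 brd 10.10.1.255 scope global dynamic eth0\       valid_lft 3210sec preferred_lft 3210sec'

# Constructed `iptables-save -t nat` output containing a static SNAT rule.
SAVE_OUT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.1.0/24 -o eth0 -j SNAT --to-source 10.10.1.100
COMMIT'

# addr_of IP_OUTPUT: first IPv4 address on the interface, prefix length stripped.
addr_of() {
    printf '%s\n' "$1" | awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# snat_rule LAN IFACE ADDR: SNAT needs the address up front (--to-source).
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' "$1" "$2" "$3"
}

# masq_rule LAN IFACE: MASQUERADE takes only the interface and resolves the
# address per packet, which is the overhead the second answer mentions.
masq_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# stale_snat SAVE_OUTPUT IFACE CURRENT_ADDR: print every SNAT rule on IFACE whose
# --to-source is not CURRENT_ADDR; exit status 1 if any were found, 0 otherwise.
# A --to-source with a range or port spec (a.b.c.d-e.f.g.h:p1-p2) is compared on
# its leading address only, so ranges are reported conservatively.
stale_snat() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v cur="$3" '
        /^-A POSTROUTING / && / -j SNAT / {
            out = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-o") out = $(i + 1)
                if ($i == "--to-source") { src = $(i + 1); sub(/[-:].*/, "", src) }
            }
            if (out == ifc && src != cur) { print; stale++ }
        }
        END { exit (stale > 0) }'
}

# Stand-alone run: emit both rule forms for eth0, then audit the saved ruleset
# against the address currently on eth0 and against a changed address.
LAN=10.10.1.0/24
IFACE=eth0
ADDR=$(addr_of "$IP_OUT")
snat_rule "$LAN" "$IFACE" "$ADDR"
masq_rule "$LAN" "$IFACE"
if stale_snat "$SAVE_OUT" "$IFACE" "$ADDR" >/dev/null; then
    echo "SNAT rule on $IFACE matches $ADDR"
fi
# Simulate the DHCP-lease or stop/start case: the interface now carries 10.10.1.200.
if ! stale_snat "$SAVE_OUT" "$IFACE" 10.10.1.200; then
    echo "stale SNAT rule(s) above: packets would leave $IFACE with a source address the host no longer owns"
fi
```

The audit is the point of the example: a MASQUERADE rule never goes stale because it reads the interface address at packet time, whereas a SNAT rule silently keeps stamping the old --to-source address after the interface's address changes, and the replies never come back. Running `stale_snat` against live `iptables-save -t nat` output (or putting it in a DHCP hook) catches that before users notice.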