Linux – What is MASQUERADE Made For?


A simple redirection is used on my server, with iptables rules :

$ iptables -t nat -A PREROUTING -p tcp –dport 80 -j DNAT –to-destination

$ iptables -t nat -A POSTROUTING -j MASQUERADE

I dont understand the utility of the second line (masquerade).
Why/WhatFor is it useful in this example ?

Why – not theorically, but IRL – would you use it in such an example ?


Best Answer

MASQUERADE does what the name suggests: It hides everything “behind” the host. You’d do that to supply Internet to multiple hosts when you only have one uplink IP address. This tech is used on most consumer-grade Internet access routers, dubbed “NAT”.

When host A contacts server S via MASQUERADEing router R, the server won’t be able to see the connection originates from host A. Instead, to the server it looks like it’s communicating with router R. Router R however knows this connection was originally from host A and will forward messages accordingly. Host A knows it connected to server S and that server S sent the response.

In IPTables, you’d usually use this only on the Internet-facing interface. Something like that:


Meaning that every IP packet that was routed and leaves through eth0 will get the treatment.

When used in your example, it looks to (host S) as if your machine (henceforth host Y) initiated the connection. That means the response will reach host Y which forwards it to the real destination (host A). To host A, it will look as if the message came from host Y. It cannot see or know that host S actually sent it, because MASQUERADE works both ways here.

If you do not use this rule, host S will see a message that originated from host A. It will thus send the response directly to host A. Host A, however, does not know host S. It connected to host Y and expects a response from there. As such, the response from host S is treated as unsolicited traffic and discarded. The connection will time out.

Related Question