This table should only be used for NAT (Network Address Translation) on different packets. In other words, it should only be used to translate the packet's source field or destination field. Note that, as we have said before, only the first packet in a stream will hit this table. After this, the rest of the packets in the stream will automatically have the same action taken on them as the first packet. The actual targets that do these kinds of things are:

  DNAT
  SNAT
  MASQUERADE
  REDIRECT
The DNAT target is mainly used in cases where you have a public IP and want to redirect accesses to the firewall to some other host (on a DMZ, for example). In other words, we change the destination address of the packet and reroute it to that host.
SNAT is mainly used for changing the source address of packets. For the most part you'll use it to hide your local networks, DMZ, etc. A very good example would be that of a firewall whose outside IP address we know, but where we need to substitute our local network's IP numbers with that of our firewall. With this target the firewall will automatically SNAT and De-SNAT the packets, hence making it possible to make connections from the LAN to the Internet. If your network uses 192.168.0.0/netmask, for example, the packets would never get back from the Internet, because IANA has regulated these networks (among others) as private and only for use in isolated LANs.
The MASQUERADE target is used in exactly the same way as SNAT, but the MASQUERADE target takes a little bit more overhead to compute. The reason for this is that each time the MASQUERADE target gets hit by a packet, it automatically checks which IP address to use, instead of doing as the SNAT target does, which is simply to use the single configured IP address. The MASQUERADE target makes it possible to work properly with dynamic DHCP IP addresses that your ISP might provide for your PPP, PPPoE or SLIP connections to the Internet.
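As an added example (not from the tutorial itself), the script below builds the nat-table rules described above for a small gateway: SNAT when the outside address is static, MASQUERADE when it is dynamic, and DNAT for a service on a DMZ host. The topology (LAN 192.168.0.0/24 on eth1, Internet on eth0, DMZ web server 10.0.0.10) and the DRY_RUN switch are assumptions for illustration.

```shell
#!/bin/sh
# Constructed topology for this example, not from the tutorial.
LAN_NET="192.168.0.0/24"
LAN_IF="eth1"
WAN_IF="eth0"
DMZ_HTTP="10.0.0.10"

# Run one iptables command, or print it when DRY_RUN=1 so the generated
# rules can be reviewed before they touch a live firewall.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Source NAT for the LAN, applied after routing (POSTROUTING).
# With a static outside address, SNAT to that single address; with a
# dynamic one, MASQUERADE, which re-reads the interface address for each
# new connection (the extra overhead the text mentions) and so keeps
# working across DHCP or PPP renegotiation.
snat_rules() {
    wan_ip="$1"   # empty string means "outside address is dynamic"
    if [ -n "$wan_ip" ]; then
        ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" \
            -j SNAT --to-source "$wan_ip"
    else
        ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    fi
}

# Destination NAT: connections arriving from the Internet for TCP/80 are
# rewritten to the DMZ web server before routing (PREROUTING).
dnat_rules() {
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_HTTP:80"
}

# Install both sets of rules. Only the first packet of each connection
# consults the nat table; connection tracking applies the same translation
# to the rest. The FORWARD chain of the filter table must still accept the
# translated traffic; that part is outside the scope of this example.
apply_nat() {
    snat_rules "$1"
    dnat_rules
}
```

Source the file and call `DRY_RUN=1 apply_nat 203.0.113.5` (or `apply_nat ""` for a dynamic address) to see the rules that would be installed.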