**Masquerading with `iptables`** and **setting routes** are related but serve different purposes in networking. Let me explain the key differences:

---
## **1. Routes vs. Masquerading (NAT)**
| Feature | **Routing (ip route)** | **Masquerading (iptables -t nat)** |
|---------|----------------------|-------------------------------|
| **Purpose** | Determines **where traffic goes** (next hop). | Modifies **how traffic appears** (source IP, port). |
| **Layer** | **Layer 3 (Network)** | **Layer 3 + Layer 4 (Transport)** |
| **Example** | `ip route add 10.0.0.0/24 via 192.168.1.1` | `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` |
| **Use Case** | Directs traffic to the correct gateway. | Hides internal IPs (e.g., for Internet sharing). |
---
## **2. Key Differences**
### **Routing (ip route)**
- **Decides the path** for packets (e.g., "Send traffic to `192.168.1.1` for the Internet").
- Works at **Layer 3 (IP level)**.
- Does **not rewrite addresses or ports**: the packet is forwarded with its source and destination intact (a forwarding hop only decrements the TTL).
### **Masquerading (iptables -t nat)**
- **Modifies packet headers** (e.g., replaces your internal IP with the router's IP).
- Used for **Network Address Translation (NAT)**.
- Works at **Layer 3 + Layer 4 (IP + Port level)**.
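- Commonly used for:
  - **Sharing Internet** (e.g., a router forwarding traffic from LAN to WAN).
  - **Hiding internal IPs** (security/privacy). This hides addresses but does not filter traffic; what may pass through is still decided by the `filter` table.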
---
## **3. When Are They Used Together?**
- **Routing** tells the system **where to send traffic**.
- **Masquerading** then **rewrites the source IP** before sending it out.
### **Example: Home Router Setup**
1. **Routing**:
   - Your device has a route: `default via 192.168.1.1` (Wi-Fi gateway).
2. **Masquerading**:
   - The router runs:
     ```sh
     iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
     ```
   - This replaces your device's IP (`192.168.1.40`) with the router's public IP (`203.0.113.1`) before sending traffic to the Internet.
---
## **4. Can Masquerading Replace Routing?**
- **No!** Masquerading **depends on routing** to know where to send traffic.
- Masquerading **only modifies packets**—it doesn’t decide the path.
### **Analogy**
- **Routing** is like a **postal service** deciding where to send a letter.
- **Masquerading** is like **rewriting the return address** on the envelope before sending it.
---
## **5. Practical Example**
### **Scenario: Sharing Internet via Ethernet**
1. **Set up routing** on the client:
   ```sh
   ip route add default via 10.0.0.1 dev eth0
   ```
   (Tells the client to send all traffic to `10.0.0.1`.)
2. **Enable masquerading** on the router (Linux machine with two NICs):
   ```sh
   iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
   ```
   (Rewrites the source IP of outgoing traffic to the address of the router's outgoing interface `eth1`, i.e. its public IP.)

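
The router side of this scenario written out in full, as an added example that is not part of the original page: besides the masquerade rule, the router needs IPv4 forwarding enabled, and the `FORWARD` chain decides what is allowed to cross it. The LAN interface `eth0` and the subnet `10.0.0.0/24` are assumptions; only `eth1` and the gateway `10.0.0.1` come from the text above.

```sh
#!/bin/sh
# Added example: router-side setup for the Ethernet-sharing scenario.
# Assumed values (not from the page): LAN on eth0, LAN subnet 10.0.0.0/24.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-10.0.0.0/24}

# Emit the commands in the order they should be applied; nothing runs here.
router_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}
# Line 1: without forwarding the kernel drops packets not addressed to it.
# Line 2: default-deny, so NAT alone never implies "allowed".
# Line 3: only the LAN subnet may initiate connections towards the WAN.
# Line 4: replies to those connections are let back in, nothing else.
# Line 5: masquerade is scoped with -s so only LAN traffic is rewritten.

# Dry run by default: prints the commands. As root, APPLY=1 executes them.
setup_router() {
    router_rules | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd || exit 1      # stop at the first command that fails
        else
            printf '%s\n' "$cmd"
        fi
    done
}

setup_router
```
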
---
## **6. Conclusion**
- **Routing** = **Path selection** (where traffic goes).
- **Masquerading** = **Packet modification** (how traffic appears).
- They **work together** but are **not the same**.