A Linux server is configured as a gateway for a private network (10.0.0.0/24). The server's external interface, eth0, is in the external firewalld zone and its public IP address is assigned dynamically by the ISP. The administrator needs to allow all computers on the private network to access the internet through the gateway. Which of the following commands will correctly implement Source Network Address Translation (SNAT) to accomplish this?
The correct command is firewall-cmd --zone=external --add-masquerade --permanent. Masquerading is the form of SNAT used when the external address is dynamic: rather than rewriting the source to a fixed address, it rewrites it to whatever address the outgoing interface currently holds, so the rule keeps working when the ISP issues a new lease. The command adds the masquerade rule to the external zone, which is the zone holding the public-facing interface eth0, and SNAT for outbound traffic belongs on the egress side. Two practical caveats: --permanent writes the stored zone definition but does not change the running firewall until firewall-cmd --reload (or until the same command is repeated without --permanent), and firewalld's --add-masquerade is IPv4-only, so IPv6 traffic would need a separate rich rule. Note also that the external zone shipped with firewalld already has masquerading enabled by default, so on an unmodified installation this command mainly confirms the setting; it is still the correct way to guarantee it. The command --zone=internal --add-masquerade --permanent is incorrect because masquerading applies to packets leaving through that zone's interfaces, so it would rewrite traffic heading into the private network, not traffic bound for the internet. The command --zone=external --add-forward-port=port=80:proto=tcp:toaddr=10.0.0.50 is a Destination NAT (DNAT) or port-forwarding rule that sends inbound TCP port 80 to one internal host; it does nothing for outbound access from the whole network. The command --zone=internal --add-service=http --permanent simply opens the HTTP service in the internal zone's packet filter; it performs no address translation.
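The following script is an added example, not part of the original question or explanation. It applies the masquerade rule to both the runtime and permanent configuration, then verifies the result by parsing the output of firewall-cmd --zone=external --list-all. The zone name, the interface name eth0, and the sample listing used for the check are assumptions constructed for this example; the apply step only runs when the script is invoked with the argument apply, so the check function can be exercised without firewall-cmd installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): enable SNAT via masquerading on a
# firewalld zone and verify it. Assumes firewall-cmd is installed when run with
# "apply"; zone and interface names are assumptions that can be overridden.
set -eu

ZONE="${ZONE:-external}"
IFACE="${IFACE:-eth0}"

# Add the masquerade rule to the running firewall AND the stored zone definition.
# --permanent alone is not active until 'firewall-cmd --reload'; issuing both
# forms keeps runtime and permanent configuration in sync without a reload.
enable_masquerade() {
    firewall-cmd --zone="$ZONE" --add-masquerade
    firewall-cmd --zone="$ZONE" --add-masquerade --permanent
}

# Masquerading in firewalld implies IPv4 forwarding, but a gateway should still
# confirm the kernel knob, since another tool may have reset it.
check_ip_forward() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Read a 'firewall-cmd --zone=ZONE --list-all' listing from stdin and return 0
# only if masquerading is on AND the given interface is bound to the zone.
# Both conditions matter: masquerade on a zone with no public interface is inert.
check_zone_nat() {
    iface="$1"
    listing="$(cat)"
    printf '%s\n' "$listing" \
        | grep -Eq '^[[:space:]]*masquerade:[[:space:]]*yes[[:space:]]*$' || return 1
    printf '%s\n' "$listing" \
        | grep -Eq "^[[:space:]]*interfaces:.*[[:space:]]${iface}([[:space:]]|$)" || return 1
    return 0
}

# Constructed sample listings (not captured from a real host) in the layout
# firewall-cmd --list-all prints; used to exercise check_zone_nat offline.
SAMPLE_LISTING_OK='external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Same zone with masquerading off: the check must fail on this one.
SAMPLE_LISTING_NO_MASQ="$(printf '%s\n' "$SAMPLE_LISTING_OK" | sed 's/masquerade: yes/masquerade: no/')"

main() {
    enable_masquerade
    check_ip_forward || echo "warning: net.ipv4.ip_forward is not 1" >&2
    if firewall-cmd --zone="$ZONE" --list-all | check_zone_nat "$IFACE"; then
        echo "SNAT (masquerade) active on zone $ZONE via $IFACE"
    else
        echo "masquerade missing or $IFACE not in zone $ZONE" >&2
        exit 1
    fi
}

# Only touch the firewall when explicitly asked: ./gateway-snat.sh apply
if [ "${1:-}" = "apply" ]; then
    main
fi
```

Running the script with apply on the gateway applies and verifies the rule; sourcing it without arguments only defines the functions, which is how the check is tested against the constructed listings.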
CompTIA Linux+ XK0-006 (V8)
Security