Masquerading is the Linux-specific form of NAT (network address
translation). It can be used to connect a small LAN (where hosts use IP
addresses from the private range—see
Abschnitt „Netzmasken und Routing“ (Kapitel 21, Grundlegendes zu Netzwerken, ↑Referenz)) with the Internet
(where official IP addresses are used). For the LAN hosts to be able to
connect to the Internet, their private addresses are translated to an
official one. This is done on the router, which acts as the gateway
between the LAN and the Internet. The underlying principle is a simple
one: The router has more than one network interface, typically a network
card and a separate interface connecting with the Internet. While the
latter links the router with the outside world, one or several others
link it with the LAN hosts. With these hosts in the local network
connected to the network card (such as eth0
) of the
router, they can send any packets not destined for the local network to
their default gateway or router.
![]() | Using the Correct Network Mask |
---|---|
When configuring your network, make sure both the broadcast address and the netmask are the same for all local hosts. Failing to do so prevents packets from being routed properly. |
As mentioned, whenever one of the LAN hosts sends a packet destined for
an Internet address, it goes to the default router. However, the router
must be configured before it can forward such packets. For security
reasons, this is not enabled in a default installation. To enable it, set
the variable IP_FORWARD
in the file
/etc/sysconfig/sysctl
to
IP_FORWARD=yes
.
The target host of the connection can see your router, but knows nothing about the host in your internal network where the packets originated. This is why the technique is called masquerading. Because of the address translation, the router is the first destination of any reply packets. The router must identify these incoming packets and translate their target addresses, so packets can be forwarded to the correct host in the local network.
With the routing of inbound traffic depending on the masquerading table, there is no way to open a connection to an internal host from the outside. For such a connection, there would be no entry in the table. In addition, any connection already established has a status entry assigned to it in the table, so the entry cannot be used by another connection.
As a consequence of all this, you might experience some problems with a number of application protocols, such as ICQ, cucme, IRC (DCC, CTCP), and FTP (in PORT mode). Web browsers, the standard FTP program, and many other programs use the PASV mode. This passive mode is much less problematic as far as packet filtering and masquerading are concerned.