The IP masquerade facility comes with its own set of side effects, some of
which are useful and some of which might become bothersome.
None of the hosts on the supported network behind the masquerade router
are ever directly seen; consequently, you need only one valid and
routable IP address to allow all hosts to make network connections out
onto the Internet. This has a downside; none of those hosts are
visible from the Internet and you can't directly connect to them from
the Internet; the only host visible on a masqueraded network is the
masquerade machine itself. This is important when you consider
services such as mail or FTP. It helps determine what services should
be provided by the masquerade host and what services it should proxy
or otherwise treat specially.
Second, because none of the masqueraded hosts are visible, they are relatively
protected from attacks from outside; this could simplify or even remove
the need for firewall configuration on the masquerade host. You shouldn't rely
too heavily on this, though. Your whole network will be only as safe as
your masquerade host, so you should use a firewall to protect it if security is
Third, IP masquerade will have some impact on the performance of your
networking. In typical configurations this will probably be barely measurable.
If you have large numbers of active masquerade sessions, though, you may find
that the processing required at the masquerade machine begins to impact
your network throughput. IP masquerade must do a good deal of work for
each datagram compared to the process of conventional routing. That
386SX16 machine you have been planning on using as a masquerade machine
supporting a dial-up link to the Internet might be fine, but don't expect
too much if you decide you want to use it as a router in your corporate
network at Ethernet speeds.
Last, some network services just won't work through masquerade, or at least
not without a lot of help. Typically, these are services that rely on incoming
sessions to work, such as some types of Direct Communications Channels (DCC)
features in IRC, or certain types of video and audio multicasting services.
Some of these services have specially developed kernel modules to provide
solutions for these, and we'll talk about those in a moment. For others, it
is possible that you will find no support, so be aware that it won't be suitable
in all situations.
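To show why the inner hosts are never seen from the Internet and why services that depend on incoming sessions fail, here is a toy model of the masquerade host's translation table. It is an added illustration, not code from the guide or the kernel; the addresses are constructed and the port allocation scheme is an assumption, not the kernel's real one.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str  # "ip:port"
    dst: str  # "ip:port"


class Masquerader:
    """Toy masquerade host: every outbound datagram leaves with the single
    routable address as its source, and only replies to known sessions are
    let back in and rewritten to the inner host that started them."""

    def __init__(self, external_ip: str, first_port: int = 61000):
        self.external_ip = external_ip
        self.next_port = first_port      # assumed allocation scheme
        self.outbound = {}  # (proto, inner src, remote) -> masq port
        self.inbound = {}   # (proto, masq port, remote) -> inner src

    def forward_out(self, pkt: Packet) -> Packet:
        """Rewrite the source of an outbound datagram, creating a session
        entry the first time this (inner src, remote) pair is seen."""
        key = (pkt.proto, pkt.src, pkt.dst)
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(pkt.proto, port, pkt.dst)] = pkt.src
        return Packet(pkt.proto, f"{self.external_ip}:{port}", pkt.dst)

    def forward_in(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an inbound datagram back to the inner host, or drop it
        (return None) when no session exists: an unsolicited incoming
        connection has nowhere to go, which is why DCC-style services break."""
        ip, port = pkt.dst.rsplit(":", 1)
        if ip != self.external_ip:
            return None  # not addressed to the only visible host
        inner = self.inbound.get((pkt.proto, int(port), pkt.src))
        if inner is None:
            return None  # no session: dropped, the inner hosts stay invisible
        return Packet(pkt.proto, pkt.src, inner)


def demo():
    """Constructed traffic: one outbound web session, its reply, and an
    unsolicited inbound connection attempt to the masquerade address."""
    masq = Masquerader("203.0.113.5")
    out = masq.forward_out(Packet("tcp", "192.168.1.10:40001", "198.51.100.20:80"))
    reply = masq.forward_in(Packet("tcp", "198.51.100.20:80", out.src))
    unsolicited = masq.forward_in(Packet("tcp", "198.51.100.30:6000", "203.0.113.5:8080"))
    return out, reply, unsolicited
```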