33.2 Masquerading Basics
Masquerading is the Linux-specific form of NAT (network address
translation). It can be used to connect a small LAN (where hosts use IP
addresses from the private range—see
Section 20.1.2, Netmasks and Routing) with the Internet
(where official IP addresses are used). For the LAN hosts to be able to
connect to the Internet, their private addresses are translated to an
official one. This is done on the router, which acts as the gateway
between the LAN and the Internet. The underlying principle is a simple
one: The router has more than one network interface, typically a network
card and a separate interface connecting with the Internet. While the
latter links the router with the outside world, one or several others
link it with the LAN hosts. With these hosts in the local network
connected to the network card (such as eth0) of the
router, they can send any packets not destined for the local network to
their default gateway or router.
IMPORTANT: Using the Correct Network Mask
When configuring your network, make sure both the broadcast address and
the netmask are the same for all local hosts. Failing to do so prevents
packets from being routed properly.
As mentioned, whenever one of the LAN hosts sends a packet destined for
an Internet address, it goes to the default router. However, the router
must be configured before it can forward such packets. For security
reasons, this is not enabled in a default installation. To enable it, set
the variable IP_FORWARD in the file
The target host of the connection can see your router, but knows nothing
about the host in your internal network where the packets originated.
This is why the technique is called masquerading. Because of the address
translation, the router is the first destination of any reply packets.
The router must identify these incoming packets and translate their
target addresses, so packets can be forwarded to the correct host in the
With the routing of inbound traffic depending on the masquerading table,
there is no way to open a connection to an internal host from the
outside. For such a connection, there would be no entry in the table. In
addition, any connection already established has a status entry assigned
to it in the table, so the entry cannot be used by another connection.
As a consequence of all this, you might experience some problems with a
number of application protocols, such as ICQ, cucme, IRC (DCC, CTCP), and
FTP (in PORT mode). Web browsers, the standard FTP program, and many
other programs use the PASV mode. This passive mode is much less
problematic as far as packet filtering and masquerading are concerned.