38.2 Masquerading Basics
Masquerading is the Linux-specific form of NAT (network address
translation). It can be used to connect a small LAN (where hosts use IP
addresses from the private range—see Section 29.1.2, Netmasks and
Routing) with the
Internet (where official IP addresses are used). For the LAN hosts to be
able to connect to the Internet, their private addresses are translated to
an official one. This is done on the router, which acts as the gateway
between the LAN and the Internet. The underlying principle is a simple one:
The router has more than one network interface, typically a network card and
a separate interface connecting with the Internet. While the latter links
the router with the outside world, one or several others link it with the
LAN hosts. With these hosts in the local network connected to the network
card (such as eth0) of the router, they can send any
packets not destined for the local network to their default gateway or
router.
IMPORTANT: Using the Correct Network Mask
When configuring your network, make sure both the broadcast address and
the netmask are the same for all local hosts. Failing to do so
prevents packets from being routed properly.
As mentioned, whenever one of the LAN hosts sends a packet destined for an
Internet address, it goes to the default router. However, the
router must be configured before it can forward such packets. For security
reasons, SUSE® Linux Enterprise does not enable forwarding in a default installation.
To enable it, set the variable IP_FORWARD in the
file /etc/sysconfig/sysctl to
IP_FORWARD=yes.
The target host of the connection can see your router, but knows nothing
about the host in your internal network where the packets originated. This
is why the technique is called masquerading. Because of the address
translation, the router is the first destination of any reply packets.
The router must identify these incoming packets and translate their
target addresses, so packets can be forwarded to the correct host in
the local network.
With the routing of inbound traffic depending on the masquerading table,
there is no way to open a connection to an internal host from the outside.
For such a connection, there would be no entry in the table. In addition,
any connection already established has a status entry assigned to it in the
table, so the entry cannot be used by another connection.
As a consequence of all this, you might experience some problems with a
number of application protocols, such as ICQ, CU-SeeMe, IRC (DCC, CTCP), and
FTP (in PORT mode). Netscape, the standard FTP program, and many
others use the PASV mode. This passive mode is much less problematic as far
as packet filtering and masquerading are concerned.
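The table behaviour described above, as a toy Python model. This is an added example, not code from the SUSE documentation or the kernel; the class name, addresses and port numbers are constructed, and the PORT-mode step assumes the FTP server aims its data connection at the router's address.

```python
# Toy model of a masquerading table (added example, not kernel code).
# Addresses are constructed: RFC 1918 for the LAN, RFC 5737 for the Internet.
from itertools import count

ROUTER_PUBLIC_IP = "203.0.113.1"   # constructed official address of the router


class Masquerader:
    def __init__(self, public_ip=ROUTER_PUBLIC_IP, first_port=61000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.by_flow = {}   # (lan_ip, lan_port, dst_ip, dst_port) -> router port
        self.by_port = {}   # router port -> (lan_ip, lan_port, dst_ip, dst_port)

    def outbound(self, lan_ip, lan_port, dst_ip, dst_port):
        """LAN host sends a packet: rewrite the source to the router's address."""
        flow = (lan_ip, lan_port, dst_ip, dst_port)
        if flow not in self.by_flow:          # first packet creates the entry
            port = next(self._ports)
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return (self.public_ip, self.by_flow[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, router_port):
        """Packet arrives at the router: forward only if it matches an entry."""
        flow = self.by_port.get(router_port)
        if flow is None or flow[2:] != (src_ip, src_port):
            return None                       # no entry: nothing to forward to
        return (src_ip, src_port, flow[0], flow[1])


def demo():
    nat = Masquerader()
    server = "198.51.100.7"
    # FTP control connection from a LAN client to the server's port 21.
    seen = nat.outbound("192.168.0.10", 40000, server, 21)
    reply = nat.inbound(server, 21, seen[1])
    # PORT mode: the server opens the data connection from its port 20.
    # No outbound packet created an entry for it, so it is not forwarded.
    port_mode = nat.inbound(server, 20, 40001)
    # PASV mode: the client opens the data connection itself, creating an entry.
    data = nat.outbound("192.168.0.10", 40001, server, 50000)
    pasv_mode = nat.inbound(server, 50000, data[1])
    return seen, reply, port_mode, pasv_mode


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The server only ever sees the router's address in `seen`, and the PORT-mode attempt returns `None` because no table entry exists for it.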