7.7. IP Masquerade

Many people have a simple dialup account to connect to the Internet. Nearly everybody using this sort of configuration is allocated a single IP address by the Internet Service Provider. This is normally enough to allow only one host full access to the network. IP Masquerade is a clever trick that enables you to have many machines make use of that one IP address. It causes the other hosts to look like the machine supporting the dial-up connection. This is where the term masquerade applies. There is a small caveat: the masquerade function usually works only in one direction. That is, the masqueraded hosts can make calls out, but they cannot accept or receive network connections from remote hosts. This means that some network services do not work (such as talk), and others (such as ftp) must be configured in passive (PASV) mode to operate. Fortunately, the most common network services such as telnet, World Wide Web and irc work just fine.

Kernel Compile Options:

       Code maturity level options  --->
            [*] Prompt for development and/or incomplete code/drivers
        Networking options  --->
            [*] Network firewalls
            ....
            [*] TCP/IP networking
            [*] IP: forwarding/gatewaying
            ....
            [*] IP: masquerading (EXPERIMENTAL)

Normally, you have your linux machine supporting a SLIP or PPP dial-up line (just as it would if it were a standalone machine). Additionally, it would have another network device configured (perhaps an ethernet) with one of the reserved network addresses. The hosts to be masqueraded would be on this second network. Each of these hosts would have the IP address of the ethernet port of the linux machine set as their default gateway or router.

A typical configuration might look something like this:

-                                   -
 \                                  | 192.168.1.0
  \                                 |   /255.255.255.0
   \                 ---------      |
    |                | Linux | .1.1 |
NET =================| masq  |------|
    |    PPP/slip    | router|      |  --------
   /                 ---------      |--| host |
  /                                 |  |      |
 /                                  |  --------
-                                   -

7.7.1. Masquerading with IPFWADM (Kernels 2.0.x)

The most relevant commands for this configuration are:

       # Network route for ethernet
        route add -net 192.168.1.0 netmask 255.255.255.0 eth0
        #
        # Default route to the rest of the Internet.
        route add default ppp0
        #
        # Cause all hosts on the 192.168.1/24 network to be masqueraded.
        ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0

7.7.2. Masquerading with IPCHAINS

This is similar to using IPFWADM, but the command structure has changed:

        # Network route for ethernet
        route add -net 192.168.1.0 netmask 255.255.255.0 eth0
        #
        # Default route to the rest of the Internet.
        route add default ppp0
        #
        # Cause all hosts on the 192.168.1/24 network to be masqueraded.
        ipchains -A forward -s 192.168.1.0/24 -j MASQ

You can get more information on the Linux IP Masquerade feature from the IP Masquerade Resource Page. Also, a very detailed document about masquerading is the ``IP-Masquerade mini-HOWTO'' (which also intructs to configure other OS's to run with a Linux masquerade server).

For information on Applications of IP Masquerading, check the IPMASQ Applications page.