IP masquerading allows you to hide the IP addresses of the computers on your LAN. It replaces these IP addresses with the public IP address on your gateway computer. This helps to protect the computers within your LAN from direct attack.
Note: IP masquerading is a form of Network Address Translation (NAT). Another way to implement NAT is with a proxy server.
IP masquerading and firewalls are commonly configured on the same computer on a LAN, the gateway between that LAN and an external network such as the Internet. Therefore, the developers of iptables have included options to use that command to configure masquerading.
As described in Chapter 21, you can configure a gateway computer to connect to your LAN and another network such as the Internet. Assuming that you're connecting to the Internet, you can use private IP addresses within your LAN, and use a public IP address on the network card that is connected to the Internet.
Then, to complete the connection, you must configure IP forwarding on the gateway computer as described in Chapter 21, and add an appropriate iptables command to your firewall.
Once you've set up masquerading, anyone who connects to the Internet from inside your LAN sends data packets through your gateway computer. For example, assume one of your users is looking for a website. The source address (that is, the IP address of the computer on your LAN) is replaced with the public IP address of your gateway computer, and the connection is given a new source port, chosen by the gateway rather than by the originating computer. The gateway computer then records (caches) the original source IP address and port together with the port it assigned.
When the gateway receives the data returned by the website, the process is reversed. The destination port of the reply is matched against that cache, the IP address and port of the source computer are restored in the packet, and the gateway computer sends the packets on to the source computer.
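The bookkeeping just described, as an added illustration that is not part of the book's text and not a real NAT implementation (in Linux the kernel's connection-tracking table does this job): a constructed shell simulation in which outbound packets from the LAN get the gateway's public address and a fresh port, and replies are mapped back, or dropped when no LAN host ever asked for them. The public address 203.0.113.1, the LAN hosts and the starting port 1024 are constructed sample values.

```shell
#!/bin/sh
# Constructed simulation of masquerade bookkeeping (added example, not the
# book's code). Assumed values: gateway public address 203.0.113.1, LAN hosts
# in 10.0.0.0/24, assigned ports handed out from 1024 upward.
PUBLIC_IP=203.0.113.1
NEXT_PORT=1024
NAT_TABLE=""          # one entry per line: "<assigned_port> <lan_ip>:<lan_port>"
MASQ_RESULT=""        # last translation, also printed

# Outbound packet: src is "lan_ip:port", dst is "remote_ip:port".
# Rewrites the source to PUBLIC_IP:<assigned port> and records the mapping.
# (Real conntrack keys on the full 5-tuple; this toy keys on the LAN socket.)
masq_out() {
  src="$1"; dst="$2"
  pub_port=$(printf '%s\n' "$NAT_TABLE" | awk -v k="$src" '$2 == k {print $1; exit}')
  if [ -z "$pub_port" ]; then
    pub_port=$NEXT_PORT                 # fresh port so two LAN hosts using the
    NEXT_PORT=$((NEXT_PORT + 1))        # same local port stay distinguishable
    NAT_TABLE="${NAT_TABLE}${pub_port} ${src}
"
  fi
  MASQ_RESULT="$PUBLIC_IP:$pub_port -> $dst"
  printf '%s\n' "$MASQ_RESULT"
}

# Inbound reply addressed to PUBLIC_IP:<port> (or a bare port): restore the
# original LAN address and port, or DROP when nothing in the LAN asked for it.
masq_in() {
  dst_port="${1#*:}"
  orig=$(printf '%s\n' "$NAT_TABLE" | awk -v p="$dst_port" '$1 == p {print $2; exit}')
  if [ -z "$orig" ]; then
    MASQ_RESULT="DROP"                  # unsolicited traffic never reaches a LAN host
  else
    MASQ_RESULT="$orig"
  fi
  printf '%s\n' "$MASQ_RESULT"
}

# Demonstration on constructed traffic: two LAN hosts, one unsolicited probe.
masq_out 10.0.0.5:40001 203.0.113.10:80     # -> 203.0.113.1:1024 -> 203.0.113.10:80
masq_out 10.0.0.7:40001 203.0.113.10:80     # -> 203.0.113.1:1025 -> 203.0.113.10:80
masq_in  203.0.113.1:1025                   # -> 10.0.0.7:40001
masq_in  203.0.113.1:2000                   # -> DROP
```

The last call is the point of the "direct attack" protection mentioned above: a packet arriving at the public address that matches no recorded connection has no LAN computer to be delivered to.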
Let's take another look at the format of the iptables command. As discussed earlier, the default table is filter, which holds the packet-filtering rules that make up the firewall function of iptables:
iptables -t table option pattern -j target
However, a -t nat option is available that allows you to use iptables to configure masquerading. For example, the following command assumes that your network has an address of 10.0.0.0/24 and that the network card on your gateway that's directly connected to the Internet is eth2:
# iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth2 -j MASQUERADE
This rule rewrites the source address of packets after routing, just before they leave the gateway (-A POSTROUTING). It applies only to packets from the private addresses on your LAN (-s 10.0.0.0/24) that are going out through the interface connected to the Internet (-o eth2), and it replaces their source address with the public address of that interface (-j MASQUERADE).
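The whole procedure (IP forwarding plus the nat rule) as one script, added here as an example rather than taken from the book. The MASQUERADE rule on its own does not let traffic through a firewall whose FORWARD policy is DROP, so the script also adds the two FORWARD rules a gateway needs: established and related replies coming back in, and new connections going out from the LAN only. The interface names eth1 (LAN side) and eth2 (Internet side) and the network 10.0.0.0/24 are assumptions; by default the script only prints the commands, and applies them (as root) when run with DRY_RUN=0.

```shell
#!/bin/sh
# Added example of a complete masquerading gateway, not the book's own script.
# Assumed layout: LAN 10.0.0.0/24 on eth1, Internet on eth2. Override with
# LAN_NET, LAN_IF, WAN_IF; set DRY_RUN=0 to execute instead of print.
LAN_NET="${LAN_NET:-10.0.0.0/24}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth2}"
DRY_RUN="${DRY_RUN:-1}"

# Emit the full rule set for the given LAN network and interfaces, one command
# per line, in the order they must be applied.
gateway_rules() {
  lan="$1"; lan_if="$2"; wan_if="$3"
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $lan -o $wan_if -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -i $wan_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan_if -o $wan_if -s $lan -j ACCEPT
EOF
}

# Print the commands (DRY_RUN=1) or run them (DRY_RUN=0).
run_rules() {
  gateway_rules "$@" | while IFS= read -r cmd; do
    if [ "$DRY_RUN" = 1 ]; then
      printf '%s\n' "$cmd"
    else
      eval "$cmd"
    fi
  done
}

run_rules "$LAN_NET" "$LAN_IF" "$WAN_IF"
```

Two caveats worth remembering: -A appends, so running the script twice adds duplicate rules (check with iptables -t nat -L POSTROUTING -n -v and flush with -F before reapplying), and the rules are lost at reboot unless saved with iptables-save. The third FORWARD rule keeps the -s match so that a host spoofing a foreign source address from the LAN side is not forwarded.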