“main” (Installation and Administration) 2004/6/25 13:29 page 646 #672
26.3.2 Masquerading Basics

Masquerading is the Linux-specific form of NAT (network address translation). It can be used to connect a small LAN (where hosts use IP addresses from the private range, see Section 21.1.2 on page 419) with the Internet (where official IP addresses are used). For the LAN hosts to be able to connect to the Internet, their private addresses are translated to an official one. This is done on the router, which acts as the gateway between the LAN and the Internet. The underlying principle is a simple one: the router has more than one network interface, typically a network card and a separate interface connecting with the Internet. While the latter links the router with the outside world, one or several others link it with the LAN hosts. With these hosts in the local network connected to the network card (such as eth0) of the router, they can send any packets not destined for the local network to their default gateway or router.
Note: Using the Correct Network Mask

When configuring your network, make sure both the broadcast address and the netmask are the same for all local hosts. Failing to do so results in a broken network because packets cannot be routed properly.
As mentioned, whenever one of the LAN hosts sends a packet destined for an Internet address, it goes to the default router. However, the router must be configured before it can forward such packets. For security reasons, SUSE LINUX does not enable this in a default installation. To enable it, set the variable IP_FORWARD in the file /etc/sysconfig/sysctl to IP_FORWARD=yes.
The target host of the connection can see your router, but knows nothing about the host in your internal network where the packets originated. This is why the technique is called masquerading. Because of the address translation, the router is the first destination of any reply packets. The router must identify these incoming packets and translate their target addresses, so packets can be forwarded to the correct host in the local network.

With the routing of inbound traffic depending on the masquerading table, there is no way to open a connection to an internal host from the outside. For such a connection, there would be no entry in the table. In addition, any connection already established has a status entry assigned to it in the table, so the entry cannot be used by another connection.
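The table logic described above, as an added example that is not part of the SUSE manual: a small model of a masquerading router that rewrites outbound packets to its official address, records one entry per connection, translates only replies that match an entry, and drops unsolicited inbound packets. The addresses, ports and the LAN prefix are constructed sample values.

```python
# Added example, not code from the SUSE manual: a small model of the masquerading
# table the text describes. All addresses and ports are constructed sample values.
from dataclasses import dataclass
from typing import Optional

LAN_PREFIX = "192.168.1."       # private range of the LAN hosts (constructed)
ROUTER_PUBLIC = "203.0.113.7"   # the router's official address (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Rewrites outbound LAN packets to the router's address and maps replies back."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # router port -> (lan_ip, lan_port, remote_ip, remote_port): one entry per connection
        self.table: dict[int, tuple[str, int, str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> Internet: replace the private source with the router's address."""
        if not pkt.src.startswith(LAN_PREFIX) or pkt.dst.startswith(LAN_PREFIX):
            return None  # not a masquerading case: local traffic or not from the LAN
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        for rport, entry in self.table.items():
            if entry == flow:  # an established connection keeps its entry
                return Packet(self.public_ip, rport, pkt.dst, pkt.dport)
        rport = self.next_port
        self.next_port += 1
        self.table[rport] = flow
        return Packet(self.public_ip, rport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: only packets matching a table entry are translated."""
        entry = self.table.get(pkt.dport) if pkt.dst == self.public_ip else None
        if entry is None or (entry[2], entry[3]) != (pkt.src, pkt.sport):
            return None  # no entry, or the entry belongs to another peer: dropped
        lan_ip, lan_port, _, _ = entry
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
```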
646 26.3. Masquerading and Firewalls