Network Computing is part of the Informa Tech Division of Informa PLC


Building a Robust Linux Security Solution: Page 4 of 15

Due to the ever-shrinking IPv4 address space, it is becoming increasingly difficult to obtain enough addresses to assign every corporate host a legal (that is, globally routable) IP number. This has led network administrators to assign reserved addresses to most corporate hosts, using Network Address Translation (NAT) at the perimeter, to preserve the ability to access Internet hosts.

The Linux NAT solution comes in a kernel feature dubbed “IP masquerading,” by which a firewall device can translate several internal (illegal) IP addresses to a single external (routable) address. The mechanism that achieves this is often referred to as either Network Address Port Translation (NAPT) or “one-to-many” NAT.

The Linux firewall device acts as the default router for the community of internal hosts, and replaces the source address of outbound packets with the firewall's own external address. It then assigns a high TCP port number as the source port of the translated connection, and uses that port to keep track of which internal host initiated the connection, so that replies can be forwarded back to the right host.
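The one-to-many translation described above, modelled as an added example that is not code from the article or from the Linux kernel: a small Python class that rewrites outbound source addresses to the firewall's external address plus a high port, records the mapping, and translates replies back. The external address, internal range and port pool are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Masquerader:
    """Minimal model of Linux IP masquerading (NAPT, one-to-many NAT)."""

    def __init__(self, external_ip, internal_net, first_port=61000, last_port=65095):
        self.external_ip = external_ip              # the firewall's routable address
        self.internal_net = ipaddress.ip_network(internal_net)
        self.next_port = first_port                 # port pool is an assumption for the model
        self.last_port = last_port
        self.out_map = {}   # (src_ip, src_port, dst_ip, dst_port) -> masqueraded port
        self.in_map = {}    # (masq_port, remote_ip, remote_port) -> (src_ip, src_port)

    def outbound(self, pkt):
        """Translate a packet leaving the internal network; others pass unchanged."""
        if ipaddress.ip_address(pkt.src_ip) not in self.internal_net:
            return pkt
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out_map.get(key)
        if port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("masquerade port pool exhausted")
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        # Source becomes the firewall itself; the high port identifies the internal host.
        return Packet(self.external_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a reply back to the internal host; drop (None) if no state exists."""
        entry = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None     # unsolicited inbound packet: no mapping, so it is not forwarded
        src_ip, src_port = entry
        return Packet(pkt.src_ip, pkt.src_port, src_ip, src_port)
```

Two internal hosts using the same local port are kept apart by the distinct masqueraded ports, and an inbound packet that matches no existing mapping is dropped rather than forwarded.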

To enable IP masquerading, you must select both the
and the
options when you build your Linux kernel. Once you have rebooted the machine and loaded the new kernel, simply issue the following command:
% echo "1" > /proc/sys/net/ipv4/ip_forward

Once enabled, Linux IP masquerading can be configured using the
utility discussed previously. For example, if you choose the Class C network ( as your internal address range and would like to mask all your addresses as they traverse the firewall, simply issue the following command:

% ipchains -s -j MASQ