Due to the ever-shrinking IPv4 address space, it is becoming increasingly difficult to obtain enough addresses to assign every corporate host a legal (that is, globally routable) IP number. This has led network administrators to assign reserved addresses to most corporate hosts, using Network Address Translation (NAT) at the perimeter, to preserve the ability to access Internet hosts.
The Linux NAT solution comes in a kernel feature dubbed IP masquerading, by which a firewall device can translate several internal (illegal) IP addresses to a single external (routable) address. The mechanism that achieves this is often referred to as either Network Address Port Translation (NAPT) or one-to-many NAT.
The Linux firewall device acts as the default router for the community of internal hosts, and replaces the source address of outbound packets with the source address of the firewall itself. It then assigns a high TCP port number as the source port of the translated connection and uses that port number to keep track of which internal host initiated the connection.
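The following is an added simulation of the one-to-many translation table just described; it is illustrative code written for this page, not Linux kernel code. The external address 198.51.100.1, the internal hosts and the high-port pool 61000-65095 are assumed values. Outbound packets get the firewall's address and a fresh high port, the table remembers which internal host owns that port, and inbound packets are rewritten back only when they match an existing entry, which is why a masquerading firewall does not forward unsolicited connections to internal hosts.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The address tuple of one IP/TCP packet (constructed sample data)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Masquerader:
    """One-to-many NAT (NAPT) table keyed by the translated source port."""

    def __init__(self, ext_ip: str, port_lo: int = 61000, port_hi: int = 65095):
        self.ext_ip = ext_ip            # routable address of the firewall (assumed)
        self.port_lo = port_lo          # high-port pool used for translations (assumed)
        self.port_hi = port_hi
        self.next_port = port_lo
        # external port -> (internal ip, internal port, remote ip, remote port)
        self.table: dict[int, tuple[str, int, str, int]] = {}
        # reverse index so later packets of one connection reuse their port
        self.reverse: dict[tuple[str, int, str, int], int] = {}

    def _allocate_port(self) -> int:
        pool = range(self.port_lo, self.port_hi + 1)
        if len(self.table) >= len(pool):
            raise RuntimeError("NAT port pool exhausted")
        for _ in pool:
            port = self.next_port
            self.next_port = self.port_lo if port >= self.port_hi else port + 1
            if port not in self.table:
                return port
        raise RuntimeError("unreachable: pool checked above")

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an internal host's packet so it appears to come from the firewall."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.reverse.get(key)
        if port is None:
            port = self._allocate_port()
            self.table[port] = key
            self.reverse[key] = port
        return Packet(self.ext_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a reply back to the internal host, or return None to drop it."""
        if pkt.dst_ip != self.ext_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None  # no internal host initiated this: unsolicited, dropped
        int_ip, int_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # only the peer the internal host contacted may use the mapping
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


if __name__ == "__main__":
    nat = Masquerader("198.51.100.1")
    out = nat.outbound(Packet("10.10.10.5", 40000, "203.0.113.7", 80))
    print("outbound as seen on the Internet:", out)
    print("reply delivered to:", nat.inbound(Packet("203.0.113.7", 80, "198.51.100.1", out.src_port)))
    print("unsolicited inbound:", nat.inbound(Packet("203.0.113.9", 1234, "198.51.100.1", 61001)))
```

Two internal hosts using the same source port 40000 get distinct external ports, and a reply is only translated back when its source matches the remote endpoint recorded for that port.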
To enable IP masquerading, you must select both the
options when you build your Linux kernel. Once you have rebooted the machine and loaded the new kernel, simply issue the following command:
% echo 1 > /proc/sys/net/ipv4/ip_forward
Once enabled, Linux IP masquerading can be configured using the
utility discussed previously. For example, if you choose the Class C network (10.10.10.0/24) as your internal address range and would like to mask all your addresses as they traverse the firewall, simply issue the following command:
-s 10.10.10.0/24 -j MASQ