Linux IP Masquerade How-To

[Network diagram, partially lost in extraction: the three internal hosts A-box (.2), B-box (.3) and C-box (.4) sit on the internal 192.168.0.x network, which is connected via an Ethernet hub or switch to the Linux Masq-Gate. The Masq-Gate's external interface (111.222.121.212 in the diagram) is connected to your Internet connection, labelled the "External Network".]

In this example, there are four computer systems that we are concerned about. There is also presumably something on the far right that your PPP/ETH connection to the Internet comes through (modem server, DSL DSLAM, cable modem router, etc.). Out on the Internet there exists some remote host (very far off to the right of the page) that you are interested in communicating with. The Linux system named Masq-Gate is the IP Masquerading gateway for ALL internal networked machines. In this example, the machines A-box, B-box, and C-box have to go through the Masq-Gate to reach the Internet. The internal network uses one of the RFC 1918 private address ranges, in this case the Class C-sized network 192.168.0.0/24. If you aren't familiar with RFC 1918, you are encouraged to read the first few chapters of the RFC, but the gist of it is that the TCP/IP address blocks 10.0.0.0/8, 172.16.0.0/12 (172.16.0.0 through 172.31.255.255), and 192.168.0.0/16 are reserved. When we say "reserved", we mean that anyone can use these addresses as long as they aren't routed over the Internet. ISPs are even allowed to use this private addressing space as long as they keep these addresses within their own networks and do NOT advertise them to other ISPs. Unfortunately, this isn't always the case, but that's beyond the scope of this HOWTO.

Anyway, the Linux box (Masq-Gate) in the diagram above has the internal TCP/IP address 192.168.0.1, while the other systems have the addresses:

  • A-Box: 192.168.0.2

  • B-Box: 192.168.0.3

  • C-Box: 192.168.0.4

The three machines, A-box, B-box and C-box, can run any one of several operating systems, as long as they speak TCP/IP. Windows 95, a Macintosh running MacTCP or OpenTransport, or even another Linux box can all reach machines on the Internet this way. When IP Masquerade is running, the masquerading system (the Masq-Gate) rewrites all of these internal connections so that they appear to originate from the Masq-Gate itself, and it arranges for the data coming back on a masqueraded connection to be relayed to the proper originating system. The systems on the internal network therefore see what looks like a direct route to the Internet and are unaware that their data is being masqueraded. This is called a "transparent" connection.
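To make the two points above concrete (the RFC 1918 check, and what the Masq-Gate does to each connection and to the replies), here is an added Python model. It is not code from the HOWTO or from the Linux kernel's masquerading code. It uses the diagram's gateway address 111.222.121.212 and a constructed remote host 198.51.100.7, and its port-allocation rule (keep the original source port when it is free, otherwise take the next free high port) is a simplification of the real behaviour; the `Packet` and `MasqGate` names are this example's own.

```python
"""Toy model of IP masquerading (NAPT) as described in the HOWTO.

Added example, not code from the HOWTO or the Linux kernel: a
dictionary-based translation table showing why every internal host
appears to come from the masq-gate's external address and how the
return traffic finds its way back to the right internal host.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# The three private blocks reserved by RFC 1918, as quoted in the HOWTO.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class MasqGate:
    """One masquerading gateway: rewrites outbound flows, reverses replies."""

    def __init__(self, external_ip: str, internal_net: str, first_port: int = 61000):
        net = ipaddress.ip_network(internal_net)
        # Sanity check matching the HOWTO's setup: the inside must be RFC 1918
        # space, so a typo such as 192.16.0.0/24 is caught before anything is
        # masqueraded for it.
        if not any(net.subnet_of(p) for p in RFC1918):
            raise ValueError(f"{internal_net} is not RFC 1918 private space")
        self.external_ip = external_ip
        self.internal_net = net
        self.next_port = first_port
        # forward table: (proto, src, sport, dst, dport) -> port used outside
        self._fwd: dict = {}
        # reverse table: (proto, masq_port, remote, rport) -> (src, sport)
        self._rev: dict = {}

    def _allocate(self, pkt: Packet) -> int:
        # Keep the original source port unless another internal flow to the
        # same remote endpoint already uses it; otherwise pick a fresh high
        # port.  (Simplification of netfilter's MASQUERADE behaviour.)
        if (pkt.proto, pkt.sport, pkt.dst, pkt.dport) not in self._rev:
            return pkt.sport
        while (pkt.proto, self.next_port, pkt.dst, pkt.dport) in self._rev:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """A packet leaving through the external interface."""
        if ipaddress.ip_address(pkt.src) not in self.internal_net:
            return pkt  # not from the inside (e.g. the gateway's own traffic)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self._fwd:
            port = self._allocate(pkt)
            self._fwd[key] = port
            self._rev[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        # The remote host only ever sees the gateway's address and port.
        return replace(pkt, src=self.external_ip, sport=self._fwd[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """A packet arriving on the external interface for the gateway."""
        entry = self._rev.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None  # no matching flow: unsolicited traffic is dropped
        src, sport = entry
        return replace(pkt, dst=src, dport=sport)


if __name__ == "__main__":
    # Constructed walk-through: A-box and B-box both use source port 1025
    # to the same (constructed) remote web server.
    gw = MasqGate("111.222.121.212", "192.168.0.0/24")
    remote = "198.51.100.7"
    print(gw.outbound(Packet("192.168.0.2", 1025, remote, 80)))
    print(gw.outbound(Packet("192.168.0.3", 1025, remote, 80)))
    print(gw.inbound(Packet(remote, 80, "111.222.121.212", 61000)))
    print(gw.inbound(Packet(remote, 80, "111.222.121.212", 22)))
```

Running it shows both internal hosts leaving as 111.222.121.212, the second one on a different port because port 1025 to that server was already taken, and the reply to port 61000 being delivered to B-box. A reply that matches no entry is dropped, which is why a masqueraded host is not reachable from the Internet unless the gateway is told to forward that port explicitly. The real kernel keeps this state in its connection tracking table and also times entries out; this model keeps them forever.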

NOTE: Please see Chapter 7 for more details on topics such as:

  • The differences between NAT, MASQ, and Proxy servers.

  • How packet firewalls work




©2012 About.com. All rights reserved.
