1. Computing
Send to a Friend via Email

Discuss in my forum




IP Masquerading

The purpose of IP Masquerading is to allow machines with private, non-routable IP addresses on your network to access the Internet through the machine doing the masquerading. Traffic from your private network destined for the Internet must be manipulated for replies to be routable back to the machine that made the request. To do this, the kernel must modify the source IP address of each packet so that replies will be routed back to it, rather than to the private IP address that made the request, which is impossible over the Internet. Linux uses Connection Tracking (conntrack) to keep track of which connections belong to which machines and reroute each return packet accordingly. Traffic leaving your private network is thus "masqueraded" as having originated from your Ubuntu gateway machine. This process is referred to in Microsoft documentation as Internet Connection Sharing.

This can be accomplished with a single iptables rule, which may differ slightly based on your network configuration:

sudo iptables -t nat -A POSTROUTING -s -o ppp0 -j MASQUERADE

The above command assumes that your private address space is and that your Internet-facing device is ppp0. The syntax is broken down as follows:

  • -t nat -- the rule is to go into the nat table

  • -A POSTROUTING -- the rule is to be appended (-A) to the POSTROUTING chain

  • -s -- the rule applies to traffic originating from the specified address space

  • -o ppp0 -- the rule applies to traffic scheduled to be routed through the specified network device

  • -j MASQUERADE -- traffic matching this rule is to "jump" (-j) to the MASQUERADE target to be manipulated as described above

Each chain in the filter table (the default table, and where most or all packet filtering occurs) has a default policy of ACCEPT, but if you are creating a firewall in addition to a gateway device, you may have set the policies to DROP or REJECT, in which case your masqueraded traffic needs to be allowed through the FORWARD chain for the above rule to work:

sudo iptables -A FORWARD -s -o ppp0 -j ACCEPT
 sudo iptables -A FORWARD -d -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT

The above commands will allow all connections from your local network to the Internet and all traffic related to those connections to return to the machine that initiated them.

* License

* Ubuntu Server Guide Index

©2014 About.com. All rights reserved.