IP Masquerading

IP masquerading allows machines with private IP addresses on a network to access the Internet through another machine. The masquerading machine modifies the source IP addresses of packets leaving the private network so return packets are routed correctly. Linux uses connection tracking to associate return packets with their original private IP addresses. A single iptables rule using MASQUERADE accomplishes this, manipulating traffic leaving a private network so it appears to come from the masquerading machine. Additional iptables rules may be needed to allow the masqueraded traffic through if a firewall is blocking forwarding.

Uploaded by Islam Ahmed
Copyright: © Attribution Non-Commercial (BY-NC)
IP Masquerading

IP masquerading allows machines with private IP addresses on a network to access the Internet through another machine. The masquerading machine modifies the source IP addresses of packets leaving the private network so return packets are routed correctly. Linux uses connection tracking to associate return packets with their original private IP addresses. A single iptables rule using MASQUERADE accomplishes this, manipulating traffic leaving a private network so it appears to come from the masquerading machine. Additional iptables rules may be needed to allow the masqueraded traffic through if a firewall is blocking forwarding.

Uploaded by

Islam Ahmed
Copyright
© Attribution Non-Commercial (BY-NC)
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 1

IP Masquerading

The purpose of IP Masquerading is to allow machines with private, non-routable IP addresses on your network to access the Internet through the machine doing the masquerading. Traffic from your private network destined for the Internet must be manipulated for replies to be routable back to the machine that made the request. To do this, the kernel must modify the source IP address of each packet so that replies will be routed back to it, rather than to the private IP address that made the request, which is impossible over the Internet. Linux uses Connection Tracking (conntrack) to keep track of which connections belong to which machines and reroute each return packet accordingly. Traffic leaving your private network is thus "masqueraded" as having originated from your Ubuntu gateway machine. This process is referred to in Microsoft documentation as Internet Connection Sharing.

This can be accomplished with a single iptables rule, which may differ slightly based on your network configuration:

sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE

The above command assumes that your private address space is 192.168.0.0/16 and that your Internet-facing device is ppp0. The syntax is broken down as follows:

- -t nat -- the rule is to go into the nat table
- -A POSTROUTING -- the rule is to be appended (-A) to the POSTROUTING chain
- -s 192.168.0.0/16 -- the rule applies to traffic originating from the specified address space
- -o ppp0 -- the rule applies to traffic scheduled to be routed through the specified network device
- -j MASQUERADE -- traffic matching this rule is to "jump" (-j) to the MASQUERADE target to be manipulated as described above

Each chain in the filter table (the default table, and where most or all packet filtering occurs) has a default policy of ACCEPT, but if you are creating a firewall in addition to a gateway device, you may have set the policies to DROP or REJECT, in which case your masqueraded traffic needs to be allowed through the FORWARD chain for the above rule to work:

sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT
sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT

The above commands will allow all connections from your local network to the Internet, and all traffic related to those connections to return to the machine that initiated them.
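To make the conntrack behaviour behind the MASQUERADE and ESTABLISHED,RELATED rules concrete, here is a small Python model of a masquerading gateway. It is an added illustration, not kernel code and not part of this guide: the public address 203.0.113.7, the remote servers 198.51.100.x and the sequential port allocation from 40000 are constructed assumptions, and real conntrack also handles timeouts, ICMP and port collisions that this model omits.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class Masquerader:
    def __init__(self, private_net: str, public_ip: str, port_base: int = 40000):
        self.private_net = ip_network(private_net)   # the -s 192.168.0.0/16 match
        self.public_ip = public_ip                   # address of the ppp0-style uplink
        self.next_port = port_base                   # simplification: allocate ports in order
        # reply key (proto, public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.table: Dict[Tuple, Tuple[str, int]] = {}
        # original 5-tuple -> public port already assigned, so a flow keeps one mapping
        self.assigned: Dict[Tuple, int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """POSTROUTING: packets from the private range leave with the gateway's address."""
        if ip_address(pkt.src) not in self.private_net:
            return pkt  # the -s match would not fire; packet is left untouched
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.assigned.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.assigned[flow] = port
            self.table[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply direction: restore the private destination, or None if no tracked
        connection matches (the ESTABLISHED,RELATED rule would not accept it)."""
        entry = self.table.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None or pkt.dst != self.public_ip:
            return None
        return replace(pkt, dst=entry[0], dport=entry[1])

def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    gw = Masquerader("192.168.0.0/16", "203.0.113.7")  # constructed sample gateway
    out = gw.outbound(Packet("192.168.1.10", 51234, "198.51.100.20", 443))
    reply = gw.inbound(Packet("198.51.100.20", 443, "203.0.113.7", out.sport))
    stray = gw.inbound(Packet("198.51.100.99", 443, "203.0.113.7", 40001))  # untracked
    return out, reply, stray
```

Running demo() shows the outbound packet leaving as 203.0.113.7:40000, the reply translated back to 192.168.1.10:51234, and the untracked inbound packet returned as None, which is exactly what a DROP policy on FORWARD does to traffic the second ACCEPT rule does not match.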
