NAT/IP Masquerade

NAT (Network Address Translation) and IP Masquerade are two terms for the same thing. IP Masquerade is the name of the Linux implementation of NAT, so the terms are essentially interchangeable. Since NAT is a standard term and is used on many machines besides Linux boxes, I will use the term NAT throughout. If you read "IP Masquerade" in a document, just think NAT.

NAT solves a common problem. Your Internet provider, whether dialup, cable or DSL, generally only provides you with one routeable IP address. If you can get more, it will usually cost $bigbucks. They're not just being stingy; "real" IPs [1] are becoming scarce, and your ISP has to justify its IP usage to its upstream providers. NAT is one way to help with scarce IP resources.

NAT allows your Linux box to share your single routeable IP with all the hosts on your private LAN. The NAT-enabled PC has two NICs in it. One is connected to your internal LAN via a hub, the other is directly cabled to a cable modem, DSL modem, or (you poor soul) a dialup modem. The NIC connected to your LAN has an IP address in your private IP space. In the example dhcpd.conf in the previous chapter, the default router for the network is 192.168.1.1; this would be the IP for this network card in your NAT box.

The IP for your other card (or dialup modem, you poor soul) can either be assigned dynamically by your ISP or be statically assigned. It is your "external" routeable IP.

When a host on your LAN wants to send something out to the Internet, it sends a packet to its default router, which is your Linux box's internal NIC on the LAN. NAT takes this packet and adds additional header information to translate (aka masquerade) it to your external IP address. It then sends it out to your ISP's default router for its destination. When a reply to the packet comes back, the NAT box receives the packet intended for the machine on your internal LAN, removes the extra header information, and forwards the packet to the appropriate host on the internal LAN. The NAT software maintains a table of opened connections to track packets.

The easiest way to understand NAT is to think of a letter wrapped inside two envelopes. The outer envelope carries the address of the building you are sending your letter to; the inner envelope carries the floor and office number of the person you are sending the letter to.

By its very nature, NAT provides a bit of extra security by obscuring the hosts on your internal network. Since they are not all running on public IPs, they are less susceptible to attack. But you should not rely on NAT as your sole security mechanism; the host running NAT should be running firewalling software as well to protect it from attack. If someone breaks into it, after all, they have full access to all the machines on your LAN. NAT in Linux relies on ipchains to do its magic, so you're partly there anyway.

Lastly, not everything works through NAT. FTP often doesn't work "out of the box". You may need to tell your FTP client programs to run in "passive" mode for their connections. The symptom of this problem is connecting to an FTP server and having the connection just hang without generating any output. If you use ICQ, you need to send all your messages through the server. NAT just adds a little layer of complication. If you remember that the machines on your local network have no direct knowledge of the world beyond their default router, you should be able to troubleshoot most NAT-related networking issues. With NAT being such a popular standard these days, it's rare to find an application that will not work at all with it.
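The translation and connection-table behaviour described above, and the reason an unsolicited inbound connection (the active-mode FTP case) goes nowhere, as an added Python model; it is not part of this document or of the Linux IP Masquerade code, and all addresses and port numbers in it are constructed:

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses for the example (not from the original text).
EXTERNAL_IP = "203.0.113.5"     # routeable IP the ISP gave the NAT box
LAN_HOST = "192.168.1.10"       # a PC on the LAN, default router 192.168.1.1
REMOTE = "198.51.100.20"        # some web/FTP server out on the Internet

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Masquerader:
    """Toy NAT connection table: each outbound LAN flow is given a port on
    the external IP, and replies to that port are mapped back to the host."""

    def __init__(self, external_ip: str, first_port: int = 61000) -> None:
        self.external_ip = external_ip
        self.next_port = first_port
        self.out_table: Dict[tuple, int] = {}  # (sip, sport, dip, dport) -> ext port
        self.in_table: Dict[int, tuple] = {}   # ext port -> (sip, sport, dip, dport)

    def outgoing(self, pkt: Packet) -> Packet:
        """Packet from the LAN NIC: rewrite its source to the external IP/port."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.out_table:          # new connection: allocate a port
            self.out_table[flow] = self.next_port
            self.in_table[self.next_port] = flow
            self.next_port += 1
        return Packet(self.external_ip, self.out_table[flow], pkt.dst_ip, pkt.dst_port)

    def incoming(self, pkt: Packet) -> Optional[Packet]:
        """Packet from the Internet NIC: re-address it to the LAN host that opened
        the connection, or return None (dropped) if no LAN host did."""
        flow = self.in_table.get(pkt.dst_port)
        if flow is None or (flow[2], flow[3]) != (pkt.src_ip, pkt.src_port):
            return None                         # unsolicited: no host to deliver to
        return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])

def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    nat = Masquerader(EXTERNAL_IP)
    out = nat.outgoing(Packet(LAN_HOST, 40000, REMOTE, 80))          # web request
    reply = nat.incoming(Packet(REMOTE, 80, EXTERNAL_IP, out.src_port))
    # A connection the remote opens on its own (an active-mode FTP data
    # connection, say) matches no entry and is dropped on the NAT box.
    stray = nat.incoming(Packet(REMOTE, 20, EXTERNAL_IP, 40001))
    return out, reply, stray
```

Only the NAT box's external address is ever visible to the remote server, and nothing reaches a LAN host unless that host opened the connection first, which is the "bit of extra security" noted above.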

Notes

[1] as opposed to your reserved IP space in your internal 192.168.1.0/24