IP Masquerading in Linux

Posted on January 5th, 2017

IP Masquerade is a networking function in Linux similar to the one-to-many NAT (Network Address Translation) servers found in many commercial firewalls and network routers. IP Masquerade, also called IPMASQ or MASQ, allows one or more computers in a network without assigned IP addresses to communicate with the Internet using Linux server’s assigned IP address. If a Linux host is connected to the Internet via PPP, Ethernet, etc., the IP Masquerade feature allows other “internal” computers connected to this Linux box (via PPP, Ethernet, etc.) to also reach the Internet as well. The IPMASQ server acts as a gateway, and the other devices are invisible behind it. To the other machines on the Internet the outgoing traffic appears to be coming from the IPMASQ server and not the internal PCs. Linux IP Masquerading allows for this functionality even though these internal machines don’t have an officially assigned IP address. MASQ allows a set of machines to invisibly access the Internet via the MASQ gateway. To other machines on the Internet, the outgoing traffic will appear to be from the IP MASQ Linux server itself. IP masquerading is a form of network address translation (NAT) which allows internal computers with no known address outside their network, to communicate to the outside. It allows one machine to act on behalf of other machines. In addition to the added functionality, IP Masquerade provides the foundation to create a heavily secured networking environment. With a well-built firewall, breaking the security of a well configured masquerading system and internal LAN should be considerably difficult to accomplish. Please do not confuse routers with firewalls and the performance of IP masquerading. The commands that allow IP masquerading are a simple form of a firewall, however routing is a completely different function, as described previously. Setting a computer up to act as a router is completely different than setting up a computer to act as a firewall. Although the two functions are similar the router or firewall will act as a communication mechanism between two networks or subnets. A computer can be either a router or a firewall, but not both. If you set up a computer to act as both a router and a firewall, you have defeated the purpose of your firewall!


 Masquerading Local Networks

IP masquerading allows you to use a private (reserved) IP network address on your LAN and have your Linux-based router perform some clever, real-time translation of IP addresses and ports. These could be machines in a home network or a small LAN, such as for a small business. Such a network might have only one machine with Internet access, and as such, only the one Internet address. The local private network would have IP addresses address. The local private network would have IP addresses chosen from the private network allocations. When it receives a datagram from a computer on the LAN, it takes note of the type of datagram it is, “TCP,” “UDP,” “ICMP,” etc., and modifies the datagram. It then looks like it was generated by the router machine itself (and remembers that it has done so). Then it transmits the datagram onto the Internet with its single connected IP address. When the destination host receives this datagram, it believes the datagram has come from the routing host and sends any reply datagrams back to that address. When the Linux masquerade router receives a datagram from its Internet connection, it looks in its table of established masqueraded connections to see if this datagram actually belongs to a computer on the LAN, and if it does, it reverses the modification it did on the forward path and transmits the datagram to the LAN computer.


Side Effects and Benefits

1) You need only one valid and routable IP address to allow all hosts to make network connections out onto the Internet. This has a downside; none of those hosts are visible from the Internet and you can’t directly connect to them from the Internet. The only host visible on a masqueraded network is the masquerade machine itself. This is important when you consider services such as mail or FTP. It helps determine what services should be provided by the masquerade host and what services it should proxy or otherwise treat specially.

2) None of the masqueraded hosts are visible, they are relatively protected from attacks from outside. This could simplify or even remove the need for firewall configuration on the masqueraded host. Your whole network will be only as safe as your masquerade host, so you should use firewall to protect it if security is a concern.

3) IP masquerade will have some impact on the performance of your networking. In typical configurations, this will probably be barely measurable. If you have large numbers of active masquerade sessions, though, you may find that the processing required at the masquerade machine begins to impact your network throughput. IP masquerade must do a good deal of work for each datagram compared to the process of conventional routing.

4) Some network services just won’t work through masquerade, or at least not without a lot of help. Typically, these are services that rely on incoming sessions to work, such as some types of Direct Communications Channels (DCC), features in IRC, or certain types of video and audio multicasting services.


If you need any further assistance please contact our support department.



Leave a Reply