Last modified on 3 January 2010, at 03:39

Linux Networking/IP Masquerade

IP Masquerade

Many people have a simple dialup account to connect to the Internet. Nearly everybody using this sort of configuration is allocated a single IP address by the Internet Service Provider, which is normally enough to give only one host full access to the network. IP Masquerade is a clever trick that lets many machines share that one IP address: the other hosts are made to look like (hence the term "masquerade") the machine supporting the dialup connection. There is one small caveat: the masquerade function nearly always works in one direction only. The masqueraded hosts can make connections out, but they cannot accept or receive network connections from remote hosts. This means that some network services, such as talk, do not work at all, and others, such as ftp, must be configured to operate in passive (PASV) mode. Fortunately the most common network services, such as telnet, the World Wide Web and irc, work just fine.

Kernel Compile Options:


            Code maturity level options  --->
                [*] Prompt for development and/or incomplete code/drivers
            Networking options  --->
                [*] Network firewalls
                ....
                [*] TCP/IP networking
                [*] IP: forwarding/gatewaying
                ....
                [*] IP: masquerading (EXPERIMENTAL)


Normally your Linux machine supports a SLIP or PPP dialup line just as it would if it were a standalone machine. In addition it has a second network device, perhaps an Ethernet interface, configured with one of the reserved (private) network addresses. The hosts to be masqueraded sit on this second network, and each of them has the IP address of the Linux machine's Ethernet port set as its default gateway or router.

A typical configuration might look something like this:



             -                                   -
              \                                  | 192.168.1.0
               \                                 |   /255.255.255.0
                \                 ---------      |
                 |                | Linux | .1.1 |
             NET =================| masq  |------|
                 |    PPP/slip    | router|      |  --------
                /                 ---------      |--| host |
               /                                 |  |      |
              /                                  |  --------
             -                                   -


Masquerading with IPFWADM

The most relevant commands for this configuration are:

            # Network route for ethernet
            route add -net 192.168.1.0 netmask 255.255.255.0 eth0
            #
            # Default route to the rest of the internet.
            route add default ppp0
            #
            # Cause all hosts on the 192.168.1/24 network to be masqueraded.
            ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0


Masquerading with IPCHAINS

This is similar to using IPFWADM but the command structure has changed:

            # Network route for ethernet
            route add -net 192.168.1.0 netmask 255.255.255.0 eth0
            #
            # Default route to the rest of the internet.
            route add default ppp0
            #
            # Cause all hosts on the 192.168.1/24 network to be masqueraded.
            ipchains -A forward -s 192.168.1.0/24 -j MASQ
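As an added example (not from the original page or the Linux Network Administrators Guide it draws on), the script below wraps both the ipfwadm and the ipchains setups above with the checks a defender usually wants around the single masquerade rule: forwarding actually switched on in /proc (the compile option alone does not enable it), a default-deny forward policy so only explicitly allowed traffic is relayed, the masquerade rule tied to the dialup interface rather than matching on source address alone, and a logged anti-spoofing rule that drops packets arriving on the dialup link with an inside source address. The interface names eth0/ppp0, the 192.168.1.0/24 network and the DRY_RUN switch are assumptions; with DRY_RUN set the script prints the commands instead of running them (running them needs root and a 2.0/2.2-era kernel).

```shell
#!/bin/sh
# Added example, not the page's own code. Hardened variants of the page's
# ipfwadm and ipchains masquerade rules. Assumptions (labelled): inside
# network 192.168.1.0/24 on eth0, dialup link on ppp0, as in the diagram.
# Set DRY_RUN=1 to print the commands instead of executing them.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"

# run CMD...: execute the command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Kernel-level forwarding switch; required on top of the compile option.
enable_forwarding() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# ipchains (2.2 kernels): the page's rule plus default-deny and anti-spoofing.
masq_ipchains() {
    enable_forwarding
    # Start from an empty forward chain and refuse to forward anything
    # that a later rule does not explicitly allow.
    run ipchains -F forward
    run ipchains -P forward DENY
    # Masquerade only packets from the inside network that leave via the
    # dialup interface (the page's rule matched on source address only).
    run ipchains -A forward -i "$WAN_IF" -s "$LAN_NET" -j MASQ
    # A packet arriving on the dialup link cannot legitimately carry an
    # inside source address: log it (-l) and drop it.
    run ipchains -A input -i "$WAN_IF" -s "$LAN_NET" -l -j DENY
}

# ipfwadm (2.0 kernels): the same policy in the older command syntax.
masq_ipfwadm() {
    enable_forwarding
    run ipfwadm -F -f                 # flush forwarding rules
    run ipfwadm -F -p deny            # default policy: do not forward
    run ipfwadm -F -a m -W "$WAN_IF" -S "$LAN_NET" -D 0.0.0.0/0
    run ipfwadm -I -a deny -W "$WAN_IF" -S "$LAN_NET" -D 0.0.0.0/0 -o  # -o logs
}

case "${1:-}" in
    ipchains) masq_ipchains ;;
    ipfwadm)  masq_ipfwadm ;;
    "")       ;;                      # no argument: only define the functions
    *)        echo "usage: $0 ipchains|ipfwadm" >&2; exit 2 ;;
esac
```

Run it as `DRY_RUN=1 sh masq.sh ipchains` first to review the exact rules it would install; the route commands from the page are unchanged and still belong before it. The default-deny forward policy is the important design choice: with the page's single MASQ rule and the kernel's default ACCEPT, any packet the router is asked to forward, from any interface, is relayed, which is more than a dialup gateway needs.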


You can get more information on the Linux IP Masquerade feature from the IP Masquerade Resource Page. A very detailed document about masquerading is the "IP-Masquerade mini-HOWTO", which also explains how to configure other operating systems to work with a Linux masquerade server.