“MASQ” or “IPMASQ”, short for IP Masquerading, lets machines that only have private, non-routable IP addresses reach the Internet through a single machine that does the masquerading. It is a form of NAT (Network Address Translation): outgoing packets are rewritten so that they carry the address of the gateway's Internet-facing interface instead of the private address of the host that sent them. IPMASQ does not depend on the link layer and works over Ethernet, Token Ring, FDDI and dial-up (PPP) connections alike.
With IPMASQ, a gateway machine mediates between the machines on your network and the Internet. The connection tracking (conntrack) facility of Linux records each outgoing connection together with the internal host it came from, so that reply packets can be rewritten back to the right private address and delivered to it. Packets leaving the private network therefore appear to the Internet as if they originated from the gateway itself. Microsoft calls the equivalent Windows feature Internet Connection Sharing.
How can IP masquerading be achieved?
IPMASQ can be achieved with a single iptables command:
sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE
This command applies when your private address range is 192.168.0.0/16 and ppp0 is the Internet-facing interface. It also assumes that the kernel is allowed to forward packets between interfaces at all (sysctl net.ipv4.ip_forward=1), which is off by default. Below we break down the syntax to explain each attribute:
- -t nat – selects the nat table, where address-rewriting rules live (without it, rules go into the default filter table).
- -A POSTROUTING – appends (-A) the rule to the POSTROUTING chain, which sees packets just before they leave the machine, after routing has already chosen the outgoing interface.
- -s 192.168.0.0/16 – matches only packets whose source address lies in the private range used inside the network.
- -o ppp0 – matches only packets that are leaving through the named output interface, here the dial-up link ppp0.
- -j MASQUERADE – jumps to the MASQUERADE target, which rewrites the source address to whatever address the outgoing interface currently has. Unlike SNAT it needs no fixed address configured, which suits dial-up links whose address changes on every connection.
NOTE: The rule above only rewrites addresses. Whether the gateway forwards the packets at all is decided in the FORWARD chain of the filter table, so if that chain's policy is DROP or REJECT (as it should be on a machine that is also a firewall) you also have to allow the traffic there to complete the connection:
sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT
sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT
With these two rules in place the outgoing connection and its replies are forwarded even if the FORWARD chain's default policy is REJECT or DROP. The first rule lets new connections out from the private range towards ppp0; the second lets packets back in from ppp0 only when conntrack already knows them as part of an ESTABLISHED or RELATED connection, so unsolicited inbound packets are still refused.
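The whole procedure, as an added example that is not part of the original article: a small POSIX shell script that validates its inputs, enables forwarding, and installs the masquerade and FORWARD rules described above in a way that can be re-run safely. It assumes the article's values (192.168.0.0/16 behind ppp0) plus a LAN interface name, eth0, that the article never mentions; it uses the conntrack match (-m conntrack --ctstate), the current equivalent of -m state --state, and pins the FORWARD rules to both interfaces so that a packet arriving on ppp0 with a spoofed 192.168.x.x source is not forwarded as if it came from the LAN. Nothing is executed against the kernel unless MASQ_APPLY=1 is set; by default the commands are printed for review.

```shell
#!/bin/sh
# Added example (not from the article): bring up IP masquerading on a
# Linux gateway, including the steps the one-liner leaves implicit.
# Assumed values, overridable from the environment:
#   LAN    private prefix to masquerade   (192.168.0.0/16, as in the article)
#   WAN    Internet-facing interface      (ppp0, as in the article)
#   LAN_IF interface the LAN hangs off    (eth0, an assumption)
# Nothing touches the kernel unless MASQ_APPLY=1; by default the
# commands are printed so the ruleset can be reviewed first.

LAN="${LAN:-192.168.0.0/16}"
WAN="${WAN:-ppp0}"
LAN_IF="${LAN_IF:-eth0}"
MASQ_APPLY="${MASQ_APPLY:-0}"

# Return 0 if $1 is an IPv4 prefix a.b.c.d/n with octets 0-255 and n 0-32.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    cidr_ip="${1%/*}"
    cidr_ifs="$IFS"; IFS=.; set -- $cidr_ip; IFS="$cidr_ifs"
    for cidr_o in "$@"; do
        [ "$cidr_o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a plausible Linux interface name; this keeps shell
# metacharacters out of the command lines built below.
valid_ifname() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.-]{1,15}$'
}

# Print the rules, one per line, as "<table> <chain> <match...> -j <target>".
masq_rules() {
    lan="$1"; wan="$2"; lan_if="$3"
    printf '%s\n' \
        "nat POSTROUTING -s $lan -o $wan -j MASQUERADE" \
        "filter FORWARD -i $lan_if -o $wan -s $lan -j ACCEPT" \
        "filter FORWARD -i $wan -o $lan_if -d $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Append one rule unless an identical one already exists: iptables -C
# returns 0 when the rule is present, so re-running the script is safe.
apply_rule() {
    tbl="$1"; shift
    if iptables -t "$tbl" -C "$@" 2>/dev/null; then
        echo "already present: iptables -t $tbl -A $*"
    else
        iptables -t "$tbl" -A "$@"
    fi
}

main() {
    valid_cidr "$LAN" || { echo "bad LAN prefix: $LAN" >&2; return 1; }
    valid_ifname "$WAN" && valid_ifname "$LAN_IF" ||
        { echo "bad interface name" >&2; return 1; }
    if [ "$MASQ_APPLY" = 1 ]; then
        # Without forwarding the kernel drops transit packets before they
        # ever reach the nat table.
        sysctl -w net.ipv4.ip_forward=1
        masq_rules "$LAN" "$WAN" "$LAN_IF" | while IFS= read -r rule; do
            apply_rule $rule   # word splitting is intended here
        done
    else
        echo "# dry run (set MASQ_APPLY=1 to execute):"
        echo "sysctl -w net.ipv4.ip_forward=1"
        masq_rules "$LAN" "$WAN" "$LAN_IF" |
            sed 's/^\([^ ]*\) \(.*\)$/iptables -t \1 -A \2/'
    fi
}

main
```

Run it once without arguments to see the exact commands it would issue, then with MASQ_APPLY=1 as root to install them; the -C check means a second run reports the rules as already present instead of duplicating them. Note that iptables rules are not persistent across reboots, so the script (or a saved ruleset) has to run at boot.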
Salman Siddiqui is an expert technology analyst. His vast experience of freelance writing is backed by his passion to swim against the tide. You can grab him on Twitter.