Linux Networking: Using Ipchains
Network Address Translation 101

William Wong
Monday, July 24, 2000 08:05:03 AM
The basic router support simply moves messages from one network subnet to
another without translation. This works well in most instances, but there is one
case where network address translation (NAT) is worthwhile: where an Internet
Service Provider (ISP) supplies a single IP address to a customer. A single IP
address is sufficient when a single computer is attached to the Internet, but NAT
is required if that single IP address must support a whole network.

NAT takes advantage of the fact that messages do not contain just source and
destination IP addresses, but rather IP address and port number pairs for source
and destination routing. The NAT router keeps a table to handle the translation.
When a NAT-enabled router receives a message from the local network, it looks at
the source IP address and port number and checks the table to see whether this
is the first message from that source. If it is, a new entry is added to the
table with the source IP address and port number, a new alias port number is
allocated from a pool of unused port numbers, and that alias is recorded in the
table entry.

The NAT router then changes the source IP address to the IP address of the
outgoing network interface and the source port number to the alias port number
from the table entry. The translated message is then sent through the outgoing
network interface.

Messages arriving on the outgoing network interface follow the reverse process.
Their destination IP address is the address of the NAT router's outgoing
interface, so the destination port number (the alias) is used to look up the
matching local IP address and port number in the table. The destination IP
address and port number in the message are replaced with those values, and the
message is then sent onto the local network to the local computer.

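The table walk-through above, written out as a small Python model of a masquerading router (an added example, not code from the article or from the Linux ip_masq code). The Packet and NatTable names, the addresses and the alias-port range are constructed assumptions; it also shows the case the text implies but does not spell out: an inbound message whose alias port has no table entry is dropped.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    # Only the header fields the translation touches (constructed model).
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    """Translation table of a NAT router: local (ip, port) <-> alias port."""

    def __init__(self, public_ip, pool_start, pool_end):
        self.public_ip = public_ip                    # outgoing interface address
        self.free_ports = list(range(pool_start, pool_end + 1))  # unused aliases
        self.out = {}    # (local ip, local port) -> alias port
        self.back = {}   # alias port -> (local ip, local port)

    def translate_out(self, pkt):
        """Local -> Internet: rewrite source to public_ip:alias, or None if no alias left."""
        key = (pkt.src_ip, pkt.src_port)
        alias = self.out.get(key)
        if alias is None:                             # first message from this source
            if not self.free_ports:
                return None                           # pool exhausted: cannot forward
            alias = self.free_ports.pop(0)
            self.out[key] = alias
            self.back[alias] = key
        return replace(pkt, src_ip=self.public_ip, src_port=alias)

    def translate_in(self, pkt):
        """Internet -> local: look up the alias port; None means drop (no entry)."""
        if pkt.dst_ip != self.public_ip:
            return None                               # not addressed to this router
        key = self.back.get(pkt.dst_port)
        if key is None:
            return None                               # unsolicited inbound, no table entry
        return replace(pkt, dst_ip=key[0], dst_port=key[1])


# Constructed sample: two local hosts, a two-port alias pool (RFC 5737 test addresses).
nat = NatTable("203.0.113.5", 61000, 61001)
first = nat.translate_out(Packet("192.168.1.10", 40000, "198.51.100.7", 80))
again = nat.translate_out(Packet("192.168.1.10", 40000, "198.51.100.7", 80))
second = nat.translate_out(Packet("192.168.1.11", 40000, "198.51.100.7", 80))
third = nat.translate_out(Packet("192.168.1.12", 40000, "198.51.100.7", 80))
reply = nat.translate_in(Packet("198.51.100.7", 80, "203.0.113.5", 61000))
stray = nat.translate_in(Packet("198.51.100.7", 80, "203.0.113.5", 61005))
```

Run it and inspect `first`, `reply` and `stray`: the reply comes back rewritten to 192.168.1.10:40000, while the stray packet and the third host (pool exhausted) yield None.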
Neither the source nor the destination computer knows about the masquerade
resulting from the address translation. The process would be completely
transparent if it were not for the fact that some protocols carry port numbers
and IP addresses inside the message payload in addition to the source and
destination addresses. Luckily, this is another area where masquerading can take
place. It just takes a bit more work, including recognition of the higher-level
protocols and the ability to translate these additional addresses.

The Linux NAT support is integrated with the firewall support, which uses a
configuration program called ipchains. This handles protocols that require only
basic source and destination translation. The ip_masq support is actually a
series of programs that handle the different protocols, and only those for the
protocols to be supported need be used. Protocols like FTP and IRC require their
own masquerading programs. More on these in the next two sections.