Iptables nat masquerade – How we do it?
Essentially, iptables NAT masquerading makes a Linux host act as a router.
It translates addresses, but in a covered-up way: the hosts on a private network share the router's public IP, and their private addresses stay hidden behind that single address.
At Bobcares, we get requests to masquerade IPs, as a part of our Server Management Services.
Today, let’s see how our Support Engineers do this for our customers.
What is iptables nat masquerade?
Isn’t it a bit tricky to guess? So, let’s have a look at each of them.
NAT, or Network Address Translation, is a method of rewriting the IP addresses in packets as they are routed. iptables is the built-in firewall in Linux systems. And the word masquerade literally means to cover up.
But what does it indicate all together?
Iptables nat masquerade hides the address translation using iptables.
Address translation is possible using iptables. There is an inbuilt nat table in iptables. It includes PREROUTING, OUTPUT, and POSTROUTING chains.
Masquerading is one type of network address translation: it lets hosts on a private network use the router's public IP.
The translation is transparent to both ends, so traffic is routed without either side having to know about it. In effect, masquerade makes all outgoing connections appear to come from a single address.
Now let’s discuss how is this possible.
How to masquerade using iptables nat?
Our Experts in Server Management help customers translate addresses.
The MASQUERADE target is only valid in the nat table. Usually, we apply it to interfaces with dynamic IPs. For static IPs, iptables provides another target named SNAT.
The FORWARD chain in the filter table controls which packets the machine forwards between its interfaces.
The address rewriting that lets internal hosts reach an external system is done in the nat table.
Firstly, we check the status of IP forwarding in the Linux proc file. If it is found disabled, we enable it by changing the value of ip_forward in the proc file to 1:
echo 1 > /proc/sys/net/ipv4/ip_forward
Or we can enable forwarding permanently by editing the file /etc/sysctl.conf.
We find the net.ipv4.ip_forward line and replace 0 with 1.
To hide the address translation, our Support Engineers use the command:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Here -o eth0 denotes the external network interface in this case.
Finally, we make sure the filter table's FORWARD chain permits the traffic to be forwarded between the external and internal networks.
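The procedure above, as an added example that is not part of the Bobcares article: a POSIX shell script that reports the ip_forward state and builds the masquerade setup (or the SNAT variant for a static address) as an iptables-restore ruleset, so the rules can be reviewed before being loaded. It assumes eth0 as the external interface, eth1 as the internal one, and a constructed LAN subnet, and it adds a default-drop FORWARD policy so that only LAN-originated traffic and its replies are forwarded.

```shell
#!/bin/sh
# Added example, not from the article. Builds the configuration as an
# iptables-restore ruleset instead of running iptables rule by rule.
# Assumptions: eth0 = external interface, eth1 = internal, LAN 192.168.1.0/24.

# Print the forwarding state (1 = on, 0 = off). The file path is a parameter
# so the check can also be run against a copy of the proc file.
ip_forward_state() {
    cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null || echo 0
}

# Emit the ruleset on stdout.
#   $1 = external interface, $2 = internal interface, $3 = LAN subnet,
#   $4 = optional static external IP: when given, SNAT is used (static
#        address); when empty, MASQUERADE (dynamically assigned address).
build_nat_rules() {
    ext="$1"; int="$2"; lan="$3"; pub="$4"
    if [ -n "$pub" ]; then
        target="SNAT --to-source $pub"
    else
        target="MASQUERADE"
    fi
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan -o $ext -j $target
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $int -o $ext -s $lan -j ACCEPT
-A FORWARD -i $ext -o $int -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Usage (as root), after reviewing the output:
#   sysctl -w net.ipv4.ip_forward=1
#   build_nat_rules eth0 eth1 192.168.1.0/24 | iptables-restore
```

With a static public address, pass it as the fourth argument and the POSTROUTING rule becomes an SNAT rule instead.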
Conclusion
In short, we use iptables nat masquerade to hide address translation. This is useful for routing a private network's traffic out to the public network through one address. Today, we saw how our Support Engineers set this up for our customers.
What is MASQUERADE in the context of iptables?
In iptables many times I see the target MASQUERADE. What is that? I searched and found lots of things. But I need someone to explain to me what MASQUERADE is in an easy to understand way? An example (taken from this answer) is:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
3 Answers
It is an algorithm dependant on the iptables implementation that allows one to route traffic without disrupting the original traffic.
I use the masquerade algorithm when I want to create a virtual wifi adapter and share my wifi.
I'm NOT talking about sharing an Ethernet connection through your wifi, I'm talking about sharing the wifi connection through your wifi by masquerading it to a virtual adapter. This in effect lets you share your wifi connection through wifi.
All those questions about "Connectify for linux" can be solved by implementing the MASQUERADE algo.
I HAVE NOT READ THE LAST LINK. But the following is an accurate excerpt/example.
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -A FORWARD -i wlan0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
I really dislike how search engines make the algorithm out to be some evil type of hack. I use it merely to share my internet with my android phones.
I've tested the MASQUERADE rule (the third line in your code listing) and the link is exactly shared and available across interfaces. Therefore, I'm frustrated: what is the FORWARD rule for? (the rule on the second line in your code listing)
MASQUERADE is an iptables target that can be used instead of the SNAT target (source NAT) when the external IP of the inet interface is not known at the moment of writing the rule (when the server gets its external IP dynamically).
@Luc, the SNAT target (source network address translation) defines the source IP that should be placed instead of the original source IP in the IP packet from the original host. Like this: -j SNAT --to-source xx.xx.xx.xx where xx.xx.xx.xx is the external IP of the desired interface. And I can't say that it should be used when the external IP is known. I'd prefer to use MASQUERADE instead of SNAT to make rules flexible and not bound to the specific external IP that I have at the moment.
After study of above answers, this is what caused me to understand:
Masquerading allows an entire network of internal IP addresses to operate through one external IP address and masquerading allows conversion from one protocol to another (wired/wireless).
When the MASQUERADE chain sends a datagram from a computer it:
- Takes note of the type of datagram it is, "TCP," "UDP," "ICMP," etc. Note: An unknown type might not work correctly through MASQUERADE.
- Modifies the datagram so that it looks like it was generated by the router machine itself (the one external address).
- Remembers that it has done so, recording the local source and external destination IPs.
- Transmits the datagram onto the Internet with the single external IP address.
Note: When the destination host receives this datagram, it believes the datagram has come from the one routing host and sends any reply datagrams back to that address.
When the Linux MASQUERADE chain receives a datagram from its Internet connection:
- It looks in its table of established masqueraded connections to see if this datagram actually belongs to a computer on the LAN.
- If it does, it reverses the modification it did on the forward path and transmits the datagram to the LAN computer.
The MASQUERADE chain is useful for internally creating an entire private IP address space, and for forwarding packets that would otherwise be incompatible.
The Ethernet, or wired protocol, assumes that the packet comes from the source and reports itself. The Wifi, or wireless protocol, assumes that the packet is being repeated and reports itself and the original source.
For this reason, Wifi and Ethernet cannot be directly bridged because they are incompatible. Masquerading causes the packets to be rebuilt and will thereby handle conversion between wired and wireless standards. Note: There are ways to cause your computer to accept the incompatibility internally and bridge, but without a full masquerade, the bridge spoof will be viewed externally as a security risk and those requests will be rejected.
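The forward-path bookkeeping and reverse-path lookup listed in this answer, as an added simulation that is not part of the answer (in a real system the kernel's connection tracking keeps this table). The public address, LAN hosts and ports are constructed sample values; the table is a plain file so the script stays POSIX sh.

```shell
#!/bin/sh
# Added example, not from the answer above: simulates the masquerade table.
# Constructed values: 203.0.113.5 is the router's single public address
# (RFC 5737 documentation range); ports handed out start at 40000.
EXT_IP=203.0.113.5
NAT_TABLE=$(mktemp)    # one line per flow: proto lan_ip lan_port dst_ip dst_port nat_port

# Outbound: $1=proto $2=lan_ip $3=lan_port $4=dst_ip $5=dst_port
# Prints the rewritten tuple "proto EXT_IP nat_port dst_ip dst_port" and records
# the mapping, so the same LAN flow keeps the same public port.
masq_out() {
    entry=$(grep "^$1 $2 $3 $4 $5 " "$NAT_TABLE" | head -n 1)
    if [ -z "$entry" ]; then
        # new flow: allocate the next public port and remember the mapping
        nat_port=$((40000 + $(wc -l < "$NAT_TABLE")))
        echo "$1 $2 $3 $4 $5 $nat_port" >> "$NAT_TABLE"
    else
        nat_port=${entry##* }
    fi
    echo "$1 $EXT_IP $nat_port $4 $5"
}

# Inbound: $1=proto $2=src_ip $3=src_port $4=dst_ip $5=dst_port
# Only a reply that matches a recorded flow (same proto, the remote host and
# port we sent to, and the public port we handed out) is translated back to
# the LAN host; anything else has no owner behind the router and is dropped.
masq_in() {
    if [ "$4" != "$EXT_IP" ]; then
        echo DROP; return 0
    fi
    entry=$(grep "^$1 [^ ]* [^ ]* $2 $3 $5\$" "$NAT_TABLE" | head -n 1)
    if [ -z "$entry" ]; then
        echo DROP; return 0
    fi
    set -- $entry    # proto lan_ip lan_port dst_ip dst_port nat_port
    echo "$1 $4 $5 $2 $3"
}
```

Two LAN hosts using the same source port still get distinct public ports, because the public port, not the private address, is what the reply lookup keys on.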
What is IP Masquerade and how to rule it with iptables?
IP Masquerade is also known as Network Address Translation (NAT), and as Network Connection Sharing in some other popular operating systems. It is basically a method for allowing a computer that doesn't have a public, Internet-wide IP address to communicate with other computers on the Internet with the help of another computer sitting in between it and the Internet.
As you know, IP addresses are used on the Internet to identify machines. Given a packet with an IP address, every router that makes up the Internet knows where to send that packet to get it to its destination. Now, there are also a few ranges of IP addresses that have been reserved for private use inside Local Area Networks and other networks that are not directly connected to the Internet. These private addresses are guaranteed not to be in use on the public Internet.
This causes problems for machines that are connected to private networks and use private IP addresses, because they can't be connected directly to the Internet. They don't have an IP address that is allowed to be used on the public Internet. IP Masquerade solves this problem by allowing a machine with a private IP address to communicate with the Internet, while at the same time modifying the machine's packets to use a valid public IP address instead of the original private IP address. Packets returning from the Internet are modified back to use the original IP address before reaching the private IP machine.
Note that this is not limited to the Internet: masquerade/NAT can be used to route traffic from one network to another, let's say 10.0.0.0/24 and 192.168.0.0/24.
The iptables masquerade rule can be replaced with an SNAT rule:
iptables -t nat -A POSTROUTING -o eth2 -s 10.0.0.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth2 -j SNAT --to-source 192.168.1.2 # supposing eth2 assigned ip is 192.168.1.2
Both masquerade and SNAT require ip_forward enabled at the kernel level, with echo "1" > /proc/sys/net/ipv4/ip_forward or permanently by editing the settings file with nano /etc/sysctl.conf.
IP forward makes the machine act like a router and thus redirect/forward packets from all active interfaces, logically by the targeted network (local/net/other/etc.) or by following the route table. Note that enabling ip_forward may introduce an important security risk; if ip_forward cannot be avoided, it needs to be supervised/secured by additional iptables/route rules.
Posted on 2019-04-14 by intika, updated on August 12, 2020.