2.5. How does IP Masquerade Work?

Based from the original IP Masquerade FAQ by Ken Eves: Here is a drawing of the most simplistic setup:

PPP/ETH/etc.        +------------+                         +-------------+
to ISP provider     |  Linux #1  |       PPP/ETH/etc.      | Anybox      |
                    |            |                         |             |
  <---------- modem1|            |modem2 ----------- modem3|             |
                    |            |                         |             | |            |  |             |
                    +------------+                         +-------------+

In the above drawing, a Linux box with IP_MASQUERADING is installed as Linux #1 and is connected to the Internet via PPP, Ethernet, etc. It has an assigned public IP address of It also has another network interface (e.g. modem2) connected to allow incoming network traffic be it from a PPP connection, Ethernet connection, etc.

The second system (which does not need to be Linux) connects into the Linux #1 box and starts its network traffic to the Internet. This second machine does NOT have a publicly assigned IP address from the Internet, so it uses an RFC1918 private address, say (see below for more info)

With IP Masquerade and the routing configured properly, this second machine "Anybox" can interact with the Internet as if it was directly connected to the Internet with a few small exceptions [noted later].

Quoting Pauline Middelink (the founder of Linux's IPMASQ):

"Do not forget to mention that the "ANYBOX" machine should have the Linux #1 box configured as its default gateway (whether it be the default route or just a subnet is no matter). If the "ANYBOX" machine is connected via a PPP or SLIP connection, the Linux #1 machine should be configured to support proxy arp for all routed addresses. But, the setup and configuration of proxy arp is beyond the scope of this document. Please see the PPP-HOWTO for more details."

The following is an excerpt on how IPMASQ briefly works though this will be explained in more detail later. This short text is based from a previous post on comp.os.linux.networking which has been edited to match the names used in the above example:

   o I tell machine ANYBOX that my PPP or Ethernet connected Linux box is its 

   o When a packet comes into the Linux box from ANYBOX, it will assign the 
     packet to a new TCP/IP source port number and insert its own IP address 
     inside the packet header, saving the originals.  The MASQ server will 
     then send the modified packet over the PPP/ETH interface onto the 

   o When a packet returns from the Internet into the Linux box, Linux 
     examines if the port number is one of those ports that was assigned 
     above.  If so, the MASQ server will then take the original port and 
     IP address, put them back in the returned packet header, and send 
     the packet to ANYBOX.

   o The host that sent the packet will never know the difference. 

Another IP Masquerading Example:

A typical example is given in the diagram below:

    |          |  
    | A-box    |::::::
    |          |.2   : 
    +----------+     :
                     :      +----------+   PPP/ETH   
    +----------+     :   .1 |  Linux   |     link
    |          |     :::::::| Masq-Gate|:::::::::::::::::::>> Internet
    | B-box    |::::::      |          |
    |          |.3   :      +----------+
    +----------+     :
    +----------+     :
    |          |     :
    | C-box    |::::::
    |          |.4    

    |                       |          |                           >
    | <-Internal Network--> |          | <- External Network ----> >
    |   connected via an    |          |    Connected from the     >
    |   Ethernet hub or     |          |    Linux server to your   > 
    |       switch          |          |    Internet connection    >

In this example, there are (4) computer systems that we are concerned about. There is also presumably something on the far right that your PPP/ETH connection to the Internet comes through (modem server, DSL DSLAM, Cablemodem router, etc.). Out on the Internet, there exists some remote host (very far off to the right of the page) that you are interested in communicating with). The Linux system named Masq-Gate is the IP Masquerading gateway for ALL internal networked machines. In this example, the machines A-box, B-box, and C-box would have to go through the Masq-Gate to reach the Internet. The internal network uses one of several RFC-1918 assigned private network addresses, where in this case, would be the Class-C network If you aren't familiar with RFC1918, it is encouraged to read the first few chapters of the RFC but the jist of it is that the TCP/IP addresses, 172.16-31.0.0/12, and are reserved. We we say "reserved", we mean that anyone can use these addresses as long as they aren't routed over the Internet. ISPs are even allowed to use this private addressing space as long as they keep these addresses within their own networks and NOT advertise them to other ISPs. Unfortunately, this isn't always the case but thats beyond the scope of this HOWTO.

Anyway, the Linux box in the diagram above has the TCP/IP address while the other systems has the addresses:

The three machines, A-box, B-box and C-box, can have any one of several operating systems, just as long as they can speak TCP/IP. Some such as Windows 95, Macintosh MacTCP or OpenTransport , or even another Linux box have the ability to connect to other machines on the Internet. When running the IP Masquerade, the masquerading system or MASQ-gate converts all of these internal connections so that they appear to originate from the masq-gate itself. MASQ then arranges so that the data coming back to a masqueraded connection is relayed to the proper originating system. Therefore, the systems on the internal network are only able to see a direct route to the internet and are unaware that their data is being masqueraded. This is called a "Transparent" connection.

NOTE: Please see Chapter 7 for more details on topics such as: