6.8. IP Masquerade


IP Masquerade is a mechanism that lets a set of machines share a single IP address. It allows the hidden nodes (that is, those configured with a private IP address) to reach the Internet, but they cannot directly accept external connections or offer services; everything passes through the machine that holds the real (public) IP, which rewrites the source address of outgoing packets and maps the replies back to the node that originated them.

This means that services which require the remote end to open a connection back to the hidden node will not work (for example, talk), and others must be configured in PASV (passive) mode so that all connections originate from the inside (for example, FTP, whose active mode has the server connect back to the client). WWW, telnet and IRC, however, work properly.

The kernel must be configured with the following options: Network firewalls, TCP/IP networking, IP: forwarding/gatewaying, IP: masquerading. (These are the option names of the 2.x kernels the text describes; on current kernels the same capabilities are provided by netfilter, forwarding is enabled at run time through net.ipv4.ip_forward, and masquerading is a target in the iptables/nftables NAT table.)

The most common configuration is a machine with a SLIP or PPP connection to the Internet and a second network device (for example, an Ethernet card) with a reserved network address. As we have seen, and as described in RFC 1918, the following address ranges (IP/Mask) can be used as private IPs:

10.0.0.0/255.0.0.0 (10/8)
172.16.0.0/255.240.0.0 (172.16/12)
192.168.0.0/255.255.0.0 (192.168/16)

The nodes to be masqueraded sit on this second network, and each of them must have the address of the masquerading machine as its default gateway (router). On the masquerading machine itself, we can configure:
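The following script is an added example written for this section; it is not code from the original text or its references. It sets up the configuration just described with iptables rather than ipchains: the single real IP is assumed to be on ppp0, the private LAN on eth0 using the RFC 1918 network 192.168.1.0/24, and the masquerading machine is assumed to have 192.168.1.1 on its LAN side (all three are assumptions chosen for the example and can be overridden through the environment variables). The rules are generated as text first so they can be reviewed before being applied as root; the FORWARD chain only lets connections that originate on the private network through, which is exactly the "cannot accept external calls" behaviour the section describes.

```shell
#!/bin/sh
# Added example: masquerade a private LAN behind one public address with iptables.
# Assumptions (not from the text): external link on ppp0, LAN on eth0 using
# 192.168.1.0/24, masquerading host is 192.168.1.1 on the LAN side.
EXT_IF="${EXT_IF:-ppp0}"                 # interface holding the single real IP
LAN_IF="${LAN_IF:-eth0}"                 # interface on the private network
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # RFC 1918 range used on the LAN
GW_ADDR="${GW_ADDR:-192.168.1.1}"        # LAN address of the masquerading host

# Print the commands instead of running them, so they can be inspected
# (or checked by a test) without privileges.
masq_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# Command each hidden node needs so that the masquerading host is its default
# gateway; printed here, to be run on the node (not on the gateway).
client_route_cmd() {
    echo "ip route add default via $GW_ADDR dev $LAN_IF"
}

# Apply the rules on the gateway (requires root). "--dry-run" only shows them.
apply_masq() {
    if [ "$1" = "--dry-run" ]; then
        masq_rules
        return 0
    fi
    # sh -e stops at the first failing command so a half-applied set is noticed.
    masq_rules | sh -e
}

# Run directly: show what would be done; pass --apply to really install it.
case "$1" in
    --apply) apply_masq ;;
    *)       apply_masq --dry-run; echo "# on each hidden node:"; client_route_cmd ;;
esac
```

The ESTABLISHED,RELATED rule is what makes replies to masqueraded connections come back in; with the trailing DROP, nothing from the outside can open a new connection to a hidden node. Inbound traffic to the gateway itself is governed by the INPUT chain, which this example does not touch, so it still needs its own filtering.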

Consult the references in the unit covering security for information on ipchains and iptables. [Ran05, KD00]