لطفا منتظر باشید ...
Chapter 9. IP Masquerade and Network Address Translation
You
don't have to have a good memory to remember a time
when only large organizations could afford to have a number of
computers networked together by a LAN. Today network technology has
dropped so much in price that two things have happened. First, LANs
are now commonplace, even in many household environments. Certainly
many Linux users will have two or more computers connected by some
Ethernet. Second, network resources, particularly IP addresses, are
now a scarce resource, and while they used to be free, they are now
being bought and sold.Most people with a LAN will probably also
want an Internet connection that every computer on the LAN can use.
The IP routing rules are strict in how they deal with this situation.
Traditional solutions to this problem would have involved requesting
an IP network address, perhaps a class C address for small sites,
assigning each host on the LAN an address from this network and using
a router to connect the LAN to the Internet.In a commercialized Internet
environment, this is an expensive proposition. First,
you'd be required to pay for the network addresses
that are assigned to you. Second, you'd probably
have to pay your Internet Service Provider for the privilege of
having a suitable route to your network put in place so that the rest
of the Internet knows how to reach you. This might still be practical
for companies, but domestic installations don't
usually justify the cost. Fortunately, Linux provides an answer to
this dilemma. This answer involves a component of a group of advanced
networking features called Network
Address Translation (NAT).
NAT describes the process of modifying the network addresses (and
sometimes port numbers) contained with packet headers while they are
in transit. This might sound odd at first, but we'll
show that it is ideal for solving the problem we've
just described. IP masquerading is the name
given to one type of network address translation that allows all of
the hosts on a private network to use the Internet at the price of a
single dynamic IP address. When the single address is statically
assigned, the same functionality goes by the name SNAT
(Source NAT). We'll refer to
both of these as "masquerading" in
what follows.IP masquerading allows you to use private
(non-routable) IP network addresses for your hosts on your LAN and
have your Linux-based router perform some clever, real-time
translation of IP addresses and ports. When it receives a packet from
a computer on the LAN, it takes note of the type of packet it is,
(such as TCP, UDP or ICMP) and modifies the packet so that it looks
like it was generated by the router host itself (and remembers that
it has done so). It then transmits the packet onto the Internet with
its single connection IP address. When the destination host receives
this packet, it believes the packet has come from the routing host
and sends any reply packets back to that address. When the Linux
masquerade router receives a packet from its Internet connection, it
looks in its table of established masqueraded connections to see if
this packet actually belongs to a computer on the LAN, and if it
does, it reverses the modification it did on the forward path and
transmits the packet to the LAN computer. A simple example is
illustrated in Figure 9-1.
Figure 9-1. A typical IP masquerade configuration
of the reserved network addresses. The network has a Linux-based
masquerade router providing access to the Internet. One of the
workstations on the network (192.168.1.3) wishes to establish a connection
to the remote host 209.1.106.178.
The workstation routes its packet to the masquerade router, which
identifies this connection request as requiring masquerade services.
It accepts the packet and allocates a port number to use (1035),
substitutes its own IP address and port number for those of the
originating host, and transmits the packet to the destination host.
The destination host believes it has received a connection request
from the Linux masquerade host and generates a reply packet. The
masquerade host, on receiving this packet, finds the association in
its masquerade table and reverses the substitution it performed on
the outgoing packet. It then transmits the reply packet to the
originating host.The local host believes it is speaking
directly to the remote host. The remote host knows nothing about the
local host at all and believes it has received a connection from the
Linux masquerade host. The Linux masquerade host knows these two
hosts are speaking to each other, and on what ports, and performs the
address and port translations necessary to allow communication.This might all seem a little confusing, and it can be, but it works
and is actually simple to configure. So don't worry
if you don't understand all the details yet.
