You don't have to have a good memory to remember a time when only large organizations could afford to have a number of computers networked together by a LAN. Today network technology has dropped so much in price that two things have happened. First, LANs are now commonplace, even in many household environments. Certainly many Linux users will have two or more computers connected by some Ethernet. Second, network resources, particularly IP addresses, are now a scarce resource, and while they used to be free, they are now being bought and sold.
Most people with a LAN will probably also want an Internet connection that every computer on the LAN can use. The IP routing rules are strict in how they deal with this situation. Traditional solutions to this problem would have involved requesting an IP network address, perhaps a class C address for small sites, assigning each host on the LAN an address from this network and using a router to connect the LAN to the Internet.
In a commercialized Internet environment, this is an expensive proposition. First, you'd be required to pay for the network addresses that are assigned to you. Second, you'd probably have to pay your Internet Service Provider for the privilege of having a suitable route to your network put in place so that the rest of the Internet knows how to reach you. This might still be practical for companies, but domestic installations don't usually justify the cost.
Fortunately, Linux provides an answer to this dilemma. This answer involves a component of a group of advanced networking features called Network Address Translation (NAT). NAT describes the process of modifying the network addresses (and sometimes port numbers) contained with packet headers while they are in transit. This might sound odd at first, but we'll show that it is ideal for solving the problem we've just described. IP masquerading is the name given to one type of network address translation that allows all of the hosts on a private network to use the Internet at the price of a single dynamic IP address. When the single address is statically assigned, the same functionality goes by the name SNAT (Source NAT). We'll refer to both of these as "masquerading" in what follows.
IP masquerading allows you to use private (non-routable) IP network addresses for your hosts on your LAN and have your Linux-based router perform some clever, real-time translation of IP addresses and ports. When it receives a packet from a computer on the LAN, it takes note of the type of packet it is, (such as TCP, UDP or ICMP) and modifies the packet so that it looks like it was generated by the router host itself (and remembers that it has done so). It then transmits the packet onto the Internet with its single connection IP address. When the destination host receives this packet, it believes the packet has come from the routing host and sends any reply packets back to that address. When the Linux masquerade router receives a packet from its Internet connection, it looks in its table of established masqueraded connections to see if this packet actually belongs to a computer on the LAN, and if it does, it reverses the modification it did on the forward path and transmits the packet to the LAN computer. A simple example is illustrated in Figure 9-1.
We have a small Ethernet network using one of the reserved network addresses. The network has a Linux-based masquerade router providing access to the Internet. One of the workstations on the network (192.168.1.3) wishes to establish a connection to the remote host 209.1.106.178. The workstation routes its packet to the masquerade router, which identifies this connection request as requiring masquerade services. It accepts the packet and allocates a port number to use (1035), substitutes its own IP address and port number for those of the originating host, and transmits the packet to the destination host. The destination host believes it has received a connection request from the Linux masquerade host and generates a reply packet. The masquerade host, on receiving this packet, finds the association in its masquerade table and reverses the substitution it performed on the outgoing packet. It then transmits the reply packet to the originating host.
The local host believes it is speaking directly to the remote host. The remote host knows nothing about the local host at all and believes it has received a connection from the Linux masquerade host. The Linux masquerade host knows these two hosts are speaking to each other, and on what ports, and performs the address and port translations necessary to allow communication.
This might all seem a little confusing, and it can be, but it works and is actually simple to configure. So don't worry if you don't understand all the details yet.