Firewall: Masquerading
Desktop Training - Fedora

Masquerading assumes you have two network cards and moves traffic from one card to the other, connecting two networks in the process.  The other assumption is that you have an internal network using private IP addresses, which the machine rewrites to an external address as traffic leaves; see the illustration.




In this illustration you can see that you have an internal LAN on the subnet 10.1.1/24, and those IP addresses will be changed to 172.19.19.130/28, which is a public IP address and is routable on the Internet.  The advantage of masquerading is that from the Internet side you cannot see the real IP addresses of the LAN computers; you only see the public IP address.


The simplest application of NAT is address translation from a more trusted segment to a less trusted segment. The simplest use of NAT with iptables is MASQUERADE.  Here you can see the basic setup with iptables that is created when you select this option in the Firewall GUI.

Using the configuration illustrated, the following command translates the source IP addresses and port numbers of packets passing from the private segment to the public segment.

/sbin/iptables --table nat --append POSTROUTING --source --out-interface eth0 --jump MASQUERADE
The command appends a MASQUERADE rule to the POSTROUTING chain of the nat table causing source addresses of all packets that originate on the network to be translated to the IP address of eth0 as the packets leave that interface. Source port numbers are also translated. The destination addresses and port numbers of reply packets are translated back to the IP addresses and port numbers of the originating private segment hosts as illustrated in Figure 8-2.
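The translation described above, as an added toy model that is not part of the lesson and not iptables code: it keeps the kind of table the kernel's connection tracking keeps so that replies arriving on the public interface can be mapped back to the private host, and it shows why two LAN hosts using the same source port never collide on the public side. The addresses are taken from the illustration (LAN 10.1.1.0/24 behind 172.19.19.130 on eth0); the destination addresses are constructed.

```python
"""Toy model of what a MASQUERADE rule in nat/POSTROUTING does to a flow.

Constructed example (not the lesson's code, not the kernel's): it models the
mapping table that lets reply packets reach the originating private host.
"""
from ipaddress import ip_address, ip_network

PUBLIC_IP = "172.19.19.130"      # address of eth0, used as the new source
LAN = ip_network("10.1.1.0/24")  # the --source network of the rule


class Masquerader:
    def __init__(self, public_ip=PUBLIC_IP, lan=LAN, first_port=1024):
        self.public_ip = public_ip
        self.lan = lan
        self.next_port = first_port
        # (public_port, dst_ip, dst_port) -> (private_ip, private_port)
        self.table = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving eth0: rewrite source address and source port."""
        if ip_address(src_ip) not in self.lan:
            return (src_ip, src_port, dst_ip, dst_port)  # rule does not match
        # An existing flow keeps the public port it was already given.
        for (pub_port, d_ip, d_port), (p_ip, p_port) in self.table.items():
            if (p_ip, p_port, d_ip, d_port) == (src_ip, src_port, dst_ip, dst_port):
                return (self.public_ip, pub_port, dst_ip, dst_port)
        # New flow: allocate a fresh public port, so two LAN hosts that both
        # use source port 40000 still get distinct public ports.
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reply arriving on eth0: map the destination back to the LAN host.

        Returns None when no LAN host started the flow; such a packet has no
        table entry and is not forwarded into the private segment."""
        if dst_ip != self.public_ip:
            return None
        entry = self.table.get((dst_port, src_ip, src_port))
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return (src_ip, src_port, priv_ip, priv_port)
```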

The following command line shows an abbreviated form of the command.

/sbin/iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
Other abbreviations include --src for --source and --out for --out-interface. The target name MASQUERADE itself cannot be abbreviated.


Enable Forwarding
A common mistake is to forget to enable the ip_forward setting in the /proc directory; it is what allows traffic to move from one network card to another on the firewall machine.  The following command enables forwarding.

echo 1 > /proc/sys/net/ipv4/ip_forward

To make this setting permanent, edit /etc/sysctl.conf and change the "0" to a "1"; forwarding will then be enabled at every boot.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

Create a Simple MASQUERADE Script
# Rewrite the source address of LAN packets leaving the public interface eth0
/sbin/iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
# Allow only replies to established connections back in from eth0 to the LAN (eth1)
/sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow the LAN (eth1) to open connections out through eth0
/sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT