What is MASQUERADE in the context of iptables?


In iptables, many times I see the target MASQUERADE. What is that? I searched and found lots of things, but I need someone to explain to me what MASQUERADE is in an easy-to-understand way.



An example (taken from this answer) is:




sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE










      networking firewall iptables






      edited Dec 14 '17 at 19:15
      Bruno Bronosky

      asked May 15 '14 at 16:07
      Mohammad Reza Rezwani

          3 Answers

          It is an algorithm dependent on the iptables implementation that allows one to route traffic without disrupting the original traffic.



          I use the masquerade algorithm when I want to create a virtual wifi adapter and share my wifi.



          I'm NOT talking about sharing an Ethernet connection through your wifi; I'm talking about sharing the wifi connection through your wifi via masquerading it to a virtual adapter. This in effect lets you share your wifi connection through wifi.



          Read this and scroll down to MASQUERADE: http://billauer.co.il/ipmasq-html.html



          Read this for more in depth: http://oreilly.com/openbook/linag2/book/ch11.html





          All those questions about "Connectify for linux" can be solved by implementing the MASQUERADE algo.





          For a direct example visit this page: http://pritambaral.com/2012/05/connectify-for-linux-wireless-hotspot/



          I HAVE NOT READ THE LAST LINK!!!! But the following is an accurate excerpt/example.



          sudo sysctl -w net.ipv4.ip_forward=1
          sudo iptables -A FORWARD -i wlan0 -j ACCEPT
          sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


          I really dislike how search engines make the algorithm out to be some evil type of hack. I use it merely to share my internet with my Android phones.



          FINAL EDIT: this link is the bestest http://gsp.com/cgi-bin/man.cgi?section=3&topic=libalias






          answered May 15 '14 at 16:15, edited May 15 '14 at 16:37
          Banned_User

          • like your first link that was --exactly-- what I am looking for :)

            – Mohammad Reza Rezwani
            May 15 '14 at 16:29

































          MASQUERADE is an iptables target that can be used instead of the SNAT target (source NAT) when the external IP of the inet interface is not known at the moment of writing the rule (when the server gets its external IP dynamically).






          answered May 15 '14 at 16:21
          Sergey P. aka azure

          • What should be used when the IP address is known?

            – Luc
            Nov 28 '16 at 8:55






          • @Luc, the SNAT target (source network address translation), with the source IP that should be placed instead of the original source IP in the IP packet from the original host, like this: -j SNAT --to-source xx.xx.xx.xx where xx.xx.xx.xx is the external IP of the desired interface. And I can't say that it should be used when the external IP is known. I'd prefer to use MASQUERADE instead of SNAT to make rules flexible and not bound to a specific external IP that I have at the moment.

            – Sergey P. aka azure
            Dec 6 '16 at 10:08
































          IP Masquerade is also known as Network Address Translation (NAT) and as Network Connection Sharing on some other popular operating systems. It is basically a method for allowing a computer that doesn't have a public, Internet-wide IP address to communicate with other computers on the Internet with the help of another computer sitting in between it and the Internet.

          As you know, IP addresses are used on the Internet to identify machines. Given a packet with an IP address, every router that makes up the Internet knows where to send that packet to get it to its destination. Now, there are also a few ranges of IP addresses that have been reserved for private use inside Local Area Networks and other networks that are not directly connected to the Internet. These private addresses are guaranteed not to be in use on the public Internet.

          This causes problems for machines that are connected to private networks and use private IP addresses, because they can't be connected directly to the Internet. They don't have an IP address that is allowed to be used on the public Internet. IP Masquerade solves this problem by allowing a machine with a private IP address to communicate with the Internet, while at the same time modifying the machine's packets to use a valid public IP address instead of the original private IP address. Packets returning from the Internet are modified back to use the original IP address before reaching the private-IP machine.

          Note that this is not limited to the Internet: masquerade/NAT can be used to route traffic from one network to another, let's say 10.0.0.0/24 and 192.168.0.0/24.

          An iptables masquerade rule can be replaced with an SNAT rule:

          iptables -t nat -A POSTROUTING -o eth2 -s 10.0.0.0/24 -j MASQUERADE

          =

          iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth2 -j SNAT --to-source 192.168.1.2
          # supposing eth2's assigned IP is 192.168.1.2

          Both masquerade and SNAT require ip_forward to be enabled at the kernel level with echo "1" > /proc/sys/net/ipv4/ip_forward or permanently by editing the settings file, nano /etc/sysctl.conf.

          IP forwarding makes the machine act like a router and thus redirects/forwards packets from all active interfaces, logically by the targeted network (local/net/other/etc.) or by following the route table. Note that enabling ip_forward may introduce an important security risk; if ip_forward cannot be avoided, it needs to be supervised/secured by additional iptables/route rules.
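A toy model, added here and not taken from any answer or from netfilter itself, of what the two POSTROUTING rules above do to one connection: the conntrack-style mapping that rewrites the private source, the reverse translation of the reply, what happens when ip_forward is off, and why the second answer prefers MASQUERADE on a dynamic address. The 10.0.0.0/24 network, the 192.168.1.2 address on eth2, the host 10.0.0.5 and the peer 192.168.0.10 are assumed from the rules quoted above; port numbers are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed toy model of the source-NAT step done by an iptables POSTROUTING
# rule; this is not netfilter code. A packet is (src, sport, dst, dport).
Packet = Tuple[str, int, str, int]

MASQUERADE = "MASQUERADE"
SNAT = "SNAT"


@dataclass
class NatRouter:
    lan_net: str                      # the "-s 10.0.0.0/24" match of the rule
    wan_ip: Optional[str]             # current address of the "-o eth2" interface
    target: str = MASQUERADE          # MASQUERADE or SNAT
    to_source: Optional[str] = None   # SNAT "--to-source"; unused by MASQUERADE
    ip_forward: bool = True           # net.ipv4.ip_forward
    next_port: int = 40000            # next free translated source port
    # conntrack-style tables: original flow -> (public ip, port) and the reverse
    out_map: Dict[Packet, Tuple[str, int]] = field(default_factory=dict)
    in_map: Dict[Packet, Tuple[str, int]] = field(default_factory=dict)

    def _public_src(self) -> Optional[str]:
        if self.target == SNAT:
            return self.to_source     # fixed when the rule was written
        return self.wan_ip            # read from the interface per packet

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a LAN->WAN packet; None means the router drops it."""
        src, sport, dst, dport = pkt
        if not self.ip_forward:
            return None               # ip_forward=0: nothing is forwarded at all
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.lan_net):
            return pkt                # "-s" does not match: forwarded untranslated
        public = self._public_src()
        if public is None:
            return None               # MASQUERADE while the interface has no address
        if pkt not in self.out_map:   # first packet of the flow: allocate a mapping
            self.out_map[pkt] = (public, self.next_port)
            self.in_map[(dst, dport, public, self.next_port)] = (src, sport)
            self.next_port += 1
        pub_ip, pub_port = self.out_map[pkt]
        return (pub_ip, pub_port, dst, dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a WAN->LAN reply; None means no mapping exists."""
        src, sport, dst, dport = pkt
        hit = self.in_map.get((src, sport, dst, dport))
        if hit is None:
            return None               # unsolicited packet: not sent into the LAN
        lan_ip, lan_port = hit
        return (src, sport, lan_ip, lan_port)

    def wan_address_changed(self, new_ip: Optional[str]) -> None:
        """The dynamic WAN address changed (or the interface went down)."""
        self.wan_ip = new_ip
        if self.target == MASQUERADE:
            # MASQUERADE forgets its connections when the interface changes;
            # the SNAT rule keeps stamping the now-stale --to-source address.
            self.out_map.clear()
            self.in_map.clear()


def demo() -> dict:
    """Run one flow through both rule forms from the answer above."""
    masq = NatRouter("10.0.0.0/24", "192.168.1.2")                  # -j MASQUERADE
    snat = NatRouter("10.0.0.0/24", "192.168.1.2", target=SNAT,
                     to_source="192.168.1.2")                       # -j SNAT --to-source
    flow = ("10.0.0.5", 51000, "192.168.0.10", 443)
    out_m = masq.outbound(flow)
    out_s = snat.outbound(flow)
    reply = (out_m[2], out_m[3], out_m[0], out_m[1])                # peer answers the public tuple
    back = masq.inbound(reply)
    masq.wan_address_changed("192.168.1.77")                        # DHCP handed out a new address
    snat.wan_address_changed("192.168.1.77")
    return {
        "masq": out_m, "snat": out_s, "reply": back,
        "masq_after": masq.outbound(flow),
        "snat_after": snat.outbound(flow),
        "stale_reply": masq.inbound(reply),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

Both rules produce the same translation while 192.168.1.2 is the interface address; after the address changes, only the MASQUERADE router stamps the new one, which is the flexibility the second answer describes.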






          share|improve this answer

























            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "89"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f466445%2fwhat-is-masquerade-in-the-context-of-iptables%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            3 Answers
            3






            active

            oldest

            votes








            3 Answers
            3






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            26














            It is an algorithm dependant on the iptables implementation that allows one to route traffic without disrupting the original traffic.



            I use the masquerade algorithm when I want to create a virtual wifi adapter and share my wifi.



            Im NOT talking about sharing Ethernet connection through your wifi, Im talking about sharing the wifi connection through your wifi via masquerading it to a virtual adapter. This in effect lets you share your wifi connection through wifi.



            .



            .



            Read this and scroll down to MASQUERADE: http://billauer.co.il/ipmasq-html.html



            Read this for more in depth: http://oreilly.com/openbook/linag2/book/ch11.html





            All those questions about "Connectify for linux" can be solved by implementing the MASQUERADE algo.





            For a direct example visit this page: http://pritambaral.com/2012/05/connectify-for-linux-wireless-hotspot/



            I HAVE NOT READ THE LAST LINK!!!! But the following is an accurate excerpt/example.



            sudo sysctl -w net.ipv4.ip_forward=1
            sudo iptables -A FORWARD -i wlan0 -j ACCEPT
            sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


            I really dislike how search engines make the algorithm out to be some evil type of hack.. I use it merely so share my internet with my android phones.



            FINAL EDIT: this link is the bestest http://gsp.com/cgi-bin/man.cgi?section=3&topic=libalias






            share|improve this answer

























            • like your first link that was --exactly-- what I am looking for :)

              – Mohammad Reza Rezwani
              May 15 '14 at 16:29
















            26














            It is an algorithm dependant on the iptables implementation that allows one to route traffic without disrupting the original traffic.



            I use the masquerade algorithm when I want to create a virtual wifi adapter and share my wifi.



            Im NOT talking about sharing Ethernet connection through your wifi, Im talking about sharing the wifi connection through your wifi via masquerading it to a virtual adapter. This in effect lets you share your wifi connection through wifi.



            .



            .



            Read this and scroll down to MASQUERADE: http://billauer.co.il/ipmasq-html.html



            Read this for more in depth: http://oreilly.com/openbook/linag2/book/ch11.html





            All those questions about "Connectify for linux" can be solved by implementing the MASQUERADE algo.





            For a direct example visit this page: http://pritambaral.com/2012/05/connectify-for-linux-wireless-hotspot/



            I HAVE NOT READ THE LAST LINK!!!! But the following is an accurate excerpt/example.



            sudo sysctl -w net.ipv4.ip_forward=1
            sudo iptables -A FORWARD -i wlan0 -j ACCEPT
            sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


            I really dislike how search engines make the algorithm out to be some evil type of hack.. I use it merely so share my internet with my android phones.



            FINAL EDIT: this link is the bestest http://gsp.com/cgi-bin/man.cgi?section=3&topic=libalias






            share|improve this answer

























            • like your first link that was --exactly-- what I am looking for :)

              – Mohammad Reza Rezwani
              May 15 '14 at 16:29














            26












            26








            26







            It is an algorithm dependant on the iptables implementation that allows one to route traffic without disrupting the original traffic.



            I use the masquerade algorithm when I want to create a virtual wifi adapter and share my wifi.



            Im NOT talking about sharing Ethernet connection through your wifi, Im talking about sharing the wifi connection through your wifi via masquerading it to a virtual adapter. This in effect lets you share your wifi connection through wifi.



            .



            .



            Read this and scroll down to MASQUERADE: http://billauer.co.il/ipmasq-html.html



            Read this for more in depth: http://oreilly.com/openbook/linag2/book/ch11.html





            All those questions about "Connectify for linux" can be solved by implementing the MASQUERADE algo.





            For a direct example visit this page: http://pritambaral.com/2012/05/connectify-for-linux-wireless-hotspot/



            I HAVE NOT READ THE LAST LINK!!!! But the following is an accurate excerpt/example.



            sudo sysctl -w net.ipv4.ip_forward=1
            sudo iptables -A FORWARD -i wlan0 -j ACCEPT
            sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


            I really dislike how search engines make the algorithm out to be some evil type of hack.. I use it merely so share my internet with my android phones.



            FINAL EDIT: this link is the bestest http://gsp.com/cgi-bin/man.cgi?section=3&topic=libalias






            share|improve this answer















            It is an algorithm dependant on the iptables implementation that allows one to route traffic without disrupting the original traffic.



            I use the masquerade algorithm when I want to create a virtual wifi adapter and share my wifi.



            Im NOT talking about sharing Ethernet connection through your wifi, Im talking about sharing the wifi connection through your wifi via masquerading it to a virtual adapter. This in effect lets you share your wifi connection through wifi.



            .



            .



            Read this and scroll down to MASQUERADE: http://billauer.co.il/ipmasq-html.html



            Read this for more in depth: http://oreilly.com/openbook/linag2/book/ch11.html





            All those questions about "Connectify for linux" can be solved by implementing the MASQUERADE algo.





            For a direct example visit this page: http://pritambaral.com/2012/05/connectify-for-linux-wireless-hotspot/



            I HAVE NOT READ THE LAST LINK!!!! But the following is an accurate excerpt/example.



            sudo sysctl -w net.ipv4.ip_forward=1
            sudo iptables -A FORWARD -i wlan0 -j ACCEPT
            sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


            I really dislike how search engines make the algorithm out to be some evil type of hack.. I use it merely so share my internet with my android phones.



            FINAL EDIT: this link is the bestest http://gsp.com/cgi-bin/man.cgi?section=3&topic=libalias







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited May 15 '14 at 16:37

























            answered May 15 '14 at 16:15









            Banned_UserBanned_User

            7431815




            7431815












            • like your first link that was --exactly-- what I am looking for :)

              – Mohammad Reza Rezwani
              May 15 '14 at 16:29


















            • like your first link that was --exactly-- what I am looking for :)

              – Mohammad Reza Rezwani
              May 15 '14 at 16:29

















            like your first link that was --exactly-- what I am looking for :)

            – Mohammad Reza Rezwani
            May 15 '14 at 16:29






            like your first link that was --exactly-- what I am looking for :)

            – Mohammad Reza Rezwani
            May 15 '14 at 16:29














            32














            MASQUERADE is an iptables target that can be used instead of SNAT target (source NAT) when external ip of the inet interface is not known at the moment of writing the rule (when server gets external ip dynamically).






            share|improve this answer























            • What should be used when the IP address is known?

              – Luc
              Nov 28 '16 at 8:55






            • 4





              @Luc, SNAT target (source network address translation) with defining source ip that should be placed instead of original source ip in the ip packet from original host. Like this -j SNAT --to-source xx.xx.xx.xx where xx.xx.xx.xx is the external ip of the desired interface. And I can't say that it should be used when external ip is known. I'd prefer to use MASQUERADE instead of SNAT to make rules flexible and not bound to specific external ip that I have at the moment.

              – Sergey P. aka azure
              Dec 6 '16 at 10:08















            32














            MASQUERADE is an iptables target that can be used instead of SNAT target (source NAT) when external ip of the inet interface is not known at the moment of writing the rule (when server gets external ip dynamically).






            share|improve this answer























            • What should be used when the IP address is known?

              – Luc
              Nov 28 '16 at 8:55






            • 4





              @Luc, SNAT target (source network address translation) with defining source ip that should be placed instead of original source ip in the ip packet from original host. Like this -j SNAT --to-source xx.xx.xx.xx where xx.xx.xx.xx is the external ip of the desired interface. And I can't say that it should be used when external ip is known. I'd prefer to use MASQUERADE instead of SNAT to make rules flexible and not bound to specific external ip that I have at the moment.

              – Sergey P. aka azure
              Dec 6 '16 at 10:08













            32












            32








            32







            MASQUERADE is an iptables target that can be used instead of SNAT target (source NAT) when external ip of the inet interface is not known at the moment of writing the rule (when server gets external ip dynamically).






            share|improve this answer













            MASQUERADE is an iptables target that can be used instead of SNAT target (source NAT) when external ip of the inet interface is not known at the moment of writing the rule (when server gets external ip dynamically).







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered May 15 '14 at 16:21









            Sergey P. aka azureSergey P. aka azure

            1,116911




            1,116911












            • What should be used when the IP address is known?

              – Luc
              Nov 28 '16 at 8:55






            • 4





              @Luc, SNAT target (source network address translation) with defining source ip that should be placed instead of original source ip in the ip packet from original host. Like this -j SNAT --to-source xx.xx.xx.xx where xx.xx.xx.xx is the external ip of the desired interface. And I can't say that it should be used when external ip is known. I'd prefer to use MASQUERADE instead of SNAT to make rules flexible and not bound to specific external ip that I have at the moment.

              – Sergey P. aka azure
              Dec 6 '16 at 10:08

















            • What should be used when the IP address is known?

              – Luc
              Nov 28 '16 at 8:55






            • 4





              @Luc, SNAT target (source network address translation) with defining source ip that should be placed instead of original source ip in the ip packet from original host. Like this -j SNAT --to-source xx.xx.xx.xx where xx.xx.xx.xx is the external ip of the desired interface. And I can't say that it should be used when external ip is known. I'd prefer to use MASQUERADE instead of SNAT to make rules flexible and not bound to specific external ip that I have at the moment.

              – Sergey P. aka azure
              Dec 6 '16 at 10:08
















            What should be used when the IP address is known?

            – Luc
            Nov 28 '16 at 8:55





            What should be used when the IP address is known?

            – Luc
            Nov 28 '16 at 8:55




            4




            4





            @Luc, SNAT target (source network address translation) with defining source ip that should be placed instead of original source ip in the ip packet from original host. Like this -j SNAT --to-source xx.xx.xx.xx where xx.xx.xx.xx is the external ip of the desired interface. And I can't say that it should be used when external ip is known. I'd prefer to use MASQUERADE instead of SNAT to make rules flexible and not bound to specific external ip that I have at the moment.

            – Sergey P. aka azure
            Dec 6 '16 at 10:08





            @Luc, SNAT target (source network address translation) with defining source ip that should be placed instead of original source ip in the ip packet from original host. Like this -j SNAT --to-source xx.xx.xx.xx where xx.xx.xx.xx is the external ip of the desired interface. And I can't say that it should be used when external ip is known. I'd prefer to use MASQUERADE instead of SNAT to make rules flexible and not bound to specific external ip that I have at the moment.

            – Sergey P. aka azure
            Dec 6 '16 at 10:08











            3














            IP Masquerade is also known as Network Address Translation (NAT) and Network Connection Sharing some other popular operating systems. It is basically a method for allowing a computer that doesn't have a public Internet wide IP address communicate with other computers on the Internet with the help of another computer sitting inbetween it and the Internet.



            As you know IP address are used on the Internet to identify machines. Given a packet with an IP address, every router that makes up the Internet knows where to send that packet to get it to its destination. Now, there are also a few ranges of IP addresses that have been reserved for private use inside Local Area Networks and other networks that are not directly connected to the Internet. These private addresses are guaranteed not to be in use on the public Internet.



            This causes problems for machines that are connected to private networks are use private IP addresses, because they can't be connected directly to the Internet. They don't have an IP address that is allowed to be used on the public Internet. IP Masquerade solves this problem by allowing a machine with a private IP address to communicate with the Internet, while at the same time modifying the machine's packets to use a valid public IP address instead of the original private IP address. Packets returning from the Internet are modified back to use the original IP address before reaching private IP machine.



            Note that this is not limited to the internet network masquerade/NAT can be used to route traffic from one network to an other let say 10.0.0.0/24 and 192.168.0.0/24



            Iptables masquerade rule can be replaced with SNAT rule



            iptables -t nat -A POSTROUTING -o eth2 -s 10.0.0.0/24 -j MASQUERADE


            =



            iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth2 -j SNAT --to-source 192.168.1.2
            # supposing eth2 assigned ip is 192.168.1.2


            Both masquerade and snat require ip_forward enabled at the kernel level with echo "1" > /proc/sys/net/ipv4/ip_forward or permanently by editing the settings file nano /etc/sysctl.conf.



            IP Forward makes the machine act like a router and thus redirect/forward packets from all active interface logically by the targeted network (local/net/other/etc) or by following the route table. Note that enabling ip_forward may introduce important security risk, if ip_forward can not be avoided, it needs to be supervised/secured by additional iptables/route rules.






            share|improve this answer





























              3














              IP Masquerade is also known as Network Address Translation (NAT) and Network Connection Sharing some other popular operating systems. It is basically a method for allowing a computer that doesn't have a public Internet wide IP address communicate with other computers on the Internet with the help of another computer sitting inbetween it and the Internet.



              As you know IP address are used on the Internet to identify machines. Given a packet with an IP address, every router that makes up the Internet knows where to send that packet to get it to its destination. Now, there are also a few ranges of IP addresses that have been reserved for private use inside Local Area Networks and other networks that are not directly connected to the Internet. These private addresses are guaranteed not to be in use on the public Internet.



              This causes problems for machines that are connected to private networks are use private IP addresses, because they can't be connected directly to the Internet. They don't have an IP address that is allowed to be used on the public Internet. IP Masquerade solves this problem by allowing a machine with a private IP address to communicate with the Internet, while at the same time modifying the machine's packets to use a valid public IP address instead of the original private IP address. Packets returning from the Internet are modified back to use the original IP address before reaching private IP machine.



              Note that this is not limited to the internet network masquerade/NAT can be used to route traffic from one network to an other let say 10.0.0.0/24 and 192.168.0.0/24



              Iptables masquerade rule can be replaced with SNAT rule



              iptables -t nat -A POSTROUTING -o eth2 -s 10.0.0.0/24 -j MASQUERADE


              =



              iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth2 -j SNAT --to-source 192.168.1.2
              # supposing eth2 assigned ip is 192.168.1.2


              Both masquerade and snat require ip_forward enabled at the kernel level with echo "1" > /proc/sys/net/ipv4/ip_forward or permanently by editing the settings file nano /etc/sysctl.conf.



              IP Forward makes the machine act like a router and thus redirect/forward packets from all active interface logically by the targeted network (local/net/other/etc) or by following the route table. Note that enabling ip_forward may introduce important security risk, if ip_forward can not be avoided, it needs to be supervised/secured by additional iptables/route rules.






edited Apr 16 at 16:47
answered Apr 14 at 19:56
intika
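An added example, written for this page and not taken from intika's answer, that turns the two equivalent POSTROUTING rules above into a small script: it picks MASQUERADE or SNAT depending on whether the WAN address is fixed, checks the ip_forward sysctl the answer mentions, and adds the FORWARD-chain rules the answer's last sentence calls for so that forwarding is limited to LAN-to-Internet traffic. The interface names eth0/eth2, the network 10.0.0.0/24 and the address 192.168.1.2 are sample values modelled on the answer; the conntrack and LOG rules are my addition, not part of the answer.

```shell
#!/bin/sh
# Added example (not from the answer above): generate the NAT rules for a
# private LAN behind one WAN interface, plus the FORWARD-chain rules that
# keep ip_forward from relaying anything other than LAN -> Internet traffic.
# Interface names and addresses are constructed sample values.
LAN_IF=eth0
WAN_IF=eth2
LAN_NET=10.0.0.0/24
WAN_IP=""            # leave empty for MASQUERADE; set e.g. 192.168.1.2 for SNAT

# The nat-table rule from the answer, in whichever of its two equivalent
# forms fits: MASQUERADE when the WAN address is dynamically assigned (the
# kernel looks it up per connection), SNAT when it is fixed.
nat_rule() {
    lan_net=$1; wan_if=$2; wan_ip=$3
    if [ -z "$wan_ip" ]; then
        echo "iptables -t nat -A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE"
    else
        echo "iptables -t nat -A POSTROUTING -s $lan_net -o $wan_if -j SNAT --to-source $wan_ip"
    fi
}

# Complete command list.  Forwarding is denied by default; only new
# connections from the LAN out through the WAN and the replies to existing
# connections pass.  What the policy will drop is logged (rate-limited) so
# that an unexpected relay attempt shows up in the kernel log.
ruleset() {
    lan_if=$1; wan_if=$2; lan_net=$3; wan_ip=$4
    nat_rule "$lan_net" "$wan_if" "$wan_ip"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FWD-DROP: \""
}

# True when the kernel is already forwarding (the sysctl the answer mentions).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Apply everything; needs root.  sysctl -w is the non-persistent equivalent
# of the echo in the answer; net.ipv4.ip_forward=1 in /etc/sysctl.conf persists it.
apply() {
    forwarding_enabled || sysctl -w net.ipv4.ip_forward=1
    ruleset "$LAN_IF" "$WAN_IF" "$LAN_NET" "$WAN_IP" | sh -e
}

# Print the commands for review by default; "apply" as first argument runs them.
if [ "${1:-}" = apply ]; then apply; else ruleset "$LAN_IF" "$WAN_IF" "$LAN_NET" "$WAN_IP"; fi
```

Run without arguments to review the generated commands; run as root with `apply` to install them.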
