NAT, masquerade, proxy : some definitions

What is Network Address Translation?

Normally, packets on a network travel from their source (such as your home computer) to their destination (such as www.gnumonks.org) through many different links: about 19 from where I am in Australia. None of these links really alter your packet: they just send it onward.

If one of these links were to do NAT, then they would alter the source or destinations of the packet as it passes through. As you can imagine, this is not how the system was designed to work, and hence NAT is always something of a crock. Usually the link doing NAT will remember how it mangled a packet, and when a reply packet passes through the other way, it will do the reverse mangling on that reply packet, so everything works.

Why Would I Want To Do NAT?

In a perfect world, you wouldn't. Meanwhile, the main reasons are:

Modem Connections To The Internet

Most ISPs give you a single IP address when you dial up to them. You can send out packets with any source address you want, but only replies to packets with this source IP address will return to you. If you want to use multiple different machines (such as a home network) to connect to the Internet through this one link, you'll need NAT.

This is by far the most common use of NAT today, commonly known as masquerading in the Linux world. I call this SNAT, because you change the source address of the first packet.

Multiple Servers

Sometimes you want to change where packets heading into your network will go. Frequently this is because (as above), you have only one IP address, but you want people to be able to get into the boxes behind the one with the "real" IP address. If you rewrite the destination of incoming packets, you can manage this. This type of NAT was called port-forwarding under previous versions of Linux.

A common variation of this is load-sharing, where the mapping ranges over a set of machines, fanning packets out to them. If you're doing this on a serious scale, you may want to look at Linux Virtual Server.

Transparent Proxying

Sometimes you want to pretend that each packet which passes through your Linux box is destined for a program on the Linux box itself. This is used to make transparent proxies: a proxy is a program which stands between your network and the outside world, shuffling communication between the two. The transparent part is because your network won't even know it's talking to a proxy, unless of course, the proxy doesn't work.

Squid can be configured to work this way, and it is called redirection or transparent proxying under previous Linux versions.

Source: http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-2.html#ss2.1

How to build a gateway on a Linux system?

  1. Enable packet forwarding:

    echo 1 > /proc/sys/net/ipv4/ip_forward

  2. If need be, load the required kernel modules:

    A "Can't locate module ..." error may simply mean that the module is built into the kernel rather than available as a loadable module, which is normal.

  3. Enable masquerading on the interface facing the other network:

    iptables -A POSTROUTING -t nat -o interface -j MASQUERADE

    The interface is the device to which the other network (the Internet) is connected. It can be ppp0, eth0, eth1, ...

  4. Then define the corresponding routes.
  5. If this gateway is dedicated to sharing an Internet connection, a DNS forwarder must also be installed:

Information found on http://www.commentcamarche.net/reslinux/reslproxy.php3

IP address classes for private networking defined by RFC 1918

Class   Number of hosts    Network Id                          Subnet Mask      Prefix       Nb of bits for the machine address
A       n > 65535          10.0.0.0                            255.0.0.0        10/8         24
B       255 < n < 65535    from 172.16.0.0 to 172.31.0.0       255.240.0.0      172.16/12    20
C       n < 255            from 192.168.0.0 to 192.168.255.0   255.255.255.0    192.168/16   16

In a prefix written x/y, y is the number of most significant bits (MSB) of the binary IP address that make up the network part; the remaining 32 - y bits address the machine.

There is also something exotic called APIPA (Automatic Private IP Addressing), introduced at Microsoft's request. Basically, it lets client machines "auto-configure" their own IP address when they are set to use DHCP but no DHCP server appears to be available. An address is chosen in the range:

169.254.0.1 - 169.254.255.254

with mask:

255.255.0.0

The APIPA service also checks regularly for the presence of a DHCP server (every five minutes, according to Microsoft). If it detects a DHCP server on the network, APIPA stops, and the DHCP server replaces the APIPA networking addresses with dynamically assigned addresses.
APIPA is meant for non-routed small business environments, usually with fewer than 25 clients.
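As an added example (not code from the NAT-HOWTO or the commentcamarche page), the following Python ties the x/y prefix notation, the RFC 1918 table and the APIPA range together: it derives the mask from the y most significant bits, classifies an address as RFC 1918 private, APIPA or public, and applies one plausible per-source policy on a gateway's Internet interface. The function names and the per-class actions are assumptions of mine, not something either source specifies.

```python
# Added example (not from the NAT-HOWTO or commentcamarche); names/actions are my assumptions.
RFC1918 = {"A": "10/8", "B": "172.16/12", "C": "192.168/16"}  # prefixes from the table above
APIPA = "169.254/16"  # 169.254.0.0 with mask 255.255.0.0
def prefix_to_mask(bits):
    """Mask whose y most significant bits are set, for a prefix written 'x/y'."""
    if not 0 <= bits <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF

def dotted_to_int(addr):
    """'172.16.0.0' -> 0xAC100000, rejecting malformed input."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError("bad IPv4 address: %r" % addr)
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError("bad octet in %r" % addr)
        value = (value << 8) | n
    return value

def int_to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def in_prefix(addr, prefix):
    """True if addr lies in 'x/y'; x may be abbreviated as in the table ('10/8')."""
    net, bits = prefix.split("/")
    octets = net.split(".")
    net = ".".join(octets + ["0"] * (4 - len(octets)))  # '172.16' -> '172.16.0.0'
    mask = prefix_to_mask(int(bits))
    return dotted_to_int(addr) & mask == dotted_to_int(net) & mask

def classify(addr):
    """'private-A/B/C' for RFC 1918 space, 'apipa' for 169.254/16, else 'public'."""
    for cls, prefix in RFC1918.items():
        if in_prefix(addr, prefix):
            return "private-" + cls
    if in_prefix(addr, APIPA):
        return "apipa"
    return "public"

def egress_action(src):
    """Gateway policy on the Internet interface: masquerade RFC 1918 sources,
    drop APIPA sources (link-local, not meant to be routed), pass public ones."""
    kind = classify(src)
    if kind.startswith("private"):
        return "MASQUERADE"
    return "DROP" if kind == "apipa" else "ACCEPT"
```

Running prefix_to_mask over 8, 12 and 16 reproduces the subnet mask column of the table (255.0.0.0, 255.240.0.0, 255.255.0.0), which is a quick way to check a hand-written rule against the RFC 1918 blocks.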
See also: