MASQ all ------ 192.168.1.0/24 anywhere n/a
Chain output (policy ACCEPT):
Any rules with a target of MASQ are masquerade rules.
Finally, to list the rules using iptables you need to use:
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy DROP)
target prot opt source destination
MASQUERADE all -- anywhere anywhere MASQUERADE
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Again, masquerade rules appear with a target of MASQUERADE.
Setting Timing Parameters for IP Masquerade
When each new connection is established, the IP masquerade software creates an association in memory between each of the hosts involved in the connection. You can view these associations at any time by looking at the
You can set the timeout values using the ipfwadm command. The general syntax for this is:
ipfwadm -M -s ‹
and for the ipchains command it is:
ipchains -M -S ‹
The
Each of these values represents a timer used by the IP masquerade software and are in units of seconds. The following table summarizes the timers and their meanings:
| Name | Description |
|---|---|
| tcp | TCP session timeout. How long a TCP connection may remain idle before the association for it is removed. |
| tcpfin | TCP timeout after FIN. How long an association will remain after a TCP connection has been disconnected. |
| udp | UDP session timeout. How long a UDP connection may remain idle before the association for it is removed. |
Handling Name Server Lookups
Handling domain name server lookups from the hosts on the LAN with IP masquerading has always presented a problem. There are two ways of accomodating DNS in a masquerade environment. You can tell each of the hosts that they use the same DNS that the Linux router machine does, and let IP masquerade do its magic on their DNS requests. Alternatively, you can run a caching name server on the Linux machine and have each of the hosts on the LAN use the Linux machine as their DNS. Although a more aggressive action, this is probably the better option because it reduces the volume of DNS traffic travelling on the Internet link and will be marginally faster for most requests, since they'll be served from the cache. The downside to this configuration is that it is more complex. 'Caching-only named Configuration' in Chapter 6 describes how to configure a caching name server.
More About Network Address Translation
The
It is possible, for example, to build NAT rules that translate only certain addresses or ranges of addresses and leave all others untouched, or to translate addresses into pools of addresses rather than just a single address, as masquerade does. You can in fact use the iptables command to generate NAT rules that map just about anything, with combinations of matches using any of the standard attributes, such as source address, destination address, protocol type, port number, etc.
Translating the Source Address of a datagram is referred to as 'Source NAT,' or SNAT, in the
The topic of Network Address Translation and its uses warrants at least a whole chapter of its own.[68] Unfortunately we don't have the space in this book to cover it in any greater depth. You should read the IPTABLES-HOWTO for more information, if you're interested in discovering more about how you might use Network Address Translation.
Chapter 12. Important Network Features
