In Linux IP masquerading (also known as NAT,
or PAT) is done by the firewall kernel modules
The original change (for outgoing packets that must be masqueraded)
occurs after the routing decision, while the reverse change
(for arriving packets with the routerís destination IP address)
occurs before the routing decision.
Consider the following diagram:
the request packet from the host will have source,
destination addresses of
When (and if!) the web server sees this packet and replies,
it will use destination address of
But router B wonít know what to do with that packet!
If it forwards it at all (doubtful since this is a private
IP address) this reply packet will go to the wrong place.
Router A will transform the source address to
188.8.131.52 as the packet goes to the Internet.
Router B will have no trouble with the reply to that address.
When Router A receives the server's reply packet from the Internet,
it will transform the destination address back to
iptables command below remember to specify the
interface to the outside world, not the one to your private network!
(In the diagram above, for Router A,
is the interface with IP address of
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # echo 1 > /proc/sys/net/ipv4/ip_forward # cat /proc/net/ip_conntrack # list connections