These addresses are selected by the
ip route command
(sec.7.1, p.). F.e.
ip route add nat 18.104.22.168 via 22.214.171.124states that the single address 126.96.36.199 is a dummy NAT address. For all the world it looks like a host address inside our network. For neighbouring hosts and routers it looks like the local address of the translating router. The router answers ARP for it, advertises this address as routed via it, et al. When the router receives a packet destined for 188.8.131.52, it replaces this address with 184.108.40.206 which is the address of some real host and forwards the packet. If you need to remap blocks of addresses, you may use a command like:
ip route add nat 220.127.116.11/26 via 18.104.22.168This command will map a block of 63 addresses 22.214.171.124-255 to 126.96.36.199-127.
When an internal host (188.8.131.52 in the example above) sends something to the outer world and these packets are forwarded by our router, it should translate the source address 184.108.40.206 into 220.127.116.11. This task is solved by setting a special policy rule (sec.8.1, p.):
ip rule add prio 320 from 18.104.22.168 nat 22.214.171.124This rule says that the source address 126.96.36.199 should be translated into 188.8.131.52 before forwarding. It is important that the address after the
natkeyword is some NAT address, declared by ip route add nat. If it is just a random address the router will not map to it. 1cm NB. The exception is when the address is a local address of this router (or 0.0.0.0) and masquerading is configured in the linux-2.2 kernel. In this case the router will masquerade the packets as this address. If 0.0.0.0 is selected, the result is equivalent to one obtained with firewalling rules. Otherwise, you have the way to order Linux to masquerade to this fixed address. NAT mechanism used in linux-2.4 is more flexible than masquerading, so that this feature has lost meaning and disabled.
If the network has non-trivial internal structure, it is useful and even necessary to add rules disabling translation when a packet does not leave this network. Let us return to the example from sec.8.2 (p.).
300: from 184.108.40.206 to 220.127.116.11/24 lookup main 310: from 18.104.22.168 to 22.214.171.124/24 lookup main 320: from 126.96.36.199 lookup inr.ruhep map-to 188.8.131.52This block of rules causes normal forwarding when packets from 184.108.40.206 do not leave networks 193.233.7/24 and 192.203.80/24. Also, if the
inr.ruheptable does not contain a route to the destination (which means that the routing domain owning addresses from 192.203.80/24 is dead), no translation will occur. Otherwise, the packets are translated.