next up previous contents
Next: How to only translate Up: Route NAT status Previous: What it is not:   Contents

How it works.

Some part of the address space is reserved for dummy addresses which will look for all the world like some host addresses inside your network. No other hosts may use these addresses, however other routers may also be configured to translate them. 1cm NB. A great advantage of route NAT is that it may be used not only in stub networks but in environments with arbitrarily complicated structure. It does not firewall, it forwards.

These addresses are selected by the ip route command (sec.7.1, p.[*]). F.e.

  ip route add nat via
states that the single address is a dummy NAT address. For all the world it looks like a host address inside our network. For neighbouring hosts and routers it looks like the local address of the translating router. The router answers ARP for it, advertises this address as routed via it, et al. When the router receives a packet destined for, it replaces this address with which is the address of some real host and forwards the packet. If you need to remap blocks of addresses, you may use a command like:
  ip route add nat via
This command will map a block of 63 addresses to

When an internal host ( in the example above) sends something to the outer world and these packets are forwarded by our router, it should translate the source address into This task is solved by setting a special policy rule (sec.8.1, p.[*]):

  ip rule add prio 320 from nat
This rule says that the source address should be translated into before forwarding. It is important that the address after the nat keyword is some NAT address, declared by ip route add nat. If it is just a random address the router will not map to it. 1cm NB. The exception is when the address is a local address of this router (or and masquerading is configured in the linux-2.2 kernel. In this case the router will masquerade the packets as this address. If is selected, the result is equivalent to one obtained with firewalling rules. Otherwise, you have the way to order Linux to masquerade to this fixed address. NAT mechanism used in linux-2.4 is more flexible than masquerading, so that this feature has lost meaning and disabled.

If the network has non-trivial internal structure, it is useful and even necessary to add rules disabling translation when a packet does not leave this network. Let us return to the example from sec.8.2 (p.[*]).

300:	from to lookup main
310:	from to lookup main
320:	from lookup inr.ruhep map-to
This block of rules causes normal forwarding when packets from do not leave networks 193.233.7/24 and 192.203.80/24. Also, if the inr.ruhep table does not contain a route to the destination (which means that the routing domain owning addresses from 192.203.80/24 is dead), no translation will occur. Otherwise, the packets are translated.

next up previous contents
Next: How to only translate Up: Route NAT status Previous: What it is not:   Contents
Martin A. Brown 2003-03-14