These addresses are selected by the
ip route command
(sec.7.1, p.). F.e.
ip route add nat 188.8.131.52 via 184.108.40.206states that the single address 220.127.116.11 is a dummy NAT address. For all the world it looks like a host address inside our network. For neighbouring hosts and routers it looks like the local address of the translating router. The router answers ARP for it, advertises this address as routed via it, et al. When the router receives a packet destined for 18.104.22.168, it replaces this address with 22.214.171.124 which is the address of some real host and forwards the packet. If you need to remap blocks of addresses, you may use a command like:
ip route add nat 126.96.36.199/26 via 188.8.131.52This command will map a block of 63 addresses 184.108.40.206-255 to 220.127.116.11-127.
When an internal host (18.104.22.168 in the example above) sends something to the outer world and these packets are forwarded by our router, it should translate the source address 22.214.171.124 into 126.96.36.199. This task is solved by setting a special policy rule (sec.8.1, p.):
ip rule add prio 320 from 188.8.131.52 nat 184.108.40.206This rule says that the source address 220.127.116.11 should be translated into 18.104.22.168 before forwarding. It is important that the address after the
natkeyword is some NAT address, declared by ip route add nat. If it is just a random address the router will not map to it. 1cm NB. The exception is when the address is a local address of this router (or 0.0.0.0) and masquerading is configured in the linux-2.2 kernel. In this case the router will masquerade the packets as this address. If 0.0.0.0 is selected, the result is equivalent to one obtained with firewalling rules. Otherwise, you have the way to order Linux to masquerade to this fixed address. NAT mechanism used in linux-2.4 is more flexible than masquerading, so that this feature has lost meaning and disabled.
If the network has non-trivial internal structure, it is useful and even necessary to add rules disabling translation when a packet does not leave this network. Let us return to the example from sec.8.2 (p.).
300: from 22.214.171.124 to 126.96.36.199/24 lookup main 310: from 188.8.131.52 to 184.108.40.206/24 lookup main 320: from 220.127.116.11 lookup inr.ruhep map-to 18.104.22.168This block of rules causes normal forwarding when packets from 22.214.171.124 do not leave networks 193.233.7/24 and 192.203.80/24. Also, if the
inr.ruheptable does not contain a route to the destination (which means that the routing domain owning addresses from 192.203.80/24 is dead), no translation will occur. Otherwise, the packets are translated.