These addresses are selected by the
ip route command
(sec.7.1, p.). F.e.
ip route add nat 220.127.116.11 via 18.104.22.168states that the single address 22.214.171.124 is a dummy NAT address. For all the world it looks like a host address inside our network. For neighbouring hosts and routers it looks like the local address of the translating router. The router answers ARP for it, advertises this address as routed via it, et al. When the router receives a packet destined for 126.96.36.199, it replaces this address with 188.8.131.52 which is the address of some real host and forwards the packet. If you need to remap blocks of addresses, you may use a command like:
ip route add nat 184.108.40.206/26 via 220.127.116.11This command will map a block of 63 addresses 18.104.22.168-255 to 22.214.171.124-127.
When an internal host (126.96.36.199 in the example above) sends something to the outer world and these packets are forwarded by our router, it should translate the source address 188.8.131.52 into 184.108.40.206. This task is solved by setting a special policy rule (sec.8.1, p.):
ip rule add prio 320 from 220.127.116.11 nat 18.104.22.168This rule says that the source address 22.214.171.124 should be translated into 126.96.36.199 before forwarding. It is important that the address after the
natkeyword is some NAT address, declared by ip route add nat. If it is just a random address the router will not map to it. 1cm NB. The exception is when the address is a local address of this router (or 0.0.0.0) and masquerading is configured in the linux-2.2 kernel. In this case the router will masquerade the packets as this address. If 0.0.0.0 is selected, the result is equivalent to one obtained with firewalling rules. Otherwise, you have the way to order Linux to masquerade to this fixed address. NAT mechanism used in linux-2.4 is more flexible than masquerading, so that this feature has lost meaning and disabled.
If the network has non-trivial internal structure, it is useful and even necessary to add rules disabling translation when a packet does not leave this network. Let us return to the example from sec.8.2 (p.).
300: from 188.8.131.52 to 184.108.40.206/24 lookup main 310: from 220.127.116.11 to 18.104.22.168/24 lookup main 320: from 22.214.171.124 lookup inr.ruhep map-to 126.96.36.199This block of rules causes normal forwarding when packets from 188.8.131.52 do not leave networks 193.233.7/24 and 192.203.80/24. Also, if the
inr.ruheptable does not contain a route to the destination (which means that the routing domain owning addresses from 192.203.80/24 is dead), no translation will occur. Otherwise, the packets are translated.