These addresses are selected by the
ip route command
(sec.7.1, p.). F.e.
ip route add nat 126.96.36.199 via 188.8.131.52states that the single address 184.108.40.206 is a dummy NAT address. For all the world it looks like a host address inside our network. For neighbouring hosts and routers it looks like the local address of the translating router. The router answers ARP for it, advertises this address as routed via it, et al. When the router receives a packet destined for 220.127.116.11, it replaces this address with 18.104.22.168 which is the address of some real host and forwards the packet. If you need to remap blocks of addresses, you may use a command like:
ip route add nat 22.214.171.124/26 via 126.96.36.199This command will map a block of 63 addresses 188.8.131.52-255 to 184.108.40.206-127.
When an internal host (220.127.116.11 in the example above) sends something to the outer world and these packets are forwarded by our router, it should translate the source address 18.104.22.168 into 22.214.171.124. This task is solved by setting a special policy rule (sec.8.1, p.):
ip rule add prio 320 from 126.96.36.199 nat 188.8.131.52This rule says that the source address 184.108.40.206 should be translated into 220.127.116.11 before forwarding. It is important that the address after the
natkeyword is some NAT address, declared by ip route add nat. If it is just a random address the router will not map to it. 1cm NB. The exception is when the address is a local address of this router (or 0.0.0.0) and masquerading is configured in the linux-2.2 kernel. In this case the router will masquerade the packets as this address. If 0.0.0.0 is selected, the result is equivalent to one obtained with firewalling rules. Otherwise, you have the way to order Linux to masquerade to this fixed address. NAT mechanism used in linux-2.4 is more flexible than masquerading, so that this feature has lost meaning and disabled.
If the network has non-trivial internal structure, it is useful and even necessary to add rules disabling translation when a packet does not leave this network. Let us return to the example from sec.8.2 (p.).
300: from 18.104.22.168 to 22.214.171.124/24 lookup main 310: from 126.96.36.199 to 188.8.131.52/24 lookup main 320: from 184.108.40.206 lookup inr.ruhep map-to 220.127.116.11This block of rules causes normal forwarding when packets from 18.104.22.168 do not leave networks 193.233.7/24 and 192.203.80/24. Also, if the
inr.ruheptable does not contain a route to the destination (which means that the routing domain owning addresses from 192.203.80/24 is dead), no translation will occur. Otherwise, the packets are translated.