This article gives a very basic introduction to IP masquerading and its use cases.
IP masquerading is a process by which one device acts as an IP gateway for a network. All devices on the network that sit behind this gateway send their outgoing packets to it.
The gateway device maintains a table of source IP addresses (from the internal network) and destination IP addresses (out on the internet, for example when an internal host accesses an internet site). The gateway rewrites each packet, replacing the source IP with the gateway IP, and then forwards it to the internet. Hosts on the internet see the packet as arriving from the gateway IP and are unaware of the hosts behind the gateway.
When an internet host responds, the reply packet has the internet host's IP as its source IP and the gateway IP as its destination IP. When this packet arrives at the gateway device, the table is consulted to find the internal device to which the packet should be forwarded; the gateway then replaces the destination IP (the gateway IP) with the internal device's IP and forwards the packet to that device.
An important point to note: only devices behind the gateway on the internal network can initiate outbound connections. No inbound connection can be established, i.e. a device on the internet cannot initiate a connection directly to an internal device. The reason is that a process listening on a port produces no packets: the program simply binds to the port and waits, and it never announces that it is listening. An external host therefore has no way of knowing whether a connection can succeed; it would send a connection packet to the destination address, but if there is no host at that address the connection fails.
On a masqueraded network, the only IP address visible on the internet is the gateway device's IP address. Unless a translation is explicitly defined on the gateway device, there is no way for an inbound packet arriving at the gateway to be rewritten to a destination device on the internal network.
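The mechanism described above, as an added example that is not part of the original article: a small simulation of the gateway's translation table. It goes slightly beyond the article by tracking source ports as well as IP addresses (which is how a real gateway tells replies for different internal hosts apart), and it shows the inbound failure mode: a packet that matches no existing table entry is dropped rather than forwarded. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet: only the fields the gateway rewrites or looks up."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MasqueradeGateway:
    """Simulated masquerading gateway (hypothetical, illustration only)."""

    def __init__(self, gateway_ip: str, first_port: int = 40000):
        self.gateway_ip = gateway_ip
        self.next_port = first_port
        # (internal_ip, internal_port, remote_ip, remote_port) -> gateway_port
        self.out_table: dict[tuple, int] = {}
        # (gateway_port, remote_ip, remote_port) -> (internal_ip, internal_port)
        self.in_table: dict[tuple, tuple] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Internal host -> internet: record the flow, rewrite source to gateway."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        gw_port = self.out_table.get(key)
        if gw_port is None:
            # First packet of this flow: allocate a gateway port and remember both directions.
            gw_port = self.next_port
            self.next_port += 1
            self.out_table[key] = gw_port
            self.in_table[(gw_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.gateway_ip, gw_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Internet -> gateway: forward only if an internal host opened this flow.

        Returns the rewritten packet, or None when the packet is dropped.
        """
        if pkt.dst_ip != self.gateway_ip:
            return None  # not addressed to us at all
        entry = self.in_table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None  # unsolicited inbound packet: no translation entry, dropped
        internal_ip, internal_port = entry
        return Packet(pkt.src_ip, pkt.src_port, internal_ip, internal_port)
```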