Masquerading
Hi,
RTFM about masquerading:
man ipfwadm
....
-m Masquerade packets accepted for forwarding. When
this option is set, packets accepted by this rule
will be masqueraded as if they originated from the
local host. Furthermore, reverse packets will be
recognized as such and they will be demasqueraded
automatically, bypassing the forwarding firewall.
This option is only valid in forwarding firewall
rules with policy accept (or when specifying accept
as default policy) and can only be used when the
kernel is compiled with CONFIG_IP_MASQUERADE
defined.
....
man ipfw
....
This paragraph describes the way a packet goes through the
firewall and accounting rules. Packets received via one
of the local network interface will pass the following
sets of rules:
accounting (incoming device)
input firewall (incoming device)
Here, the device (network interface) that is used when
trying to match a rule with an IP packet is listed between
brackets. After this step, a packet will optionally be
redirected to a local socket. When a packet has to be
forwarded to a remote host, it will also pass the next set
of rules:
forwarding firewall (outgoing device)
After this step, a packet will optionally be masqueraded.
Responses to masqueraded packets will never pass the forwarding
firewall (but they will pass both the input and
output firewalls). All packets sent via one of the local
network interfaces, either locally generated or being forwarded,
will pass the following sets of rules:
output firewall (outgoing device)
accounting (outgoing device)
Note that masqueraded packets will pass the output firewall
and accounting rules with the new packet headers
(after passing the input and forwarding firewall with the
original headers). Also, responses to masqueraded packets
will have different headers when passing the input and
output firewall rules.
....
Now, I want to set up masquerading with this topology:
Provider (ISP-IP) <---> FW/MASQU (FW-IP) <---> INTERNAL (OWN-IP)
Consider sending mail from OWN-IP to ISP-IP with masquerading:
The firewall will use IP-Headers:
incoming: OWN-IP
forward : OWN-IP
outgoing: FW-IP (masqueraded, uses temp. port)
and responses will use:
incoming: FW-IP (temp. port)
outgoing: OWN-IP
without forwarding.
This leads to the following:
- In order to masquerade the packets, they must be accepted for forwarding
with the original IP header.
- Outgoing IP headers use FW-IP on a temporary port
=> In order to use masquerading, I have to allow the
temporarily used "masquerade ports" on the firewall in the incoming direction!
What about, e.g., incoming mail?
The ISP only knows the (masqueraded) FW-IP as a reachable host. So to get
incoming mail working, IP redirection has to be used to connect the
incoming SMTP connection to the mail host.
Result:
1) I don't want to allow any connection with the destination address
of my firewall,
2) IP redirection is still in alpha/beta (?), so I don't want to
use this either,
3) In order to use masquerading, I have to use a dedicated masquerading
host, e.g. with the following topology:
Provider (ISP-IP) <---> FW (FW-IP) <---> MASQU (MQ-IP) <---> INTERNAL (OWN-IP)
Any suggestions for this scenario?
Is my interpretation correct?
How do you set up masquerading?
--
Kind regards
Jens Hellmerichs-Friedrich
http://www.fen.baynet.de/jens.hellmerichs-friedrich
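
The rule-set order quoted from the ipfw man page in the message above, as a toy model that records which headers each firewall rule set sees. This is an added example, not part of the original message and not kernel code; the addresses, the temporary port, and the names Packet, traverse and input_ok are constructed for the illustration, and the accounting rule sets are left out.

```python
from dataclasses import dataclass, replace

# Constructed sample values standing in for OWN-IP, FW-IP and ISP-IP.
OWN, FW, ISP = "10.0.0.5", "192.0.2.1", "198.51.100.25"
TEMP_PORT = 61000  # constructed temporary masquerading port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def traverse(pkt, masq_table, input_ok=lambda p: True):
    """Return [(rule set, packet as that rule set sees it)] for one packet.

    masq_table maps (FW address, temp port) -> (internal host, original port).
    input_ok models the input firewall policy (hypothetical callback).
    """
    seen = [("input", pkt)]
    if not input_ok(pkt):
        return seen + [("DENIED by input", pkt)]
    key = (pkt.dst, pkt.dport)
    if key in masq_table:
        # Response to a masqueraded packet: demasqueraded automatically,
        # never passes the forwarding firewall.
        host, port = masq_table[key]
        pkt = replace(pkt, dst=host, dport=port)
    elif pkt.src == OWN:
        # Accepted for forwarding with the original headers, then masqueraded.
        seen.append(("forward", pkt))
        masq_table[(FW, TEMP_PORT)] = (pkt.src, pkt.sport)
        pkt = replace(pkt, src=FW, sport=TEMP_PORT)
    else:
        return seen + [("not forwarded in this model", pkt)]
    seen.append(("output", pkt))  # output rules see the new headers
    return seen


if __name__ == "__main__":
    table = {}
    flows = [
        ("mail out", Packet(OWN, 1025, ISP, 25), lambda p: True),
        ("reply", Packet(ISP, 25, FW, TEMP_PORT), lambda p: True),
        ("reply, input denies dst FW", Packet(ISP, 25, FW, TEMP_PORT),
         lambda p: p.dst != FW),
    ]
    for label, pkt, policy in flows:
        print(label)
        for rule_set, p in traverse(pkt, table, policy):
            print(f"  {rule_set:<16} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

In this model an input policy that denies every packet addressed to the firewall stops the reply before it can be demasqueraded, because the input rule set sees the firewall address and temporary port as the destination.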