Postrouting and IP Masquerading in Linux
IPTables is responsible to handle packet filtering in Linux system. IPTables contains several predefined and/or user-defined tables. Each table contains chains and chain contain packet rules. IPTables uses NAT table to forward packets to another node.
What is POSTROUTING?
A Postrouting chain in NAT table means altering the IP packet after the routing is completed. Logically, a postrouting can be used to change the Source Address. As the routing is completed and destination has his own address, the only unknown address that can be masked is the Source. This is why postrouting is used for SNAT.
What is IP MASQUERADING?
Now, when a packet leaves the local network and tries to travel the public network, it will fail to traverse if it keeps using the local details. This is where IP Masquerading plays the role. IP Masquerading is masking the packet with identity of the external interface.
How POSTROUTING and MASQUERADING relates?
When a packet arrives to the local gateway that has external interface, masks the packet with IP Masquerading and send it through the public interface. That says, packet has to be routed first before mangling it for Masquerading. That is why, you need to apply the Masquerading target on the Postrouting chain of the NAT table.
How to setup Masquerading in Linux Firewall?
The following command will enable IP Masquerading in Linux Firewall:
$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The above rule will use NAT table (-t nat) on built-in Postrouting Chain (-A POSTROUTING) on interface eth0 (-o eth0).
The target Masquerade (-j MASQUERADE) advises to mask the above matched IP packets from the related table to external interface of the system.
Thus the above, would allow the local networks to gain access to external network through IP Masquerading.
Source: Mellowhost
