IP masquerading is a form of network address translation (NAT) that allows internal computers, which have no address
known outside their own network, to communicate with the outside. It allows one machine to act on behalf of other
machines. It is similar to someone buying stocks through a broker (ignoring the monetary transaction): the person buying
stocks tells the broker to buy them, the broker buys the stocks and passes them to the person who placed the order. The
broker acts on behalf of the purchaser as though he were the one buying the stock. No one who sold the stock knew or cared
whether the broker was buying for himself or for someone else.
Please DO NOT confuse routers with firewalls, or either of them with IP masquerading. The commands that enable IP
masquerading are a simple form of firewall, whereas routing is a completely different function, as described previously.
Setting a computer up to act as a router is not the same as setting it up to act as a firewall. The two are similar in that
both sit between two networks or subnets and carry traffic between them, but the similarity ends there: a router's job is to
forward every packet it has a route for, while a firewall's job is to decide which packets may pass at all. A masquerading
gateway necessarily forwards packets, so it is a router as well as a firewall; the point is that its forwarding must be
governed by its filtering rules. If you enable forwarding on a machine and leave it free to pass any packet in either
direction, you have defeated the purpose of your firewall!
If you refer to the diagram below, the machines on network 192.168.2.x will obtain services through gateway B using IP
masquerading, once gateway B is set up properly. What happens when IP masquerading is set up on gateway B is described
in the following example. If machine S6 tries to ping S2, S6 knows from its netmask that S2 is on another network, so it
hands the ping packets to its default gateway, gateway B, rather than trying to reach S2 directly. When gateway B receives
the packets from S6, it rewrites their source address so that they appear to have been sent by gateway B itself, records
which internal machine they really came from, and sends them on to S2. As far as S2 can tell, gateway B has pinged it. S2
receives the packets and responds to gateway B. Gateway B looks up its record, rewrites the replies so that they are
addressed to S6, and sends them on. This is why it is called IP masquerading: gateway B masquerades for machines S4, S5,
and S6. Machines S1 through S3 and gateway A cannot initiate any communication with S4 through S6 (unless gateway B is
explicitly configured to forward particular ports to them). In fact they have no way to know that those machines even
exist! Note that for any of this to work, gateway B must have IP forwarding enabled and S4 through S6 must use it as their
default gateway.
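To make the exchange above concrete, here is an added example (not code from the original page) that models gateway B's
translation table in Python: outbound packets get the gateway's address and a fresh identifier, replies are mapped back to
the inside host that sent the request, and anything arriving from outside that matches no table entry is dropped, which is
the filtering decision that makes a masquerading box a firewall as well as a router. The page gives only the 192.168.2.x
network; the addresses 192.168.1.2 for S2, 192.168.1.1 for S1 and 192.168.1.254 for gateway B's outside interface are
assumptions. It goes a little beyond the ping case by handling TCP/UDP source ports the same way it handles ICMP echo
identifiers.

```python
"""Toy model of IP masquerading (source NAT with a translation table) on gateway B.

Added example, not code from the original page. The page only names the
192.168.2.x inside network; S2 = 192.168.1.2, S1 = 192.168.1.1 and gateway B's
outside interface = 192.168.1.254 are assumptions made for this example.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

OUTSIDE_ADDR = "192.168.1.254"   # assumed outside address of gateway B
INSIDE_PREFIX = "192.168.2."     # the 192.168.2.x network from the page


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str     # "icmp", "tcp" or "udp"
    sport: int     # source port; for ICMP echo, the echo identifier
    dport: int = 0


class Masquerader:
    """Rewrites outbound packets to look like they came from the gateway and
    maps replies back to the real sender, using a per-flow translation table."""

    def __init__(self, outside_addr: str, inside_prefix: str) -> None:
        self.outside_addr = outside_addr
        self.inside_prefix = inside_prefix
        # (proto, gateway-side port/id, remote addr, remote port) -> (inside addr, inside port/id)
        self.table: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self.next_id = 1024   # next free gateway-side port/identifier

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: substitute the gateway's address and a fresh
        port/identifier, and remember who really sent it."""
        if not pkt.src.startswith(self.inside_prefix):
            raise ValueError("outbound() only handles packets from the inside network")
        new_id = self.next_id
        self.next_id += 1
        self.table[(pkt.proto, new_id, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_addr, sport=new_id)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: deliver only a reply to an entry in the table;
        everything else is dropped (returned as None)."""
        if pkt.dst != self.outside_addr:
            return None   # inside hosts are not addressable from outside at all
        if pkt.proto == "icmp":
            key = ("icmp", pkt.sport, pkt.src, 0)        # echo reply keeps the request's id
        else:
            key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)  # TCP/UDP replies swap ports
        if key not in self.table:
            return None   # unsolicited: nobody inside asked for this
        inside_addr, inside_id = self.table[key]
        if pkt.proto == "icmp":
            return replace(pkt, dst=inside_addr, sport=inside_id)
        return replace(pkt, dst=inside_addr, dport=inside_id)


def ping_exchange() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """S6 pings S2 through gateway B, as in the text; S1 then tries to ping
    the gateway unsolicited and gets nothing through."""
    gw = Masquerader(OUTSIDE_ADDR, INSIDE_PREFIX)
    request = Packet("192.168.2.6", "192.168.1.2", "icmp", sport=4321)
    on_wire = gw.outbound(request)                         # what S2 sees: from gateway B
    reply = Packet(on_wire.dst, on_wire.src, "icmp", sport=on_wire.sport)
    delivered = gw.inbound(reply)                          # mapped back to S6
    unsolicited = gw.inbound(Packet("192.168.1.1", OUTSIDE_ADDR, "icmp", sport=7))
    return on_wire, delivered, unsolicited


def two_hosts_same_id() -> Tuple[int, int, str]:
    """S4 and S6 both ping S2 with the same echo identifier; the gateway must
    hand out distinct identifiers so each reply reaches the right host."""
    gw = Masquerader(OUTSIDE_ADDR, INSIDE_PREFIX)
    a = gw.outbound(Packet("192.168.2.4", "192.168.1.2", "icmp", sport=1))
    b = gw.outbound(Packet("192.168.2.6", "192.168.1.2", "icmp", sport=1))
    reply_to_b = gw.inbound(Packet("192.168.1.2", OUTSIDE_ADDR, "icmp", sport=b.sport))
    return a.sport, b.sport, reply_to_b.dst


def web_request() -> Optional[Packet]:
    """S5 opens a TCP connection to port 80 on S2; the SYN/ACK comes back to
    the gateway-side port and is mapped to S5's real source port."""
    gw = Masquerader(OUTSIDE_ADDR, INSIDE_PREFIX)
    syn = gw.outbound(Packet("192.168.2.5", "192.168.1.2", "tcp", sport=40000, dport=80))
    syn_ack = Packet("192.168.1.2", OUTSIDE_ADDR, "tcp", sport=80, dport=syn.sport)
    return gw.inbound(syn_ack)


if __name__ == "__main__":
    print(ping_exchange())
    print(two_hosts_same_id())
    print(web_request())
```

The table is the whole trick: it is what lets gateway B tell a reply for S6 apart from a reply for S4, and its absence for an unsolicited packet is what keeps S1 from reaching anything behind the gateway. A real implementation also ages entries out, and a port-forwarding rule is simply a table entry that is created by the administrator instead of by an outbound packet.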