Novell LINUX ENTERPRISE DESKTOP 10 SP2 - DEPLOYMENT GUIDE 08-05-2008 Deployment Manual page 751

hosts in the local network connected to the network card (such as eth0) of the router,
they can send any packets not destined for the local network to their default gateway
or router.
IMPORTANT: Using the Correct Network Mask
When configuring your network, make sure both the broadcast address and
the netmask are the same for all local hosts. Failing to do so prevents packets
from being routed properly.
As mentioned, whenever one of the LAN hosts sends a packet destined for an Internet
address, it goes to the default router. However, the router must be configured before it
can forward such packets. For security reasons, this is not enabled in a default installa-
tion. To enable it, set the variable IP_FORWARD in the file /etc/sysconfig/
sysctl to IP_FORWARD=yes.
The target host of the connection can see your router, but knows nothing about the host
in your internal network where the packets originated. This is why the technique is
called masquerading. Because of the address translation, the router is the first destination
of any reply packets. The router must identify these incoming packets and translate
their target addresses, so packets can be forwarded to the correct host in the local net-
work.
With the routing of inbound traffic depending on the masquerading table, there is no
way to open a connection to an internal host from the outside. For such a connection,
there would be no entry in the table. In addition, any connection already established
has a status entry assigned to it in the table, so the entry cannot be used by another
connection.
As a consequence of all this, you might experience some problems with a number of
application protocols, such as ICQ, cucme, IRC (DCC, CTCP), and FTP (in PORT
mode). Web browsers, the standard FTP program, and many other programs use the
PASV mode. This passive mode is much less problematic as far as packet filtering and
masquerading are concerned.
Masquerading and Firewalls 735