6.9. NAT with kernel 2.2 or higher

IP network address translation (NAT) replaces the older GNU/Linux IP Masquerade facility, making its features obsolete while adding new ones to the service. One of the improvements in the TCP/IP stack of GNU/Linux 2.2 is that NAT is integrated into the kernel. In order to use it, we have to compile the kernel with:


And if we need comprehensive control of the NAT rules (for example, to activate the firewall), we must also have


In order to work with these new features, we need to use the ip program (which can be obtained from ftp://ftp.inr.ac.ru/ip_routing/). Then, to translate the destination addresses of incoming datagrams, we can use:

ip route add nat <extaddr>[/<masklen>] via <intaddr>

This translates the destination address of an incoming packet addressed to extaddr (the address that is visible externally from the Internet) into intaddr (the address on the internal network behind the gateway/firewall). The packet is then routed according to the local routing table. Either a single address or a whole block of addresses (extaddr with a masklen) can be translated. For example:

ip route add nat via
ip route add nat via

The first makes the internal address accessible as The second remaps the block to In this case, we have used, as an example, translations to class D and E addresses, such as 240.0.*.*, so as not to use a public address. The user must replace these addresses ( and ) with the corresponding public addresses to which they wish to translate. [Ran05]
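As an added illustration (not part of the original text nor of the iproute2 sources), the following Python model shows what the two forms of the ip route add nat command above do to the destination of an incoming packet: a single-address entry rewrites exactly one address, while a block entry keeps the host bits of the external address and grafts them onto the internal block. The addresses in the table are constructed for the example only.

```python
import ipaddress

# Constructed NAT table mirroring the command shape
#   ip route add nat <extaddr>[/<masklen>] via <intaddr>
# Each entry is (externally visible address or block, internal address or block start).
NAT_ROUTES = [
    ("240.0.0.1", "192.168.1.1"),      # single address (implicit /32)
    ("240.0.1.0/24", "192.168.2.0"),   # whole /24 block, host bits preserved
]


def translate_incoming(dst, nat_routes=NAT_ROUTES):
    """Model of route-based NAT applied to an incoming packet's destination.

    Returns the internal address the destination would be rewritten to, or
    None when no nat route matches (the packet is delivered to dst unchanged).
    As in the kernel routing table, the longest matching prefix wins.
    """
    dst_ip = ipaddress.IPv4Address(dst)
    best = None
    for ext, internal in nat_routes:
        ext_net = ipaddress.IPv4Network(ext, strict=False)  # "a.b.c.d" -> a.b.c.d/32
        if dst_ip not in ext_net:
            continue
        if best is None or ext_net.prefixlen > best[0].prefixlen:
            best = (ext_net, ipaddress.IPv4Address(internal))
    if best is None:
        return None
    ext_net, int_base = best
    # Offset of the destination inside the external block; for a /32 it is 0.
    host_offset = int(dst_ip) - int(ext_net.network_address)
    return str(int_base + host_offset)


if __name__ == "__main__":
    for dst in ("240.0.0.1", "240.0.1.37", "240.0.5.1"):
        print(dst, "->", translate_incoming(dst))
```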