To use the IP masquerade facility, your kernel must be compiled with masquerade support. You must select the following options when configuring a 2.2 series kernel:

Networking options  --->
	[*] Network firewalls
	[*] TCP/IP networking
	[*] IP: firewalling
	[*] IP: masquerading
	--- Protocol-specific masquerading support will be built as modules.
	[*] IP: ipautofw masq support
	[*] IP: ICMP masquerading

Note that some of the masquerade support is available only as a kernel module. This means that you must ensure that you "make modules" in addition to the usual "make zImage" when building your kernel.

The 2.4 series kernels no longer offer IP masquerade support as a kernel compile time option. Instead, you should select the network packet filtering option:

Networking options  --->
    [M] Network packet filtering (replaces ipchains)

In the 2.2 series kernels, a number of protocol-specific helper modules are created during kernel compilation. Some protocols begin with an outgoing request on one port, and then expect an incoming connection on another. Normally these cannot be masqueraded, as there is no way of associating the second connection with the first without peering inside the protocols themselves. The helper modules do just that; they actually look inside the datagrams and allow masquerading to work for supported protocols that otherwise would be impossible to masquerade. The supported protocols are: