5

What is the relationship between port-forwarding and masquerading?

If server A is configured to masquerade its clients, and client B accesses the Internet through server A,

then since client B is masquerading as server A, is that essentially the same thing as having all of client B's ports forwarded?

3 Answers

8

Masquerading: All machines in your internal network appear at the same (set of) public addresses. I.e., you can have 8 public IP addresses, and a network of 200 machines with private addresses using them to go "outside". When a host inside wants to open a connection to the outside, the connection gets assigned an IP address and port from this pool. It was conceived as a way of conserving IPv4 addresses when it became clear they were going scarce, and then (ab)used as a security measure (any incoming connections are at the mercy of the machine doing the translating). This is usually called NAT (Network Address Translation); if there is just one public address it is more accurately called PAT (Port Address Translation, only ports are translated). But both are usually named NAT.

Port forwarding: All traffic directed at a certain IP address and port is sent to another address and port; any responses follow the reverse path. This is usually coupled with masquerading (i.e., outside accesses the HTTP or SMTP ports on one of the masquerading addresses, and traffic to that port is handled by the internal machine offering that service). It can also be done if both the forwarder and its target have public addresses, but it is rather pointless.

Firewall: A machine filtering traffic between networks, typically an internal network and the Internet, but it could also separate two internal networks. The firewall inspects connection requests and/or flowing traffic, and denies traffic (or modifies it). It is usually combined with the above two.

5

Masquerading = NAT

Port forwarding = telling NAT to forward new incoming traffic on a certain port to another IP and port "behind it".

If you didn't set up port forwarding on A, B isn't going to receive any new incoming connections from outside of A.

1

IP Masquerading

The purpose of IP Masquerading is to allow machines with private, non-routable IP addresses on your network to access the Internet through the machine doing the masquerading. Traffic from your private network destined for the Internet must be manipulated for replies to be routable back to the machine that made the request. To do this, the kernel must modify the source IP address of each packet so that replies will be routed back to it, rather than to the private IP address that made the request, which is impossible over the Internet. Linux uses Connection Tracking (conntrack) to keep track of which connections belong to which machines and reroute each return packet accordingly. Traffic leaving your private network is thus "masqueraded" as having originated from your Ubuntu gateway machine. This process is referred to in Microsoft documentation as Internet Connection Sharing.

https://help.ubuntu.com/lts/serverguide/firewall.html.en#ip-masquerading

Port-Forwarding

All network connection requests include a "port". The port is just a number, and it's part of how a computer knows what the packet is. IANA has specified that Port 80 is used for HTTP. This means that an incoming packet that says port number 80 must be a request intended for a web server. Port forwarding on your router allows you to enter a port number (or possibly a range or combination of numbers, depending on the router), and an IP address. All incoming connections with a matching port number will be forwarded to the internal computer with that address.

Also have a look here: https://superuser.com/questions/284051/what-is-port-forwarding-and-what-is-it-used-for
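The following is an added example, not code from any of the answers above or from the Linux kernel: a toy Python model of a gateway that masquerades a private LAN with a connection-tracking table and optionally port-forwards. It ties together the definitions in the first answer and the conntrack explanation in the third, and shows the point the second answer makes: a reply to a connection B opened is translated back to B, but an unsolicited connection to B's port is dropped until a port forward exists. All addresses, ports and the `Gateway`/`Packet` names are constructed for the illustration (the public addresses come from the documentation ranges, not from any real host).

```python
"""Toy model of a masquerading (SNAT) gateway with optional port forwards (DNAT).
Constructed example for illustration; not the kernel's conntrack code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True marks a new-connection request (like a TCP SYN)


class Gateway:
    def __init__(self, public_ip: str, first_nat_port: int = 1024) -> None:
        self.public_ip = public_ip
        self.next_port = first_nat_port
        # conntrack: (public port, remote ip, remote port) -> (private ip, private port)
        self.conntrack: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        # reverse index so packets of one private flow keep the same public port
        self.flow_port: Dict[Tuple[str, int, str, int], int] = {}
        # port forwards: public port -> (internal ip, internal port)
        self.forwards: Dict[int, Tuple[str, int]] = {}

    def add_port_forward(self, public_port: int, internal_ip: str, internal_port: int) -> None:
        self.forwards[public_port] = (internal_ip, internal_port)

    def lan_to_internet(self, pkt: Packet) -> Packet:
        """Masquerade: rewrite the source to the public IP and a tracked port."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.flow_port.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.flow_port[key] = port
            self.conntrack[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, port, pkt.dst, pkt.dport, pkt.syn)

    def internet_to_lan(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet, or None when the gateway drops it."""
        if pkt.dst != self.public_ip:
            return None
        # 1. reply to a tracked connection: undo the earlier source translation
        hit = self.conntrack.get((pkt.dport, pkt.src, pkt.sport))
        if hit is not None:
            return Packet(pkt.src, pkt.sport, hit[0], hit[1], pkt.syn)
        # 2. new connection on a forwarded port: DNAT it to the internal host
        fwd = self.forwards.get(pkt.dport)
        if fwd is not None and pkt.syn:
            self.conntrack[(pkt.dport, pkt.src, pkt.sport)] = fwd
            self.flow_port[(fwd[0], fwd[1], pkt.src, pkt.sport)] = pkt.dport
            return Packet(pkt.src, pkt.sport, fwd[0], fwd[1], pkt.syn)
        # 3. no mapping of either kind: the packet is dropped
        return None


def demo():
    gw = Gateway("203.0.113.1")                      # server A's public address (constructed)
    # client B (192.168.1.20) opens an HTTPS connection to an outside host
    out = gw.lan_to_internet(Packet("192.168.1.20", 40000, "198.51.100.7", 443, syn=True))
    # the outside host's reply comes back to A's public address and NAT port
    reply = gw.internet_to_lan(Packet("198.51.100.7", 443, "203.0.113.1", out.sport))
    # an unrelated host tries to reach port 22 on A: no forward, so it is dropped
    unsolicited = gw.internet_to_lan(Packet("198.51.100.9", 50000, "203.0.113.1", 22, syn=True))
    # after A forwards port 22 to B, the same attempt reaches B
    gw.add_port_forward(22, "192.168.1.20", 22)
    forwarded = gw.internet_to_lan(Packet("198.51.100.9", 50000, "203.0.113.1", 22, syn=True))
    # B's reply leaves with A's public address and port 22, not a fresh NAT port
    server_reply = gw.lan_to_internet(Packet("192.168.1.20", 22, "198.51.100.9", 50000))
    return out, reply, unsolicited, forwarded, server_reply


if __name__ == "__main__":
    for name, pkt in zip(("out", "reply", "unsolicited", "forwarded", "server_reply"), demo()):
        print(f"{name:13} {pkt}")
```

The `unsolicited` result is the answer to the question: masquerading alone gives B outbound reachability and translated replies, nothing more; only an explicit forward makes a port of B reachable from outside.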
