Well I think this system is back on 3.5. How do I tell? Have not used it in a while...
I need a NAT for some quick testing and this box was available. Only a 6gb drive, so I can't install Astaro (which I have licenses for).
So is there a simple way to turn on NATing? Should I upgrade to 4.2?
This box is behind a firewall, so security risks are not the issue. This time.
On Mon, 2005-12-19 at 11:34 -0500, Robert Moskowitz wrote:
Well I think this system is back on 3.5. How do I tell? Have not used it in a while...
---- cat /etc/redhat-release ----
I need a NAT for some quick testing and this box was available. Only a 6gb drive, so I can't install Astaro (which I have licenses for).
---- multiple NICs?
yum install firestarter or http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/c-html/index.html ----
So is there a simple way to turn on NATing? Should I upgrade to 4.2?
---- simple no - NAT requires firewall rules. For this purpose, there shouldn't be much of a difference between CentOS 3 or 4 ----
This box is behind a firewall, so security risks are not the issue. This time.
---- OK
Craig
At 12:09 PM 12/19/2005, Craig White wrote:
On Mon, 2005-12-19 at 11:34 -0500, Robert Moskowitz wrote:
I need a NAT for some quick testing and this box was available. Only a 6gb drive, so I can't install Astaro (which I have licenses for).
multiple NICs?
Yes.
yum install firestarter
"Cannot find a package firestarter" or just about that wording...
Now what.
Oh and how do I get the list of installed packages? Been a while (6 months?) and I tend to forget. I better start a journal!
or http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/c-html/index.html
For that I would find my old Astaro 4.0 CD and run that for the 2 weeks I have to do this.
On Mon, 2005-12-19 at 19:21 -0500, Robert Moskowitz wrote:
At 12:09 PM 12/19/2005, Craig White wrote:
On Mon, 2005-12-19 at 11:34 -0500, Robert Moskowitz wrote:
I need a NAT for some quick testing and this box was available. Only a 6gb drive, so I can't install Astaro (which I have licenses for).
multiple NICs?
Yes.
yum install firestarter
"Cannot find a package firestarter" or just about that wording...
Now what.
---- sorry, I thought firestarter was in centos extras - another reply has links to firestarter rpms ----
Oh and how do I get the list of installed packages? Been a while (6 months?) and I tend to forget. I better start a journal!
or http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/c-html/index.html
For that I would find my old Astaro 4.0 CD and run that for the 2 weeks I have to do this.
---- his ipmasq scripts are pretty simple to implement...you should be able to get them up and running in minutes. Fully commented, nice
Craig
Robert Moskowitz rgm@htt-consult.com wrote:
Well I think this system is back on 3.5. How do I tell? Have not used it in a while...
cat /etc/redhat-release
I need a NAT for some quick testing and this box was available. Only a 6gb drive, so I can't install Astaro (which I have licenses for). So is there a simple way to turn on NATing? Should I upgrade to 4.2?
Why would you upgrade to 4.2? NetFilter and the IPTables interface have changed little since 2.4.
E.g., given a private network of 172.31/16, and an Internet-facing interface of eth2
/sbin/iptables -A POSTROUTING -t nat -s 172.31.0.0/255.255.0.0 -o eth2 -j MASQUERADE
echo "1" >> /proc/sys/net/ipv4/ip_forward
This also assumes you already have existing iptables rules regarding ESTABLISHED,RELATED states and other firewall rules.
This box is behind a firewall, so security risks are not the issue. This time.
Is your firewall also doing NAT+PAT? If so, then I don't recommend 2 layers of NAT+PAT -- especially not on a corporate network.
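The MASQUERADE rule and ip_forward setting above, plus the ESTABLISHED,RELATED forwarding rules that Bryan says are assumed, as one script. This is an added example, not something from the thread or from any of the posters; LAN_NET, EXT_IF, DRY_RUN and the function names are this example's own choices. It defaults to a dry run that only prints the commands, so you can review them before running it as root with DRY_RUN=0. The policy check reads the first line of `iptables -L FORWARD -n` to tell you whether the FORWARD chain drops by default, which is exactly the case where return traffic to the LAN dies without the state rule.

```shell
#!/bin/sh
# Added example (not from the CentOS list thread): masquerading NAT on a Linux box.
# LAN_NET, EXT_IF, DRY_RUN and the function names are assumptions of this example.
# DRY_RUN=1 (default) prints the commands instead of running them.

LAN_NET="${LAN_NET:-172.31.0.0/16}"   # private network used in the thread's example
EXT_IF="${EXT_IF:-eth2}"              # Internet-facing interface from the thread
DRY_RUN="${DRY_RUN:-1}"

# Print a command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Given the header line of `iptables -L FORWARD -n`, e.g.
#   Chain FORWARD (policy ACCEPT)
# succeed only when the chain's default policy is ACCEPT. With any other
# policy the ESTABLISHED,RELATED rule below is mandatory, not optional.
forward_policy_accepts() {
    printf '%s\n' "$1" | grep -q 'policy ACCEPT'
}

# Emit (or apply) the rules for masquerading $1 out of interface $2.
# The two FORWARD rules make this work even when the FORWARD policy is DROP,
# and they limit forwarding to the LAN -> Internet direction plus replies.
apply_masq() {
    lan="$1"; ext="$2"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i "$ext" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$lan" -o "$ext" -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$lan" -o "$ext" -j MASQUERADE
}

# Report the current FORWARD policy (if iptables is present), then emit the rules.
policy_line="$(iptables -L FORWARD -n 2>/dev/null | head -n 1 || true)"
if forward_policy_accepts "$policy_line"; then
    echo "# FORWARD policy is ACCEPT: the box already forwards everything; rules below just add NAT"
else
    echo "# FORWARD policy is not ACCEPT (or unknown): the ESTABLISHED,RELATED rule below is required"
fi
apply_masq "$LAN_NET" "$EXT_IF"
```

Note that with the FORWARD policy left at ACCEPT, as Rodrigo's "all default rules are ACCEPT" condition describes, the box routes anything between its interfaces; the explicit `-s "$lan" -o "$ext"` rule above only matters once you tighten that policy.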
At 12:55 PM 12/19/2005, Bryan J. Smith wrote:
Robert Moskowitz rgm@htt-consult.com wrote:
Well I think this system is back on 3.5. How do I tell? Have not used it in a while...
cat /etc/redhat-release
thanks
I need a NAT for some quick testing and this box was available. Only a 6gb drive, so I can't install Astaro (which I have licenses for). So is there a simple way to turn on NATing? Should I upgrade to 4.2?
Why would you upgrade to 4.2? NetFilter and the IPTables interface have changed little since 2.4.
Good. Just did not know if things were improved enough to warrant it.
E.g., given a private network of 172.31/16, and an Internet-facing interface of eth2
/sbin/iptables -A POSTROUTING -t nat -s 172.31.0.0/255.255.0.0 -o eth2 -j MASQUERADE
echo "1" >> /proc/sys/net/ipv4/ip_forward
This also assumes you already have existing iptables rules regarding ESTABLISHED,RELATED states and other firewall rules.
I suspect not. When I installed this system I turned off the Linux firewall feature.
This box is behind a firewall, so security risks are not the issue. This time.
Is your firewall also doing NAT+PAT? If so, then I don't recommend 2 layers of NAT+PAT -- especially not on a corporate network.
First off, let me introduce myself. Go take a look at RFC 1918 and look for the name 'Moskowitz'. Also RFCs 2401 - 2412. Yeah, I am the one that set up the 'environment' to make NATs a fact of life. Well actually ROAD imploded and we were left with no real alternative...
No I have public addresses. So one interface is in 65.84.78/24 and the other is set up as 192.168.192.0/28
But I will be putting a NAT behind it! You see, I want to replicate one of my production networks, maintaining the IP address scheme, and still allow the servers to get updates through the double NATing.
I quite know what I am doing on Network Architecture. But I am an architect/researcher, and have not spent the time learning my Unix stuff. In fact I have forgotten most of what I knew back in '93 when I was supporting SUN/386 stuff.
-- Bryan J. Smith b.j.smith@ieee.org http://thebs413.blogspot.com
Also see IEEE 802.11i
Robert Moskowitz rgm@htt-consult.com wrote:
I suspect not. When I installed this system I turned off the Linux firewall feature.
I think if you allow everything in by default, you're okay. My comments on the "state" setting were if you were dropping packets by default.
First off, let me introduce myself. Go take a look at RFC 1918 and look for the name 'Moskowitz'. Also RFCs 2401 - 2412. Yeah, I am the one that set up the 'environment' to make NATs a fact of life.
Okay, I know where you're coming from.
BTW, I like to refer to it as DNAT, SNAT -- collectively as NAT+PAT -- as to differentiate from 1:1 NAT (no PAT). But that's just me being anal.
Well actually ROAD imploded and we were left with no real alternative... No I have public addresses. So one interface is in 65.84.78/24 and the other is set up as 192.168.192.0/28 But I will be putting a NAT behind it!
Hmmm, in a corporate environment, I still try to avoid NAT+PAT, and setup my routers to route between networks. But since the address schemes aren't contiguous, one NAT+PAT between a public and private is not bad.
Now 1:1 NAT, I have no problem with on a corporate network. That's completely different, and should be considered a better option if possible. But I leave it to you.
You see, I want to replicate one of my production networks, maintaining the IP address scheme, and still allow the servers to get updates through the double NATing.
Then consider 1:1 NAT instead -- then you have a 1:1 relationship of servers, you can route directly, etc...
I quite know what I am doing on Network Architecture. But I am an architect/researcher, and have not spent the time learning my Unix stuff. In fact I have forgotten most of what I knew back in '93 when I was supporting SUN/386 stuff.
Again, I can appreciate where you are coming from.
One of my 6 month consulting gigs was working on the 2nd largest private network in the US. I could tell rather quickly when people were either using "default routes" or putting in "NAT+PAT" devices on our network.
[ I'm sure some of my critics will now use that last paragraph against me yet again -- even though, yet again, I wasn't the person who stated any credentials first. ]
On Monday 19 December 2005 11:34, Robert Moskowitz wrote:
Well I think this system is back on 3.5. How do I tell? Have not used it in a while...
I need a NAT for some quick testing and this box was available. Only a 6gb drive, so I can't install Astaro (which I have licenses for).
So is there a simple way to turn on NATing? Should I upgrade to 4.2?
This box is behind a firewall, so security risks are not the issue. This time.
Firestarter will take about 5 minutes to set up: http://prdownloads.sourceforge.net/firestarter/firestarter-1.0.3-1.i386.rpm?...
If you want greater control (multiple IPs on virtual interfaces), try shorewall: http://www.shorewall.net/
Also, if you want DHCP, you need to do a yum install dhcp. Firestarter will configure DHCPd for you, but it will not install it.
On Mon, Dec 19, 2005 at 08:01:09PM -0500, ryan wrote:
On Monday 19 December 2005 11:34, Robert Moskowitz wrote:
Well I think this system is back on 3.5. How do I tell? Have not used it in a while...
I need a NAT for some quick testing and this box was available. Only a 6gb drive, so I can't install Astaro (which I have licenses for).
So is there a simple way to turn on NATing? Should I upgrade to 4.2?
This box is behind a firewall, so security risks are not the issue. This time.
Firestarter will take about 5 minutes to set up: http://prdownloads.sourceforge.net/firestarter/firestarter-1.0.3-1.i386.rpm?...
If you want greater control (multiple IPs on virtual interfaces), try shorewall: http://www.shorewall.net/
Also, if you want DHCP, you need to do a yum install dhcp. Firestarter will configure DHCPd for you, but it will not install it.
The guy just wants some temporary NAT services for testing. There is no need to configure all of that.
That simple iptables ... -j MASQUERADE rule should work if there are no other iptables rules anywhere, and all default rules are ACCEPT.
[]s
- -- Rodrigo Barbosa rodrigob@suespammers.org "Quid quid Latine dictum sit, altum viditur" "Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
Rodrigo Barbosa rodrigob@suespammers.org wrote:
The guy just wants some temporary NAT services for testing. There is no need to configure all of that.
Agreed. However ...
That simple iptables ... -j MASQUERADE rule should work if there are no other iptables rules anywhere, and all default rules are ACCEPT.
Actually, the MASQ target is _not_ recommended when you want to map many, many systems into various ports. I see this come up regularly and it's a very _poor_ move to do traditional masquerading (NAT+PAT).
Ideally, you should be doing 1:1 NAT, and _no_ PAT. Not only reduced overhead on the NAT device because it's not doing PAT and connection tracking, but you'll see greatly increased performance (especially on a higher speed corporate network ;-).
Now Linux's performance at this is still suspect at 1:1 NAT versus even a typical router. But if you want to do it ...
iptables -t nat -A PREROUTING -d a.b.c.d -i ethX -j DNAT --to-destination p.q.r.s
iptables -t nat -A POSTROUTING -s p.q.r.s -o ethX -j SNAT --to-source a.b.c.d
Where ethX is your public IP interface. Where a.b.c.d is your public IP address. And where p.q.r.s is your private IP address.
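Bryan's DNAT/SNAT pair generalised to a table of public/private pairs, which is what "a 1:1 relationship of servers" comes to in practice. This is an added example and not code from the thread or from any poster; the MAP table (built from documentation addresses 192.0.2.x and 10.0.0.x), EXT_IF, DRY_RUN and the function names are assumptions of the example. As with any 1:1 mapping, the public address must actually arrive at this box, so it has to be assigned to ethX (a secondary address will do) or routed to the box by the upstream router; the rules alone do not make the box answer for it.

```shell
#!/bin/sh
# Added example (not from the CentOS list thread): 1:1 NAT (DNAT in, SNAT out,
# no PAT) for a table of public/private address pairs.
# MAP, EXT_IF, DRY_RUN and the function names are assumptions of this example.

EXT_IF="${EXT_IF:-eth0}"      # public-facing interface (ethX in the thread)
DRY_RUN="${DRY_RUN:-1}"       # 1 = print commands only; 0 = execute (run as root)

# Constructed mapping table for the example: "public private", one pair per line.
MAP="192.0.2.10 10.0.0.10
192.0.2.11 10.0.0.11"

# Print a command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Cheap sanity check: four decimal octets, each 0-255. Catches a typo in MAP
# before a bad -d/-s address ends up in the nat table.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    ( IFS=.; set -- $1; for o in "$@"; do [ "$o" -le 255 ] || exit 1; done )
}

# Rules for one public ($1) / private ($2) pair on interface $3.
# The DNAT/SNAT pair is the one from the thread; the two FORWARD rules are
# added so the mapping also works when the FORWARD policy is DROP, and they
# open only this host rather than the whole private network.
one_to_one_nat() {
    pub="$1"; priv="$2"; ext="$3"
    is_ipv4 "$pub" && is_ipv4 "$priv" || { echo "bad address pair: $pub $priv" >&2; return 1; }
    run iptables -t nat -A PREROUTING -d "$pub" -i "$ext" -j DNAT --to-destination "$priv"
    run iptables -t nat -A POSTROUTING -s "$priv" -o "$ext" -j SNAT --to-source "$pub"
    run iptables -A FORWARD -d "$priv" -i "$ext" -j ACCEPT
    run iptables -A FORWARD -s "$priv" -o "$ext" -j ACCEPT
}

# Enable forwarding, then walk the table. A bad line aborts the whole run so a
# half-applied table is not left behind.
apply_map() {
    run sysctl -w net.ipv4.ip_forward=1
    printf '%s\n' "$MAP" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        one_to_one_nat "$pub" "$priv" "$EXT_IF" || exit 1
    done
}

apply_map
```

Because no ports are rewritten, connection tracking only has to carry the address swap, which is the reduced overhead Bryan is pointing at; the trade is one public address per mapped host, so it only fits where you have the addresses to spend.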