[CentOS] Setting up a simple NAT on CentOS 3.5
Robert Moskowitz
rgm at htt-consult.com
Tue Dec 20 00:29:50 UTC 2005
At 12:55 PM 12/19/2005, Bryan J. Smith wrote:
>Robert Moskowitz <rgm at htt-consult.com> wrote:
> > Well I think this system is back on 3.5. How do I tell?
> > Have not used it in a while...
>
>cat /etc/redhat-release
thanks
> > I need a NAT for some quick testing and this box was
> > available. Only a 6gb drive, so I can't install Astaro
> > (which I have licenses for).
> > So is there a simple way to turn on NATing? Should I
> > upgrade to 4.2?
>
>Why would you upgrade to 4.2? NetFilter and the IPTables
>interface has changed little since 2.4.
Good. Just did not know if things were improved enough to warrant it.
>E.g., given a private network of 172.31/16, and an
>Internet-facing interface of eth2
>
> /sbin/iptables -A POSTROUTING -t nat -s 172.31.0.0/255.255.0.0 -o eth2 -j MASQUERADE
> echo "1" >> /proc/sys/net/ipv4/ip_forward
>
>This also assumes you already have existing iptables rules
>regarding ESTABLISHED,RELATED states and other firewall
>rules.
I suspect not. When I installed this system I turned off the Linux
firewall feature.
> > This box is behind a firewall, so security risks are not
> > the issue. This time.
>
>Is your firewall also doing NAT+PAT? If so, then I don't
>recommend 2 layers of NAT+PAT -- especially not on a
>corporate network.
First off, let me introduce myself. Go take a look at RFC 1918 and
look for the name 'Moskowitz'. Also RFCs 2401 - 2412. Yeah, I am
the one that set up the 'environment' to make NATs a fact of
life. Well actually ROAD imploded and we were left with no real alternative...
No I have public addresses. So one interface is in 65.84.78/24 and
the other is set up as 192.168.192.0/28
But I will be putting a NAT behind it! You see, I want to replicate
one of my production networks, maintaining the IP address scheme, and
still allow the servers to get updates through the double NATing.
I quite know what I am doing on Network Architecture. But I am an
architect/researcher, and have not spent the time learning my Unix
stuff. In fact I have forgotten most of what I knew back in '93 when
I was supporting SUN/386 stuff.
>--
>Bryan J. Smith b.j.smith at ieee.org http://thebs413.blogspot.com
Also see IEEE 802.11i
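As an added example (not from either poster), here is a small script that produces Bryan's two commands together with the ESTABLISHED,RELATED forwarding rules he says they assume, using Robert's 192.168.192.0/28 as the inside network; the interface names eth0 (public side) and eth1 (inside) are assumptions. It prints the rules so they can be reviewed first, and only applies them when run with the argument "apply".

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a stateful masquerading
# router: nat POSTROUTING MASQUERADE plus a FORWARD chain that only lets
# inside hosts initiate and lets replies back in.
INSIDE_NET="192.168.192.0/28"   # inside network taken from Robert's message
OUT_IF="eth0"                   # assumed public-facing interface
IN_IF="eth1"                    # assumed inside interface

# Print the iptables commands for a given inside net and interface pair.
# Printing instead of executing lets you review or diff the rule set
# before it touches a live box.
nat_rules() {
    inside=$1; outif=$2; inif=$3
    cat <<EOF
/sbin/iptables -t nat -A POSTROUTING -s $inside -o $outif -j MASQUERADE
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i $inif -o $outif -s $inside -j ACCEPT
EOF
}

# Enable forwarding now, and persist it in /etc/sysctl.conf so it
# survives a reboot (the echo into /proc alone does not).
forward_rules() {
    cat <<'EOF'
echo 1 > /proc/sys/net/ipv4/ip_forward
sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
grep -q '^net.ipv4.ip_forward = 1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
EOF
}

# Number of iptables rules that would be installed (handy sanity check).
rule_count() {
    nat_rules "$@" | wc -l | tr -d ' '
}

if [ "${1:-}" = "apply" ]; then
    nat_rules "$INSIDE_NET" "$OUT_IF" "$IN_IF" | sh -e
    forward_rules | sh -e
else
    nat_rules "$INSIDE_NET" "$OUT_IF" "$IN_IF"
    forward_rules
fi
```

Run it as root with "apply" to install the rules; run it without arguments to just see what would be executed.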