[CentOS] Setting up a simple NAT on CentOS 3.5 -- 1:1 NAT
Bryan J. Smith
thebs413 at earthlink.net
Tue Dec 20 02:41:41 UTC 2005
Rodrigo Barbosa <rodrigob at suespammers.org> wrote:
> The guy just wants some temporary NAT services for testing.
> There is no need to configure all of that.
Agreed. However ...
> That simple iptables ... -j MASQUERADE rule should work if
> there are no other iptables rules anywhere, and all default
> rules are ACCEPT.
Actually, the MASQ target is _not_ recommended when you want
to map many, many systems into various ports. I see this
come up regularly and it's a very _poor_ move to do
traditional masquerading (NAT+PAT).
Ideally, you should be doing 1:1 NAT, and _no_ PAT. Not only
is there reduced overhead on the NAT device because it's not
doing PAT and connection tracking, but you'll see greatly
increased performance (especially on a higher speed corporate
network ;-).
Now Linux's performance at this is still suspect at 1:1 NAT
versus even a typical router. But if you want to do it ...
iptables -t nat -A PREROUTING -d a.b.c.d -i ethX -j DNAT --to-destination p.q.r.s
iptables -t nat -A POSTROUTING -s p.q.r.s -o ethX -j SNAT --to-source a.b.c.d
Where ethX is your public IP interface.
Where a.b.c.d is your public IP address.
And where p.q.r.s is your private IP address.
--
Bryan J. Smith b.j.smith at ieee.org http://thebs413.blogspot.com
---------------------------------------------------------------
"On the basis of the American view, which may be right, the
success of the Iraqi political experiment is bound to provide
a model to be emulated in Syria and in the various countries
neighbouring Iraq" -- Nur-Al-Din, Al-Safir (Lebanon Periodical)
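The DNAT/SNAT pair from the post, wrapped in a small script as an added example (not code from the post or its author): it validates the addresses, prints the rule set so it can be reviewed before anything is applied, and adds FORWARD rules that only permit traffic for the mapped pair rather than relying on a default-ACCEPT FORWARD chain. The interface name eth0 and the addresses 203.0.113.10 (public) and 192.168.1.10 (private) are assumed placeholder values.

```shell
#!/bin/sh
# 1:1 NAT for one public/private address pair: DNAT inbound, SNAT outbound,
# no port translation (no MASQUERADE). Values below are assumed placeholders.
PUB_IF="${PUB_IF:-eth0}"            # ethX in the post: the public interface
PUB_IP="${PUB_IP:-203.0.113.10}"    # a.b.c.d: public address (documentation range)
PRIV_IP="${PRIV_IP:-192.168.1.10}"  # p.q.r.s: private address of the mapped host

# Accept only a dotted quad whose four octets are all in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print (do not run) the rules for one mapping: pubif pubip privip.
# Lines 1-2 are the post's DNAT/SNAT pair; lines 3-4 are an added
# FORWARD policy so only the mapped host's traffic is routed through.
nat_rules() {
    pubif=$1; pubip=$2; privip=$3
    is_ipv4 "$pubip"  || { echo "bad public IP: $pubip" >&2;   return 1; }
    is_ipv4 "$privip" || { echo "bad private IP: $privip" >&2; return 1; }
    cat <<EOF
iptables -t nat -A PREROUTING -d $pubip -i $pubif -j DNAT --to-destination $privip
iptables -t nat -A POSTROUTING -s $privip -o $pubif -j SNAT --to-source $pubip
iptables -A FORWARD -i $pubif -d $privip -j ACCEPT
iptables -A FORWARD -o $pubif -s $privip -j ACCEPT
EOF
}

# Apply the printed rules (needs root); forwarding must be on or DNAT'd
# packets are dropped after translation.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    nat_rules "$@" | sh -e
}

# Usage:  sh nat1to1.sh        -> print rules for review
#         sh nat1to1.sh apply  -> install them
case "${1:-}" in
    apply) apply_rules "$PUB_IF" "$PUB_IP" "$PRIV_IP" ;;
    "")    nat_rules "$PUB_IF" "$PUB_IP" "$PRIV_IP" ;;
esac
```

Review the printed output with `iptables -t nat -L -n` afterwards; if other rules exist, the FORWARD rules must sit before any blanket DROP.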