[CentOS] Setting up a simple NAT on CentOS 3.5 -- 1:1 NAT

Bryan J. Smith thebs413 at earthlink.net
Tue Dec 20 02:41:41 UTC 2005


Rodrigo Barbosa <rodrigob at suespammers.org> wrote:
> The guy just want some temporary NAT services for testing.
> There is no need to configura all of that.

Agreed.  However ...

> That simple iptables ... -j MASQUERADE rule should work if
> there are no other iptables rules anywhere, and all default
> rules are ACCEPT.

Actually, the MASQ target is _not_ recommended when you want
to map many, many systems into various ports.  I see this
come up regularly and it's a very _poor_ move to do
traditional masquerading (NAT+PAT).

Ideally, you should be doing 1:1 NAT, and _no_ PAT.  Not only
reduced overhead on the NAT device because it's not doing PAT
and connection tracking, but you'll see greatly increased
performance (especially on a higher speed corporate network
;-).

Now Linux's performance at this is still suspect at 1:1 NAT
versus even a typical router.  But if you want to do it ...

  iptables -t nat -A PREROUTING -d a.b.c.d -i ethX -j DNAT
--to-destination p.q.r.s
  iptables -t nat -A POSTROUTING -s p.q.r.s -o ethX -j SNAT
--to-source a.b.c.d

Where ethX is your public IP interface.
Where a.b.c.d is your public IP address.
And where p.q.r.s is your private iP address.


-- 
Bryan J. Smith  b.j.smith at ieee.org http://thebs413.blogspot.com
---------------------------------------------------------------
"On the basis of the American view, which may be right, the
 success of the Iraqi political experiment is bound to provide
 a model to be emulated in Syria and in the various countries
 neighbouring Iraq" -- Nur-Al-Din, Al-Safir (Lebanon Periocial)



More information about the CentOS mailing list