[CentOS] Setting up a simple NAT on CentOS 3.5

Tue Dec 20 00:29:50 UTC 2005
Robert Moskowitz <rgm at htt-consult.com>

At 12:55 PM 12/19/2005, Bryan J. Smith wrote:
>Robert Moskowitz <rgm at htt-consult.com> wrote:
> > Well I think this system is back on 3.5.  How do I tell?
> > Have not used it in a while...
>
>cat /etc/redhat-release

thanks

> > I need a NAT for some quick testing and this box was
> > available.  Only a 6gb drive, so I can't install Astaro
> > (which I have licenses for).
> > So is there a simple way to turn on NATing?  Should I
> > upgrade to 4.2?
>
>Why would you upgrade to 4.2?  NetFilter and the IPTables
>interface has changed little since 2.4.

Good. Just did not know if things were improved enough to warrant it.

>E.g., given a private network of 172.31/16, and an
>Internet-facing interface of eth2
>
>   /sbin/iptables -A POSTROUTING -t nat -s 172.31.0.0/255.255.0.0 -o eth2 -j MASQUERADE
>   echo "1" >> /proc/sys/net/ipv4/ip_forward
>
>This also assumes you already have existing iptables rules
>regarding ESTABLISHED,RELATED states and other firewall
>rules.

I suspect not.  When I installed this system I turned off the Linux 
firewall feature.

> > This box is behind a firewall, so security risks are not
> > the issue.  This time.
>
>Is your firewall also doing NAT+PAT?  If so, then I don't
>recommend 2 layers of NAT+PAT -- especially not on a
>corporate network.

First off, let me introduce myself.  Go take a look at RFC 1918 and 
look for the name 'Moskowitz'.  Also RFCs 2401 - 2412.  Yeah, I am 
the one that set up the 'environment' to make NATs a fact of 
life.  Well, actually ROAD imploded and we were left with no real alternative...

No, I have public addresses.  So one interface is in 65.84.78/24 and 
the other is set up as 192.168.192.0/28.

But I will be putting a NAT behind it!  You see, I want to replicate 
one of my production networks, maintaining the IP address scheme, and 
still allow the servers to get updates through the double NATing.

I know quite well what I am doing on Network Architecture.  But I am an 
architect/researcher, and have not spent the time learning my Unix 
stuff.  In fact I have forgotten most of what I knew back in '93 when 
I was supporting SUN/386 stuff.

>--
>Bryan J. Smith  b.j.smith at ieee.org http://thebs413.blogspot.com

Also see IEEE 802.11i
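A complete version of the setup discussed in this exchange, as an added example that is not part of the list post: the MASQUERADE rule from above, the ip_forward switch, and the FORWARD-chain ESTABLISHED,RELATED rules that the quoted reply says are assumed to already exist (they do not, since the Linux firewall was turned off at install time). The interface names (eth1 inside, eth0 outside), the 192.168.192.0/28 inside network and the iptables path are assumptions for illustration; override them with environment variables. The script prints the commands by default and only executes them with APPLY=1 as root.

```shell
#!/bin/sh
# Added example (not from the list post). Builds a minimal NAT box with
# netfilter/iptables: MASQUERADE on the outside interface plus the FORWARD-chain
# state rules the post says are assumed to exist.  The `-m state` match is the
# form that exists on the 2.4 kernels of CentOS 3.
# Assumptions (illustrative): LAN 192.168.192.0/28 on eth1, Internet on eth0,
# iptables at /sbin/iptables.  Override with environment variables.
LAN_NET="${LAN_NET:-192.168.192.0/28}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
IPT="${IPT:-/sbin/iptables}"

# nat_rules LAN_NET LAN_IF WAN_IF: print the rule set, one command per line,
# so it can be reviewed before it is applied (nothing is executed here).
# Default-deny forwarding, let reply traffic back, and only let NEW
# connections start from the inside network towards the outside interface.
nat_rules() {
cat <<EOF
$IPT -t nat -A POSTROUTING -s $1 -o $3 -j MASQUERADE
$IPT -P FORWARD DROP
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $2 -o $3 -s $1 -m state --state NEW -j ACCEPT
EOF
}

# sysctl_cmd: forwarding is off by default; without it the POSTROUTING rule
# never sees a packet because the kernel does not route between interfaces.
sysctl_cmd() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# apply_rules: with APPLY=1 run the generated commands (root and a real
# iptables required); otherwise just print them, which is the default.
apply_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        { nat_rules "$LAN_NET" "$LAN_IF" "$WAN_IF"; sysctl_cmd; } | sh -e
    else
        nat_rules "$LAN_NET" "$LAN_IF" "$WAN_IF"
        sysctl_cmd
    fi
}

apply_rules
```

Two practical notes. Because the outside interface here carries static public addresses, `-j SNAT --to-source <outside address>` is the better fit than MASQUERADE, which is intended for dynamically assigned addresses and drops its connection-tracking entries whenever the interface goes down. To make the setting survive a reboot, put `net.ipv4.ip_forward = 1` in /etc/sysctl.conf and save the rule set with `/sbin/service iptables save`; `cat /proc/sys/net/ipv4/ip_forward` and `iptables -t nat -L -n -v` confirm that forwarding is on and that the MASQUERADE counters actually increment when an inside host sends traffic out.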