At 12:55 PM 12/19/2005, Bryan J. Smith wrote:
>Robert Moskowitz <rgm at htt-consult.com> wrote:
> > Well I think this system is back on 3.5. How do I tell?
> > Have not used it in a while...
>
>cat /etc/redhat-release

thanks

> > I need a NAT for some quick testing and this box was
> > available. Only a 6gb drive, so I can't install Astaro
> > (which I have licenses for).
> > So is there a simple way to turn on NATing? Should I
> > upgrade to 4.2?
>
>Why would you upgrade to 4.2? NetFilter and the IPTables
>interface has changed little since 2.4.

Good. Just did not know if things were improved enough to warrant it.

>E.g., given a private network of 172.31/16, and an
>Internet-face interface of eth2
>
> /sbin/iptables -A POSTROUTING -t nat -s 172.31.0.0/255.255.0.0 -o eth2 -j MASQUERADE
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
>This also assumes you already have existing iptables rules
>regarding ESTABLISHED,RELATED states and other firewall
>rules.

I suspect not. When I installed this system I turned off the Linux firewall feature.

> > This box is behind a firewall, so security risks are not
> > the issue. This time.
>
>Is your firewall also doing NAT+PAT? If so, then I don't
>recommend 2 layers of NAT+PAT -- especially not on a
>corporate network.

First off, let me introduce myself. Go take a look at RFC 1918 and look for the name 'Moskowitz'. Also RFCs 2401 - 2412. Yeah, I am the one that set up the 'environment' to make NATs a fact of life. Well, actually ROAD imploded and we were left with no real alternative...

No, I have public addresses. So one interface is in 65.84.78/24 and the other is set up as 192.168.192.0/28. But I will be putting a NAT behind it! You see, I want to replicate one of my production networks, maintaining the IP address scheme, and still allow the servers to get updates through the double NATing.

I quite know what I am doing on Network Architecture. But I am an architect/researcher, and have not spent the time learning my Unix stuff. In fact I have forgotten most of what I knew back in '93 when I was supporting SUN/386 stuff.

>--
>Bryan J. Smith b.j.smith at ieee.org http://thebs413.blogspot.com

Also see IEEE 802.11i
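Bryan's two-line recipe filled out with the ESTABLISHED,RELATED forwarding rules he says it assumes, as an added example that is not part of this thread: the 192.168.192.0/28 prefix comes from Robert's description, while the interface names eth1 (LAN) and eth0 (Internet) and the fail-closed FORWARD policy are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Emits a minimal masquerading NAT rule
# set that also carries the ESTABLISHED,RELATED forwarding rules the quoted
# snippet assumes are already present. Interface names and the LAN prefix
# below are assumed placeholders; adjust them to the box at hand.

# nat_rules LAN_CIDR LAN_IF WAN_IF  -> prints the iptables commands (dry run)
nat_rules() {
    lan_net="$1"; lan_if="$2"; wan_if="$3"
    # Insist on a prefix length: a bare address would silently become a /32
    # match and nothing else on the LAN would be translated.
    case "$lan_net" in
        */*) ;;
        *) echo "nat_rules: LAN must be in CIDR form, got '$lan_net'" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -t nat -A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
EOF
}

# apply_rules: run the generated commands, then enable forwarding (needs root).
# FORWARD defaults to DROP, so only LAN-originated flows and their replies pass.
apply_rules() {
    nat_rules "$@" | sh -e && echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Placeholder values; "apply" as the first argument installs them, anything
# else just prints the rule set for review.
case "${1:-print}" in
    apply) apply_rules 192.168.192.0/28 eth1 eth0 ;;
    *)     nat_rules   192.168.192.0/28 eth1 eth0 ;;
esac
```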