[CentOS] Setting up a simple NAT on CentOS 3.5

Tue Dec 20 02:19:28 UTC 2005
Bryan J. Smith <thebs413 at earthlink.net>

Robert Moskowitz <rgm at htt-consult.com> wrote:
> I suspect not.  When I installed this system I turned off
> the Linux firewall feature.

I think if you allow everything in by default, you're okay. 
My comments on the "state" setting was if you were dropping
packets by default.

> First off, let me introduce myself.  Go take a look at RFC
> 1918 and look for the name 'Moskowitz'.  Also RFCs 2401 -
> 2412.  Yeah, I am the one that set up the 'environment' to
> make NATs a fact of life.

Okay, I know where you're coming from.

BTW, I like to refer to it as DNAT, SNAT -- collectively as
NAT+PAT -- so as to differentiate it from 1:1 NAT (no PAT).
But that's just me being anal.

> Well actually ROAD imploded and we were left with no
> real alternative...
> No I have public addresses.  So one interface is in
> 65.84.78/24 and the other is set up as 192.168.192.0/28
> But I will be putting a NAT behind it!

Hmmm, in a corporate environment, I still try to avoid
NAT+PAT, and set up my routers to route between networks.  But
since the address schemes aren't contiguous, one NAT+PAT
between a public and private is not bad.

Now 1:1 NAT, I have no problem with on a corporate network. 
That's completely different, and should be considered a
better option if possible.  But I leave it to you.

> You see, I want to replicate one of my production networks,
> maintaining the IP address scheme, and still allow the servers
> to get updates through the double NATing.

Then consider 1:1 NAT instead -- then you have a 1:1
relationship of servers, you can route directly, etc...

> I quite know what I am doing on Network Architecture.  But
> I am an architect/researcher, and have not spent the time
> learning my Unix stuff.  In fact I have forgotten most of what
> I knew back in '93 when I was supporting SUN/386 stuff.

Again, I can appreciate where you are coming from.

One of my 6 month consulting gigs was working on the 2nd
largest private network in the US.  I could tell rather
quickly when people were either using "default routes" or
putting in "NAT+PAT" devices on our network.

[ I'm sure some of my critics will now use that last
paragraph against me yet again -- even though, yet again, I
wasn't the person who stated any credentials first. ]


-- 
Bryan J. Smith  b.j.smith at ieee.org http://thebs413.blogspot.com
---------------------------------------------------------------
"On the basis of the American view, which may be right, the
 success of the Iraqi political experiment is bound to provide
 a model to be emulated in Syria and in the various countries
 neighbouring Iraq" -- Nur-Al-Din, Al-Safir (Lebanon Periocial)
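The two NAT styles contrasted in the reply above (NAT+PAT, where every inside host hides behind one public address, versus 1:1 NAT, where each inside host gets its own public address) come down to a few iptables rules. The script below is an added example, not code from either poster. The prefixes 65.84.78/24 and 192.168.192.0/28 are the ones named in the thread; the interface names eth0/eth1, the choice to map host numbers 2 and 3, the address 65.84.78.1 used for NAT+PAT, and the same-host-number mapping convention are assumptions made for the example. With DRY_RUN=1 (the default) the rules are printed rather than applied, so it can be read and tested without touching a live box.

```shell
#!/bin/sh
# Added example: the iptables rules for NAT+PAT versus 1:1 NAT.
# Interface names, mapped host numbers and the NAT+PAT public
# address are assumptions, not taken from the thread.
# DRY_RUN=1 (default) prints each command instead of executing it.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# NAT+PAT (DNAT/SNAT with port translation): every inside host leaves
# as PUB_IP. Inbound connections to inside hosts would each need a
# separate DNAT rule per port, which is the "port juggling" 1:1 avoids.
natpat_rules() {
    PUB_IF=$1; PRIV_NET=$2; PUB_IP=$3
    run iptables -t nat -A POSTROUTING -o "$PUB_IF" -s "$PRIV_NET" \
        -j SNAT --to-source "$PUB_IP"
}

# 1:1 NAT (no PAT): each inside host PRIV_PREFIX.N is paired with the
# public address PUB_PREFIX.N (assumed convention), so the relationship
# is one-to-one in both directions and routing to a server is direct.
onetoone_rules() {
    PUB_IF=$1; PUB_PREFIX=$2; PRIV_PREFIX=$3; FIRST=$4; LAST=$5
    i=$FIRST
    while [ "$i" -le "$LAST" ]; do
        pub="$PUB_PREFIX.$i"; priv="$PRIV_PREFIX.$i"
        run iptables -t nat -A PREROUTING -i "$PUB_IF" -d "$pub" \
            -j DNAT --to-destination "$priv"
        run iptables -t nat -A POSTROUTING -o "$PUB_IF" -s "$priv" \
            -j SNAT --to-source "$pub"
        i=$((i + 1))
    done
}

# The "state" point from the reply: these only matter if FORWARD drops
# by default. Replies to established flows and new flows from inside
# are allowed; inbound NEW flows to 1:1-mapped hosts still need their
# own explicit ACCEPT rules, which is a policy decision left out here.
forward_rules() {
    PUB_IF=$1; PRIV_IF=$2
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$PRIV_IF" -o "$PUB_IF" \
        -m state --state NEW -j ACCEPT
}

# Dry-run demonstration for the prefixes named in the thread.
enable_forwarding
forward_rules eth0 eth1
onetoone_rules eth0 65.84.78 192.168.192 2 3
```

Run it as-is to see the rule set; set DRY_RUN=0 as root only after checking the printed rules against the intended address plan. Swapping `onetoone_rules` for `natpat_rules eth0 192.168.192.0/28 65.84.78.1` gives the single-address NAT+PAT variant for comparison.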