Chapter 12. NAT (Network Address Translation) and IP Forwarding


By far the most common use of Linux firewalls these days is in SOHO (Small Office/Home Office) environments. NAT-ing, or setting up a firewall to perform Network Address Translation (NAT) services, is simply a method of translating one address space to another, or, to be more specific in terms of SOHO users, a method of sharing a single network connection amongst multiple machines.

For more advanced installations, we can use NAT to create "DMZ" networks (short for De-Militarized Zones), which are networks that sit off to the "side" of the firewall, so to speak. DMZs are dedicated to some specific task such as hosting corporate web, mail, DNS, and so on. A DMZ network is used to provide limited access to and from those systems from other networks, for the purpose of isolating those systems from both the internal network and the Internet. The intent is not only to protect those servers, but also to protect the internal network from them. After all, they are exposed to some untrusted network, the Internet perhaps, and those servers have a higher probability of being broken into. But because they are isolated on a DMZ network, those servers cannot be used to break into the internal network if the firewall is configured properly. A word of caution: A DMZ is only a DMZ if the firewall is configured to isolate the systems on that DMZ network from some other network. If you punch holes in your firewall, allowing the DMZ servers to connect back into your internal network(s), you are seriously weakening, if not outright eliminating, the protection you get by isolating your DMZ servers.

Some example uses of a DMZ network would be to create a DMZ for all your wireless access points (see the VPN chapter for more information on this) and to use that DMZ to limit what your wireless users can access on your internal "wired" network. Another use of a DMZ might be to allow access to your web or mail servers from networks outside of your control (like the Internet) or a partner's network. The value of such a configuration, as already described, is that if your mail or web servers are compromised, an intruder cannot use access to those systems to leverage access into your internal network.
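The isolated DMZ described above, as an added example that is not from the book: a three-interface iptables ruleset in iptables-restore format, with constructed interface names (eth0 Internet, eth1 internal LAN, eth2 DMZ) and a constructed DMZ web server address, 192.168.2.10. The FORWARD policy is DROP and no rule accepts new connections from the DMZ into the LAN; the `dmz_check` helper (assumed name) refuses to load a ruleset that has had such a hole punched in it.

```shell
# Added example (not from the book): NAT firewall with an isolated DMZ.
# Assumed layout: eth0 = Internet, eth1 = internal LAN, eth2 = DMZ.
# 192.168.2.10 is a constructed address for a web server on the DMZ.
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
DMZ_IF=${DMZ_IF:-eth2}
DMZ_WEB=${DMZ_WEB:-192.168.2.10}

# Emit the ruleset. FORWARD policy is DROP, so only the listed paths exist:
# LAN->Internet, LAN->DMZ, Internet->DMZ web port, DMZ->Internet. No DMZ->LAN.
dmz_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $LAN_IF -o $DMZ_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_WEB -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $DMZ_IF -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# Guard against the "punched hole": refuse a ruleset that accepts new DMZ->LAN connections.
dmz_check() {
    ! printf '%s\n' "$1" | grep -q -- "-i $DMZ_IF -o $LAN_IF.*-j ACCEPT" ||
        { echo "refusing: ruleset lets DMZ hosts open connections into the LAN" >&2; return 1; }
}

RULES=$(dmz_rules)
dmz_check "$RULES"
if [ "${1:-}" = "apply" ]; then            # run as root with "apply" to load the rules
    echo 1 > /proc/sys/net/ipv4/ip_forward  # enable IP forwarding between interfaces
    printf '%s\n' "$RULES" | iptables-restore
else
    printf '%s\n' "$RULES"                  # dry run: print the ruleset for review
fi
```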

In this chapter we will cover diagnostic procedures for some of the most common NAT problems and provide examples of how to create specific types of firewalls. Specifically, we will discuss debugging common DMZ mistakes, issues with common network hardware, methods to aid you in debugging NAT or IP forwarding issues, and some frequently asked questions regarding Network Address Translation and IP forwarding configurations.

Recall that before starting on any of these steps, you will want to apply the troubleshooting methodology covered in Chapter 4 and the OSI model technique in Chapter 5, both to rule out other root causes in the lower layers of the OSI model (Layers 1 and 2) and to correctly identify and recreate the problem before attempting any of these troubleshooting steps.



    Troubleshooting Linux Firewalls
    ISBN: 321227239
    Year: 2004
    Pages: 169