Common Questions about Linux NAT


Q:

What's the real difference between masquerading and SNAT?

A:

Both are forms of source NAT: they rewrite the source address of connections leaving the firewall so that hosts on a private network can reach another network, and both depend on connection tracking to rewrite the replies on the way back. The difference is where the address comes from. MASQUERADE takes none in the rule; it uses whatever address the outgoing interface has when each connection starts, and it forgets its tracked connections if that interface goes down, so no stale mappings survive a change of address. That makes it the right choice for a dynamic external address (a dial-up or DHCP-assigned Internet link). SNAT takes a fixed --to-source address, which makes it the right choice when the firewall's external address is static, and in particular when you also want to publish internal services with DNAT so that connections can come back in through the firewall to your internal network, since the address those connections arrive at is then predictable. SNAT is also slightly cheaper per connection than masquerading, which has to look up the interface address for every new connection.
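The two outbound NAT styles side by side, with the DNAT rule that a fixed address makes practical, as an added example (this script is not from the book). Interfaces and addresses (eth1/192.168.1.0/24 inside, ppp0 as the dynamic uplink, eth0/203.0.113.10 as the static one, 192.168.1.80 as the published web server) are assumptions for the example. It runs in dry-run mode by default and only prints the commands; set RUN to empty and run it as root to load them.

```shell
#!/bin/sh
# Added example (not from the book): MASQUERADE versus SNAT, plus DNAT.
# Dry-run by default: every command is printed, not executed.
# To apply as root:  RUN= ./nat-demo.sh masquerade   or   RUN= ./nat-demo.sh static
: "${RUN=echo}"

# Assumed topology (constructed for the example, not from the book):
LAN_IF=eth1                 # inside interface
LAN_NET=192.168.1.0/24      # inside network
WAN_IF_DYN=ppp0             # uplink whose address changes (dial-up, DHCP)
WAN_IF_STATIC=eth0          # uplink with a fixed address
WAN_IP=203.0.113.10         # that fixed address
WEB_SERVER=192.168.1.80     # internal host to publish on port 80

enable_forwarding() {
    $RUN sysctl -w net.ipv4.ip_forward=1
}

# Filtering lives in the filter table, not in nat: FORWARD passes only
# replies conntrack already knows about plus new connections from the LAN.
forward_rules() {  # $1 = uplink interface
    $RUN iptables -P FORWARD DROP
    $RUN iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -i "$LAN_IF" -o "$1" -s "$LAN_NET" \
         -m conntrack --ctstate NEW -j ACCEPT
}

# Masquerading: no address in the rule. The source address is read from the
# outgoing interface when each connection starts, and the tracked connections
# are forgotten if that interface goes down, so a new dial-up address never
# leaves stale mappings behind.
masquerade_out() {
    $RUN iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF_DYN" -j MASQUERADE
}

# SNAT: the address is fixed in the rule, so no per-connection lookup and no
# flush when the link flaps. Only sensible when WAN_IP does not change.
snat_out() {
    $RUN iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF_STATIC" \
         -j SNAT --to-source "$WAN_IP"
}

# With a fixed public address, publishing an inside host is a DNAT in
# PREROUTING plus an explicit FORWARD accept for the rewritten destination.
dnat_in() {
    $RUN iptables -t nat -A PREROUTING -i "$WAN_IF_STATIC" -d "$WAN_IP" \
         -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER":80
    $RUN iptables -A FORWARD -i "$WAN_IF_STATIC" -d "$WEB_SERVER" -p tcp --dport 80 \
         -m conntrack --ctstate NEW -j ACCEPT
}

case "${1:-masquerade}" in
    masquerade) enable_forwarding; forward_rules "$WAN_IF_DYN";    masquerade_out ;;
    static)     enable_forwarding; forward_rules "$WAN_IF_STATIC"; snat_out; dnat_in ;;
    *) echo "usage: $0 masquerade|static" >&2; exit 2 ;;
esac
```

The dry-run default is deliberate: compare the printed rule sets for the two modes before loading either. Note that the FORWARD rules are identical in both cases; only the POSTROUTING target changes, and the DNAT rule is only added in the static case because that is when the public address it matches on is known in advance.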

Q:

Can iptables/netfilter rules use hostnames for DNAT rules rather than IP addresses?

A:

Yes and no. You can write a hostname instead of an IP address in a rule, but iptables resolves the name when the rule is loaded and stores only the resulting address (if the name resolves to several addresses, one rule is added per address). From then on the rule matches on packet headers alone; it never sees the name the client used. So if the intent is the equivalent of name-based virtual hosting in Apache, where multiple hostnames point to a single IP address and you want those connections routed to different internal machines according to the hostname, iptables is not capable of doing this by itself: every DNAT rule written for those names resolves to the same destination address, and only the first of them will ever match. The hostname exists only inside the application protocol (for HTTP, the Host: header), so what you need is a user-space application-layer proxy that reads it, such as the HTTP proxy Squid (http://www.squid-cache.org) running as a reverse proxy. A routing tool such as iproute2 (ftp://ftp.inr.ac.ru/ip-routing/) works on IP headers only and cannot make this decision.
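What the collapse looks like, and the Squid reverse-proxy setup that does the job instead, as an added example (not from the book). The names www.example.com and shop.example.com, the public address 203.0.113.10, the backends 192.168.1.80/.81 and the proxy host 192.168.1.5 are constructed; lookup() stands in for the resolver call iptables makes at rule-load time so the script runs offline, and the squid.conf fragment assumes Squid 2.6+/3.x accelerator-mode directive syntax.

```shell
#!/bin/sh
# Added example (not from the book): why hostname-based DNAT collapses to a
# single address, and the squid reverse-proxy configuration used instead.
# All names, addresses and backends are constructed for the example.

PROXY=192.168.1.5   # inside host running squid (assumed)

# lookup() stands in for the resolver call iptables makes when a rule is
# loaded. Both public names point at the same address, as in name-based
# virtual hosting.
lookup() {
    case "$1" in
        www.example.com|shop.example.com) echo 203.0.113.10 ;;
        *) return 1 ;;
    esac
}

# The rule iptables actually stores for "-d <hostname>": the name is gone and
# only the resolved address remains (this is the line iptables-save shows).
dnat_rule_as_loaded() {  # $1 = public hostname, $2 = intended backend
    resolved=$(lookup "$1") || return 1
    echo "-A PREROUTING -d $resolved/32 -p tcp --dport 80 -j DNAT --to-destination $2:80"
}

# The one rule that works: hand every port-80 connection for the public
# address to squid, which can read the Host: header the firewall never sees.
proxy_dnat_rule() {
    echo "-A PREROUTING -d $(lookup www.example.com)/32 -p tcp --dport 80 -j DNAT --to-destination $PROXY:80"
}

# squid.conf fragment (accelerator mode, squid 2.6+/3.x syntax assumed):
# each dstdomain acl selects the origin server for one hostname.
squid_vhost_config() {
    cat <<'EOF'
http_port 80 accel vhost
cache_peer 192.168.1.80 parent 80 0 no-query originserver name=www_backend
cache_peer 192.168.1.81 parent 80 0 no-query originserver name=shop_backend
acl www_site  dstdomain www.example.com
acl shop_site dstdomain shop.example.com
cache_peer_access www_backend  allow www_site
cache_peer_access www_backend  deny all
cache_peer_access shop_backend allow shop_site
cache_peer_access shop_backend deny all
http_access allow www_site
http_access allow shop_site
http_access deny all
EOF
}

echo "# What the two name-based DNAT rules become once loaded:"
dnat_rule_as_loaded www.example.com  192.168.1.80
dnat_rule_as_loaded shop.example.com 192.168.1.81
echo "# identical match, so the second rule is unreachable"
echo
echo "# Instead: one DNAT rule to the proxy ..."
proxy_dnat_rule
echo "# ... and squid.conf picks the backend by hostname:"
squid_vhost_config
```

The match portion of the two loaded rules (everything before -j) is byte-for-byte the same, which is the whole problem: netfilter has nothing left to distinguish them by. The proxy host still needs a FORWARD accept for the rewritten destination, exactly as with any other DNAT.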

Q:

My filter rules aren't working in a NAT environment!

A:

One mistake you don't want to make is to use DROP/REJECT rules in the nat table. The nat table is tied to connection tracking: only the packet that opens a new connection traverses it, and once a mapping exists the remaining packets of that connection skip it entirely. Packets that connection tracking does not classify as the start of a new connection, whether they belong to an already-tracked flow or are out of state, never reach those rules at all. A filtering rule placed there therefore does not see most of the traffic, and anything you believe you are blocking in nat is checked on one packet per connection at best, with the rest passing in and out of your network unchecked, leaking information or worse. Do all filtering in the filter table (INPUT, FORWARD and OUTPUT) and keep the nat table for address translation only.

You'll also see this happen in the nmap tests discussed in Chapter 10 when your rules are out of order. iptables uses the first rule that matches a packet, so a DROP placed after an ACCEPT that matches the same traffic never fires. Make sure your specific DROP rules come before the broader ACCEPT rules they must override. A good way to do this is to start from a global deny-all, set as the default policy of each chain (iptables -P INPUT DROP, and likewise for FORWARD), and then selectively ACCEPT the kinds of traffic you want to allow, one step at a time, after that. The deny-all belongs in the policy, not in a rule at the head of the chain: a catch-all DROP as the first rule matches every packet and makes everything after it unreachable.
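Both mistakes from this answer, side by side with the corrected layout and a small audit that finds them in iptables-save output, as an added example (not from the book). The rule sets are constructed, in iptables-restore format, for an assumed topology of eth0 facing the Internet with the static address 203.0.113.10 and eth1 facing the LAN 192.168.1.0/24; the audit_rules function is this example's own check, not a netfilter tool.

```shell
#!/bin/sh
# Added example (not from the book): a rule set in iptables-restore format
# that follows the advice above, the broken variant beside it, and an audit
# that catches both mistakes in iptables-save output. Interfaces and
# addresses are constructed: eth0 = Internet, eth1 = LAN 192.168.1.0/24.

# Corrected layout: default policy DROP, conntrack ACCEPT first, a specific
# DROP ahead of the broad ACCEPT it must beat, nothing dropped in nat.
good_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -p tcp --dport 23 -j DROP
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Broken layout: a DROP in the nat table (sees one packet per connection at
# most) and a catch-all DROP placed ahead of the ACCEPTs in FORWARD.
bad_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 23 -j DROP
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
COMMIT
EOF
}

# audit_rules: reads iptables-save output on stdin, prints each offending
# rule and exits 1 if any were found. Usage: iptables-save | audit_rules
audit_rules() {
    awk '
        BEGIN { bad = 0 }
        /^\*/ { table = substr($0, 2); next }      # "*nat", "*filter"
        /^-A / {
            chain = $2
            if (table == "nat" && $0 ~ / -j (DROP|REJECT)/) {
                print "filtering in nat table: " $0; bad = 1
            }
            if (table == "filter") {
                if ($0 ~ /^-A [^ ]+ -j DROP$/) dropall[chain] = 1
                else if (dropall[chain] && $0 ~ / -j ACCEPT$/) {
                    print "unreachable (after catch-all DROP): " $0; bad = 1
                }
            }
        }
        END { exit bad }
    '
}

echo "== corrected rule set =="; good_rules | audit_rules && echo "clean"
echo "== broken rule set ==";    bad_rules  | audit_rules || echo "problems found"
```

Run the audit against a live box with iptables-save | audit_rules. It only knows the two patterns discussed here; a DROP that is out of order relative to a narrower ACCEPT, or an ACCEPT that is too broad, still needs the nmap tests from Chapter 10 to show up.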



    Troubleshooting Linux Firewalls
    ISBN: 321227239
    Year: 2004
    Pages: 169
