At 12:04 AM 8/4/00 -0400, Tammy Fox wrote:
>In Linux, NAT is called ipchains.  Visit
>http://www.linuxheadquarters.com/howto/networking/ipchains.shtml for
>instructions on how to set it up for your network.  It is much easier to follow
>than the LDP HOWTO.

Actually, in Linux the most familiar form of NAT is called IP Masquerading,
not ipchains. The 2.2.x kernel's "policy routing" features provide a
capacity for doing 1-to-1 NAT as well, though relatively few people are
familiar with it -- you use the facilities of the "ip" program (usually in
the "iproute" package) to control it. Charles Steinkuehler, a Linux Router
Project (LRP) virtuoso, has built a nice example of this latter capability
in his "EigerStein 1.1" script (check for it at lrp.steinkuehler.com ...
though I'm not sure if 1.1 is posted yet).

ipchains itself is a userspace application, used to configure firewall rules
(packet filtering, mostly) in 2.2.x kernels. In that capacity, it sets some
Masq'ing rules as well. You also need to know about the app ipmasqadm and
about the use of the various ip_masq_*.o modules. The ipfwadm, ipportfw, and
ipautofw userspace apps did the same thing for the 2.0.x kernels, BTW.

Tammy's URL is certainly easy to follow, but that is because it leaves out
most of the important details. If you limit yourself to following the
instructions there, you'll find your LAN lacks a lot of the capabilities
that the Masquerading code can provide (port forwarding, a working ftp
service, irc service, and so on). There are also better ways to handle DNS
than it provides, mainly by running a BIND forwarder on the Linux router. 

The Firewall HowTo, while certainly more complicated, actually covers these
additional features. There are separate Ipchains and IP-Masquerading HowTos
as well.

It's also a good idea to set up an actual firewall when doing a Masq'd
router of this sort. While ipchains can do this, it takes more than one
ipchains command to set up a proper firewall. Look at (for example) the
Seattle Firewall project (seawall.sourceforge.net) for some good instruction
here. Or look at lrp.c0wz.com for some of the LRP-based material on good
firewall design. Or look at the "ipmasq" Debian package, which autogenerates
a passable firewall.


--
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA                                    [EMAIL PROTECTED]        
----------------------------------------------------------------


-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.linux-learn.org/faqs
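
The point made in the message above, that a masquerading router needs helper modules, ipmasqadm and a deny-by-default rule set rather than a single ipchains command, is illustrated by this added example; it is not part of the original message or of any project named in it. The interface names, addresses and the forwarded web server are constructed assumptions, the filtering is stateless, and the script only prints the commands so they can be reviewed before being run as root on a 2.2.x kernel.

```shell
#!/bin/sh
# Added example: prints (does not execute) a rule set for a 2.2.x masquerading
# router. All addresses and interface names below are constructed assumptions.
EXT_IF=eth0   EXT_IP=203.0.113.10       # Internet side
LAN_IF=eth1   LAN_NET=192.168.1.0/24    # masqueraded LAN
WEB_HOST=192.168.1.20                   # internal server reached by port forwarding
ANY=0.0.0.0/0

masq_firewall_rules() {
cat <<EOF
# Masquerading helpers: FTP and IRC need protocol-aware modules
modprobe ip_masq_ftp
modprobe ip_masq_irc
modprobe ip_masq_portfw
# Empty the built-in chains, then deny by default on input and forward
ipchains -F input
ipchains -F forward
ipchains -F output
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output ACCEPT
# Anti-spoofing: LAN source addresses must never arrive from outside (-l logs)
ipchains -A input -i $EXT_IF -s $LAN_NET -l -j DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i $LAN_IF -s $LAN_NET -j ACCEPT
# From outside: TCP replies only (! -y = not a SYN), DNS answers, ICMP errors
ipchains -A input -i $EXT_IF -p tcp ! -y -d $EXT_IP -j ACCEPT
ipchains -A input -i $EXT_IF -p udp -s $ANY 53 -d $EXT_IP 1024:65535 -j ACCEPT
ipchains -A input -i $EXT_IF -p icmp --icmp-type destination-unreachable -j ACCEPT
# The one inbound service: web traffic, port-forwarded to the internal server
ipchains -A input -i $EXT_IF -p tcp -d $EXT_IP 80 -j ACCEPT
ipmasqadm portfw -f
ipmasqadm portfw -a -P tcp -L $EXT_IP 80 -R $WEB_HOST 80
# Masquerade only LAN traffic leaving by the external interface
ipchains -A forward -i $EXT_IF -s $LAN_NET -j MASQ
# Turn on forwarding last, once the rules are in place
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

masq_firewall_rules
```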