
Re: SNAT or MASQUERADE?



On Sun, 2 Dec 2001 11:36:20 +1000,
  mdevin@ozemail.com.au wrote:
> I am trying to figure out which is the best way to do some
> masquerading of my internal LAN.
<snip> 
> Which would be the best way in terms of efficiency and security?

SNAT would be. However, you better make sure that each time the IP
address of your interface changes, your firewall script runs. You could
do this in Debian by putting your firewall script in /etc/ppp/ip-up.d/.
But also please keep in mind that your firewall rules should be put in
place *before* any external interfaces are brought on-line.

Since you can't determine the IP address without the interface being
on-line, your firewall should run in two parts: first, a script setting the
strict don't-accept-any-of-these-connections rules (in my case, I set the
policy of INPUT and FORWARD to DROP); second, a script to set up the NAT.

--
 .--=====-=-=====-=========----------=====-----------=-=-----=.
/    David Barclay Harris            Aut agere, aut mori.      \
\        Clan Barclay              Either action, or death.    /
 `-------======-------------=-=-----=-===-=====-------=--=----'

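The two-part layout the reply describes, written out as an added example (it is not code from the list post or from Debian): stage 1 installs the DROP policies at boot, before any external interface is up; stage 2 is run from a /etc/ppp/ip-up.d/ hook once pppd has assigned the address, and installs the SNAT rule for that address. The LAN interface name, the 192.168.1.0/24 network, the use of iproute2 to look up the address and the assumption that no other POSTROUTING rules exist are all mine, not the post's. Setting IPT=echo prints the iptables invocations instead of executing them, which is how the script can be checked without root.

```shell
#!/bin/sh
# Added example (not from the list post): a two-stage iptables setup for a
# gateway whose external address changes.
#   Stage 1 runs at boot, before any external interface exists, and only
#           installs the restrictive default policies.
#   Stage 2 runs from a Debian /etc/ppp/ip-up.d/ hook once pppd has assigned
#           the address, and installs the SNAT rule for that address.
# Setting IPT=echo prints the iptables invocations instead of running them,
# so the script can be reviewed without root.
# Assumptions: eth0 is the LAN side, 192.168.1.0/24 is the LAN (constructed
# value), IPv4 forwarding is enabled elsewhere, and this gateway has no other
# rules in the nat POSTROUTING chain.

IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Stage 1: default-deny for INPUT and FORWARD; accept loopback and the LAN side.
# Nothing here depends on the (not yet known) external address.
stage1_policies() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Current IPv4 address of an interface, empty if it has none (uses iproute2).
iface_addr() {
    ip -o -4 addr show dev "$1" 2>/dev/null | awk '{print $4}' | cut -d/ -f1
}

# Stage 2: SNAT LAN traffic leaving via interface $1 to address $2
# (looked up on the interface if $2 is empty). Re-running this on every
# ip-up replaces the rule that carried the previous address.
stage2_snat() {
    ext_if="$1"
    ext_ip="$2"
    [ -n "$ext_ip" ] || ext_ip=$(iface_addr "$ext_if")
    if [ -z "$ext_ip" ]; then
        echo "stage2_snat: $ext_if has no IPv4 address, leaving NAT off" >&2
        return 1
    fi
    # Delete a possibly existing copy of the FORWARD rule so it is not appended twice.
    $IPT -D FORWARD -i "$LAN_IF" -o "$ext_if" -s "$LAN_NET" -j ACCEPT 2>/dev/null
    $IPT -A FORWARD -i "$LAN_IF" -o "$ext_if" -s "$LAN_NET" -j ACCEPT
    # The old SNAT rule names the old address, so -D cannot match it; flush the
    # chain instead (assumption: nothing else lives in nat POSTROUTING here).
    $IPT -t nat -F POSTROUTING
    $IPT -t nat -A POSTROUTING -o "$ext_if" -s "$LAN_NET" -j SNAT --to-source "$ext_ip"
}

# Dispatch. At boot:  firewall.sh stage1
# As an /etc/ppp/ip-up.d/ hook, pppd calls it as: iface tty speed local-ip remote-ip ipparam
case "${1:-}" in
    stage1) stage1_policies ;;
    ppp*)   stage2_snat "$1" "$4" ;;
esac
```

Installing the same file under two names (an init script invoked with `stage1`, and a symlink in /etc/ppp/ip-up.d/ that pppd calls with the interface name first) gives the ordering the reply asks for: the DROP policies exist before ppp0 is ever brought up, and the SNAT rule is recomputed from the real address on every reconnect.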