[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: how do i NAT a legacy network ?


Basically there are two 'current' kernel level implementations for doing ip-filtering and masquerading.  They are:
	ipfwadm		kernel 2.0.*
	ipchains	kernel 2.2.*
There will be a new system for 2.4.* as you note which is more generic and technically could support non-IP protocols (woo woo securing DECnet!).

In either instance you can masquerade a network range behind the public IP of the Linux box.

For various reasons I am more familiar with ipfwadm.  Under that system there are no masquerading rules just forwarding rules that masquerade so it is very straightforward.  The ipmasquerading HOWTO, and the Firewalls HOWTO are both very good.

So in short you can hide the network behind the Linux box however there is a wrinkle ;-)  I am not aware (I could be wrong ofc) of either solution supporting 'illegal NAT' where the system understands that the internal LAN IP's are wrong: so I don't think you will be able to connect to Internet hosts in the 95.*.*.* range because the Linux box will assume that these IP's are on the local side.  I'm afraid you're a bit snookered using a Class A range like that.

You can use something called port forwarding to allow access to the web server on the LAN from the Internet.  I cannot stress too heavily what a bad idea this is since if the server gets cracked you have left a nice open path into your LAN.  You would be better using a third interface on the Linux box and placing the web server here - sometimes this is called a DMZ (DeMilitarised Zone) which is an area with s lower security level but still protected.  If you want to know more I'd suggest reading/digesting 'Firewalls and Internet Security' by Chewsick and Bellovin.

To be honest if you have FW-1 in and a support company that is reliable I can't see what advantages there are to throwing it out in place of Linux.



On Thu, Oct 07, 1999 at 11:48:10AM +0530, venu wrote:
> we have a legacy network which has IPs : 95.x.x.x ( NOT REGISTERED, i.e illegal)
> that we can't change now !!! ( those network enginners of 1994,when the network
> was installed; obviously did not know about rfc1918  )
> now we want to connect this network to the Internet... we cannot re-number our
> network... so i looked at using a linux box with NAT ...that should be straight
> forward ... right ? wrong ! hey this is fun !!
> and i am a bit confused...

Reply to: